You must follow certain guidelines for configuring TLS certificates for VMware Horizon servers and related components.
Horizon Connection Server
TLS is required for client connections to a server. Client-facing Connection Server instances and intermediate servers that terminate TLS connections require TLS server certificates.
- If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store
- If you upgrade to VMware Horizon from an earlier release, and a valid keystore file is configured on the Windows Server computer, the installation extracts the keys and certificates and imports them into the Windows Certificate Store.
vCenter Server
Before you add vCenter Server to VMware Horizon in a production environment, make sure that vCenter Server uses certificates that are signed by a CA.
For information about replacing the default certificate for vCenter Server, see "Certificate Replacement in Large Deployments" in the vSphere Authentication document on the VMware vSphere Documentation site.
PCoIP Secure Gateway
To comply with industry or jurisdiction security regulations, you can replace the default TLS certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing. See TLS.
Blast Secure Gateway
By default, the Blast Secure Gateway (BSG) uses the TLS certificate that is configured for the Connection Server instance on which the BSG is running. If you replace the default, self-signed certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.
SAML 2.0 Authenticator
VMware Workspace ONE Access uses SAML 2.0 authenticators to provide Web-based authentication and authorization across security domains. If you want VMware Horizon to delegate authentication to VMware Workspace ONE Access, you can configure VMware Horizon to accept SAML 2.0 authenticated sessions from VMware Workspace ONE Access. When VMware Workspace ONE Access is configured to support VMware Horizon, VMware Workspace ONE Access users can connect to remote desktops by selecting desktop icons on the Horizon User Portal.
In Horizon Console, you can configure SAML 2.0 authenticators for use with Connection Server instances.
Before you add a SAML 2.0 authenticator in Horizon Console, make sure that the SAML 2.0 authenticator uses a certificate that is signed by a CA.
Additional Guidelines
For general information about requesting and using TLS certificates that are signed by a CA, see TLS.
When client endpoints connect to a Connection Server instance, they are presented with the server's TLS server certificate and any intermediate certificates in the trust chain. To trust the server certificate, the client systems must have installed the root certificate of the signing CA.
When Connection Server communicates with vCenter Server, Connection Server is presented with TLS server certificates and intermediate certificates from this server. To trust the vCenter Server, the Connection Server computer must have installed the root certificate of the signing CA.
Similarly, if a SAML 2.0 authenticator is configured for Connection Server, the Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.