Follow VMware security recommendations by using fully qualified domain names (FQDNs) for your certificates, no matter which type you select. Do not use a simple server name or IP address, even for communications within your internal domain.

Single Server Name Certificate

You can generate a certificate with a subject name for a specific server. For example: dept.company.com.

This type of certificate is useful if, for example, only one Connection Server instance needs a certificate.

When you submit a certificate signing request to a CA, you provide the server name that will be associated with the certificate. Be sure that the Horizon server can resolve the server name you provide so that it matches the name associated with the certificate.

Subject Alternative Names

A Subject Alternative Name (SAN) is an attribute that can be added to a certificate when it is being issued. You use this attribute to add subject names (URLs) to a certificate so that it can validate more than one server.

For example, a certificate might be issued for a server with the host name dept.company.com. You intend the certificate to be used by external users connecting to Horizon through Connection Server. Before the certificate is issued, you can add the SAN dept-int.company.com to the certificate to allow the certificate to be used on Connection Server instances behind a load balancer when tunneling is enabled.

Wildcard Certificate

A wildcard certificate is generated so that it can be used for multiple services. For example: *.company.com.

A wildcard is useful if many servers need a certificate. If other applications in your environment in addition to Horizon need TLS certificates, you can use a wildcard certificate for those servers, too. However, if you use a wildcard certificate that is shared with other services, the security of the VMware Horizon product also depends on the security of those other services.