You must follow certain guidelines for configuring TLS certificates for VMware Horizon 8 servers and related components.

Horizon Connection Server

TLS is required for client connections to a server. Client-facing Connection Server instances and intermediate servers that terminate TLS connections require TLS server certificates.

By default, when you install Connection Server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:
  • If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store
  • If you upgrade to VMware Horizon 8 from an earlier release, and a valid keystore file is configured on the Windows Server computer, the installation extracts the keys and certificates and imports them into the Windows Certificate Store.

vCenter Server

Before you add vCenter Server to VMware Horizon 8 in a production environment, make sure that vCenter Server uses certificates that are signed by a CA.

For information about replacing the default certificate for vCenter Server, see "Certificate Replacement in Large Deployments" in the vSphere Authentication document on the VMware vSphere Documentation site.

PCoIP Secure Gateway

To comply with industry or jurisdiction security regulations, you can replace the default TLS certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing. See TLS.

Blast Secure Gateway

By default, the Blast Secure Gateway (BSG) uses the TLS certificate that is configured for the Connection Server instance on which the BSG is running. If you replace the default, self-signed certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.

SAML 2.0 Authenticator

VMware Workspace ONE Access uses SAML 2.0 authenticators to provide Web-based authentication and authorization across security domains. If you want VMware Horizon 8 to delegate authentication to VMware Workspace ONE Access, you can configure VMware Horizon 8 to accept SAML 2.0 authenticated sessions from VMware Workspace ONE Access. When VMware Workspace ONE Access is configured to support VMware Horizon 8, VMware Workspace ONE Access users can connect to remote desktops by selecting desktop icons on the Horizon User Portal.

In Horizon Console, you can configure SAML 2.0 authenticators for use with Connection Server instances.

Before you add a SAML 2.0 authenticator in Horizon Console, make sure that the SAML 2.0 authenticator uses a certificate that is signed by a CA.

Additional Guidelines

For general information about requesting and using TLS certificates that are signed by a CA, see TLS.

When client endpoints connect to a Connection Server instance, they are presented with the server's TLS server certificate and any intermediate certificates in the trust chain. To trust the server certificate, the client systems must have installed the root certificate of the signing CA.

When Connection Server communicates with vCenter Server, Connection Server is presented with TLS server certificates and intermediate certificates from this server. To trust the vCenter Server, the Connection Server computer must have installed the root certificate of the signing CA.

Similarly, if a SAML 2.0 authenticator is configured for Connection Server, the Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.