When you add vCenter Server instances to VMware Horizon 8, you must ensure that the TLS certificates that are used for the vCenter Server are valid and trusted by Connection Server. If the default certificates that are installed with vCenter Server are still in place, you must determine whether to accept these certificates' thumbprints.
If a vCenter Server instance is configured with a certificate that is signed by a CA, and the root certificate is trusted by Connection Server, you do not have to accept the certificate thumbprint. No action is required.
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server does not trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate is the same as another certificate, such as the certificate that was accepted previously.
For details about configuring TLS certificates, see TLS.
You first add vCenter Server in Horizon Console by using the Add vCenter Server wizard. If a certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server and vCenter Server.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
- When Horizon Console displays an Invalid Certificate Detected dialog box, click View Certificate.
- Examine the certificate thumbprint in the Certificate Information window.
- Examine the certificate thumbprint that was configured for the vCenter Server instance.
Similarly, examine the certificate thumbprint for a SAML authenticator. If appropriate, take the preceding steps on the SAML authenticator host.
- On the vCenter Server host, start the MMC snap-in and open the Windows Certificate Store.
- Navigate to the vCenter Server certificate.
- Click the Certificate Details tab to display the certificate thumbprint.
- Verify that the thumbprint in the Certificate Information window matches the thumbprint for the vCenter Server instance.
Similarly, verify that the thumbprints match for a SAML authenticator.
- Determine whether to accept the certificate thumbprint.
Option Description The thumbprints match. Click Accept to use the default certificate. The thumbprints do not match. Click Reject.
Troubleshoot the mismatched certificates. For example, you might have provided an incorrect IP address for vCenter Server.