VMware strongly recommends that you configure TLS certificates that are signed by a valid Certificate Authority (CA) for use by Horizon Connection Server instances.

Default TLS certificates are generated when you install Connection Server. Although you can use the default, self-signed certificates for testing purposes, replace them as soon as possible. The default certificates are not signed by a CA. Use of certificates that are not signed by a CA can allow untrusted parties to intercept traffic by masquerading as your server.

In a Horizon 8 environment, replace the default certificate that is installed with vCenter Server with a certificate that is signed by a CA. You can use openTLS to perform this task for vCenter Server. For details, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.