By default, the Horizon Agent for Linux installer generates a self-signed certificate for the VMwareBlastServer daemon, which handles communications with clients using the Blast display protocol. To comply with industry or security regulations, you can replace the self-signed certificate for VMwareBlastServer with a certificate that is signed by a Certificate Authority (CA).

  • When the Blast Security Gateway is not enabled on the Horizon Connection Server, VMwareBlastServer presents the default self-signed certificate to the browser that uses HTML Access to connect to the Linux desktop.
  • When the Blast Security Gateway is enabled on the Horizon Connection Server, the Blast Security Gateway presents its certificate to the browser.

To replace the default self-signed certificate for VMwareBlastServer with a CA-signed certificate, complete the following steps.

Procedure

  1. Add the private key and the CA-signed certificate to /etc/vmware/ssl.
    1. Rename the private key to rui.key and the certificate to rui.crt.
    2. Set read and execute permissions on /etc/vmware/ssl.
      sudo chmod 550 /etc/vmware/ssl
    3. Copy rui.key and rui.crt to /etc/vmware/ssl.
    4. Remove execute permissions on /etc/vmware/ssl.
      sudo chmod 440 /etc/vmware/ssl
  2. Install the root and intermediate CA certificates into the Linux OS Certificate Authority store.
    For information about additional system settings that must be changed to support the CA certificate chain, refer to the documentation for your Linux distribution.
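
A pre-flight check for the key and certificate named in step 1, added here as an example and not part of the VMware documentation: it confirms that the certificate belongs to the private key, is no longer self-signed, has not expired, and (optionally) chains to the CA certificates from step 2. The script name, the optional CA bundle argument, and the return codes are assumptions; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not VMware code): check the key/certificate pair before it is
# copied to /etc/vmware/ssl as rui.key and rui.crt.
# Usage: sh check_blast_cert.sh rui.key rui.crt [ca-bundle.pem]
# The script name and the optional CA bundle argument are assumptions.

check_blast_cert() {
    key=$1; crt=$2; ca=${3:-}

    # Both files must parse as PEM before anything else is compared.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot parse private key: $key"; return 2; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate: $crt"; return 2; }

    # The certificate must carry the public half of this private key.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: certificate was not issued for this private key"; return 3; }

    # Subject equal to issuer means the certificate is still self-signed.
    subject=$(openssl x509 -in "$crt" -noout -subject); subject=${subject#*=}
    issuer=$(openssl x509 -in "$crt" -noout -issuer); issuer=${issuer#*=}
    [ "$subject" != "$issuer" ] ||
        { echo "FAIL: certificate is self-signed (issuer equals subject)"; return 4; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 5; }

    # Optional: confirm the chain builds to the root/intermediate CA bundle.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
            { echo "FAIL: chain does not verify against $ca"; return 6; }
    fi

    echo "OK: $crt matches $key and is CA-signed"
}

# Run the check only when the script is given a key and a certificate.
if [ "$#" -ge 2 ]; then check_blast_cert "$@"; fi
```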