A self-signed TLS server certificate cannot give Horizon Client sufficient protection against threats of tampering and eavesdropping. To protect your desktops from these threats, you must replace the generated self-signed certificate.

When Horizon Agent Direct-Connection Plug-In (formerly View Agent Direct-Connection Plug-In) starts for the first time after installation, it automatically generates a self-signed TLS server certificate and places it in the Windows Certificate Store. The TLS server certificate is presented to Horizon Client during the TLS protocol negotiation to provide information to the client about this desktop. This default self-signed TLS server certificate cannot give guarantees about this desktop, unless it is replaced by a certificate signed by a Certificate Authority (CA) that is trusted by the client and is fully validated by the Horizon Client certificate checks.

The procedure for storing this certificate in the Windows Certificate Store and the procedure for replacing it with a proper CA signed certificate, are the same as those used for Connection Server. See "Configuring TLS Certificates for Horizon Servers," in the Horizon 8 Installation and Upgrade document for details on this certificate replacement procedure.

Certificates with Subject Alternative Name (SAN) and wildcard certificates are supported.

Note: To distribute the CA signed TLS Server Certificates to a large number of desktops using the Horizon Agent Direct-Connection Plug-In, use Active Directory Enrollment to distribute the certificates to each virtual machine.