A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration.

You can request a TLS server certificate that is specific to a Web domain such as www.mycorp.com, or you can request a wildcard TLS server certificate that can be used throughout a domain such as *.mycorp.com. To simplify administration, you might choose to request a wildcard certificate if you need to install the certificate on multiple servers or in different subdomains.

Typically, domain-specific certificates are used in secure installations, and CAs usually guarantee more protection against losses for domain-specific certificates than for wildcard certificates. If you use a wildcard certificate that is shared with other services, the security of the VMware Horizon 8 product also depends on the security of those other services. If you use a wildcard certificate, you must ensure that the private key is transferable between servers.
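When planning a wildcard deployment, it helps to check which server names a wildcard entry actually covers, because under RFC 6125 matching the `*` stands for exactly one left-most label. The following Python sketch is an added example, not VMware code; the function names and all hostnames other than www.mycorp.com and *.mycorp.com are constructed for illustration, and rejecting wildcards with fewer than two literal labels is a conservative policy choice of this example.

```python
# Added example: which server FQDNs are covered by a certificate's DNS names.
# Hostnames are constructed, except www.mycorp.com and *.mycorp.com.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the entire left-most
    label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False          # different depth, or an empty label
    if p[0] == "*":
        # Example policy: require two literal labels after '*' (rejects '*.com')
        # and no further wildcards in the remaining labels.
        if len(p) < 3 or "*" in "".join(p[1:]):
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False          # partial wildcards such as 'w*.mycorp.com' are refused
    return p == h

def coverage(cert_names, servers):
    """Map each server FQDN to the certificate name covering it, or None."""
    return {s: next((n for n in cert_names if name_matches(n, s)), None)
            for s in servers}

def uncovered(cert_names, servers):
    """Sorted list of servers that would fail hostname verification."""
    return sorted(s for s, n in coverage(cert_names, servers).items() if n is None)

if __name__ == "__main__":
    servers = ["www.mycorp.com", "view.mycorp.com",
               "mycorp.com", "cs1.emea.mycorp.com"]      # constructed inventory
    for s, n in coverage(["*.mycorp.com"], servers).items():
        print(f"{s:22} {'covered by ' + n if n else 'NOT covered'}")
```

In this constructed inventory, the bare domain and the server in a nested subdomain are not covered by *.mycorp.com and would need their own certificate or additional names on the certificate.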

When you replace the default certificate with your own certificate, clients use your certificate to authenticate the server. If your certificate is signed by a CA, the certificate for the CA itself is typically embedded in the browser or is located in a trusted database that the client can access. After a client accepts the certificate, it responds by sending a secret key, which is encrypted with the public key contained in the certificate. The secret key is used to encrypt traffic between the client and the server.