To comply with industry or jurisdiction security regulations, you can replace the default SSL certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA.

In View 5.2 or later releases, the PSG service creates a default, self-signed SSL certificate when the service starts up. The PSG service presents the self-signed certificate to clients running View Client 2.0 (or View Client 5.2 for Windows) or later releases that connect to the PSG.

The PSG also provides a default legacy SSL certificate that is presented to clients running View Client 1.7 (or View Client 5.1 for Windows) or earlier releases that connect to the PSG.

The default certificates provide secure connections from View Clients to the PSG and do not require further configuration in View Administrator. However, configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing.

Although it is not required, you are most likely to configure new CA-signed SSL certificates for your View servers before you replace the default PSG certificate with a CA-signed certificate. The procedures that follow assume that you already imported a CA-signed certificate into the Windows certificate store for the View server on which the PSG is running.

Note

If you are using a security scanner for compliance testing, you might want to start by setting the PSG to use the same certificate as the View server and scan the View port before the PSG port. You can resolve trust or validation issues that occur during the scan of the View port to ensure that these issues do not invalidate your test of the PSG port and certificate. Next, you can configure a unique certificate for the PSG and do another scan.

1. When a View Connection Server instance or security server is installed, the installer creates a registry setting with a value that contains the FQDN of the computer. You must verify that this value matches the server name part of the URL that security scanners use to reach the PSG port. The server name also must match the subject name or a subject alternate name (SAN) of the SSL certificate that you intend to use for the PSG.

2. To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.

3. The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running.

4. You can ensure that all View Client connections to the PSG use the CA-signed certificate for the PSG instead of the default legacy certificate. This procedure is not required to configure a CA-signed certificate for the PSG. Take these steps only if it makes sense to force the use of a CA-signed certificate in your View deployment.
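A pre-check for the conditions in steps 1 to 3, as an added example that is not VMware's own tooling: it looks up the certificate in the local computer store by Friendly name and reports whether it has a private key, is within its validity period, and covers the server name. The script name and the `-ServerName` and `-FriendlyName` parameters are assumptions; the server name is passed in by hand rather than read from the registry setting, which this page does not name.

```powershell
# Check-PsgCert.ps1 (hypothetical name): added example, not VMware code.
param(
    # Server name part of the URL that scanners use to reach the PSG port
    [Parameter(Mandatory)] [string] $ServerName,
    # Friendly name you intend to configure for the PSG certificate
    [Parameter(Mandatory)] [string] $FriendlyName
)

function Test-NameMatch([string] $Pattern, [string] $Name) {
    # Exact match, or a wildcard that stands for exactly one leftmost label.
    if ($Pattern -ieq $Name) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $false
}

# Certificates in the Windows local computer store carrying the Friendly name
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })

if ($candidates.Count -ne 1) {
    # Zero means nothing to select; more than one makes a Friendly name lookup ambiguous.
    Write-Warning "Found $($candidates.Count) certificates with Friendly name '$FriendlyName'."
}

$now = Get-Date
foreach ($cert in $candidates) {
    # Subject common name plus the DNS names Windows extracts from the certificate
    $names = @($cert.GetNameInfo('SimpleName', $false)) +
             @($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
             Where-Object { $_ } | Select-Object -Unique

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey          # step 2: certificate and its private key
        InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        NameMatches   = [bool]($names | Where-Object { Test-NameMatch $_ $ServerName })  # step 1
        Names         = $names -join ', '
    }
}
```

Run it from an elevated PowerShell session on the View Connection Server or security server that hosts the PSG; every column should read `True` for a single certificate before you point the PSG at it.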