When connecting a zero client to a PCoIP endpoint using a View Connection Server or PCoIP Connection Manager session connection type, the padlock icon and "https" text on the user login screen indicates whether the HTTPS connection is trusted or untrusted (see Making a Trusted HTTPS Connection and Making an Untrusted HTTPS Connection for examples).
This section explains the certificate requirements that must be in place for each server type in order to have a trusted HTTPS connection. The tables below show which requirements are necessary for each zero client certificate checking mode.
Note: If you use Auto Detect mode to connect, either the View Connection Server or PCoIP Connection Manager criteria are applied, depending on the server type.
When connecting to a View Connection Server, the certificate requirements are as follows:
View Connection Server Certificate Requirements
Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
---|---|---|---|
Valid according to computer clock (not expired and not valid only in the future). |
Required |
The certificate is accepted if the time is not valid but all other requirements are met. Warn the user before proceeding. |
Not checked |
Certificate subject or a subject alternative name must match the VCS address. |
Required |
Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. |
Not checked |
Certificate must have the serverAuth enhanced key usage. |
Required |
Required |
Not checked |
Certificate chain of trust must be rooted in device's local certificate store. |
Required |
Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. |
Not checked |
Certificate must not be revoked (checked using OCSP (Offensive Security Certified Professional) only if there is a OCSP responder address in the certificate). |
Required |
Required |
Not checked |
When connecting to a PCoIP Connection Manager, the certificate requirements are as follows:
PCoIP Connection Manager Certificate Requirements
Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
---|---|---|---|
Valid according to computer clock (not expired and not valid only in the future). |
Required |
Required |
Not checked |
Certificate subject or a subject alternative name must match the VCS address. |
Required |
Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. |
Not checked |
Certificate must have the serverAuth enhanced key usage. |
Required |
Required |
Not checked |
Certificate chain of trust must be rooted in device's local certificate store. |
Required |
Warn the user when certificate is not trusted. |
Not checked |
Certificate must not be revoked (checked using Offensive Security Certified Professional (OSCP) only if there is a OCSP responder address in the certificate). |
Required |
Required |
Not checked |
RSA Key Length must be at least 1024 bits. |
Required |
Required |
Not checked |