Requirements for Trusted Server Connections

When connecting a zero client to a PCoIP endpoint using a View Connection Server or PCoIP Connection Manager session connection type, the padlock icon and "https" text on the user login screen indicate whether the HTTPS connection is trusted or untrusted (see Making a Trusted HTTPS Connection and Making an Untrusted HTTPS Connection for examples).

This section explains the certificate requirements that must be in place for each server type in order to have a trusted HTTPS connection. The tables below show which requirements are necessary for each zero client certificate checking mode.

Note: If you use Auto Detect mode to connect, either the View Connection Server or PCoIP Connection Manager criteria are applied, depending on the server type.

View Connection Server Requirements

When connecting to a View Connection Server, the certificate requirements are as follows:

View Connection Server Certificate Requirements

| Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
|---|---|---|---|
| Valid according to computer clock (not expired and not valid only in the future). | Required | The certificate is accepted if the time is not valid but all other requirements are met. Warn the user before proceeding. | Not checked |
| Certificate subject or a subject alternative name must match the VCS address. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
| Certificate must have the serverAuth enhanced key usage. | Required | Required | Not checked |
| Certificate chain of trust must be rooted in device's local certificate store. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
| Certificate must not be revoked (checked using Online Certificate Status Protocol (OCSP) only if there is an OCSP responder address in the certificate). | Required | Required | Not checked |

PCoIP Connection Manager Requirements

When connecting to a PCoIP Connection Manager, the certificate requirements are as follows:

PCoIP Connection Manager Certificate Requirements

| Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
|---|---|---|---|
| Valid according to computer clock (not expired and not valid only in the future). | Required | Required | Not checked |
| Certificate subject or a subject alternative name must match the VCS address. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
| Certificate must have the serverAuth enhanced key usage. | Required | Required | Not checked |
| Certificate chain of trust must be rooted in device's local certificate store. | Required | Warn the user when certificate is not trusted. | Not checked |
| Certificate must not be revoked (checked using Online Certificate Status Protocol (OCSP) only if there is an OCSP responder address in the certificate). | Required | Required | Not checked |
| RSA Key Length must be at least 1024 bits. | Required | Required | Not checked |
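
The two tables above reduce to a small decision procedure, which is useful when predicting how a given server certificate will behave before it is deployed. The sketch below is an added example, not Teradici code or firmware logic. The names CertFacts and evaluate, the server and mode labels, and the reading that a failed "Required" row refuses the connection are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class CertFacts:
    """Hypothetical record of facts about a server certificate (not a real API)."""
    time_valid: bool = True       # within notBefore/notAfter by the device clock
    name_matches: bool = True     # subject or SAN matches the server address
    has_server_auth: bool = True  # serverAuth enhanced key usage present
    chain_trusted: bool = True    # chain rooted in the device's certificate store
    self_signed: bool = False
    ocsp_responder: bool = False  # certificate carries an OCSP responder address
    revoked: bool = False         # what that responder would report
    rsa_bits: int = 2048

def evaluate(server: str, mode: str, c: CertFacts) -> str:
    """server: 'vcs' or 'pcm'; mode: 'never', 'warn' or 'no_verify'.
    Returns 'connect', 'warn' or 'reject'. Assumption: a failed row marked
    "Required" refuses the connection."""
    if mode == "no_verify":
        return "connect"  # every row is "Not checked"
    # (check passed?, failure is only a warning in 'warn' mode?)
    checks = [
        (c.time_valid, server == "vcs"),
        (c.name_matches, c.self_signed),
        (c.has_server_auth, False),
        (c.chain_trusted, c.self_signed if server == "vcs" else True),
        # Revocation is consulted only when a responder address is present.
        (not (c.ocsp_responder and c.revoked), False),
    ]
    if server == "pcm":
        checks.append((c.rsa_bits >= 1024, False))
    failures = [soft for passed, soft in checks if not passed]
    if not failures:
        return "connect"
    if mode == "never" or not all(failures):
        return "reject"
    return "warn"

if __name__ == "__main__":
    # Constructed sample: CA-signed certificate that has expired.
    expired = CertFacts(time_valid=False)
    for server in ("vcs", "pcm"):
        for mode in ("never", "warn", "no_verify"):
            print(server, mode, evaluate(server, mode, expired))
```

Running it on the constructed expired certificate shows the one place the two server types diverge on clock validity: in the warn mode the View Connection Server case yields a warning, while the PCoIP Connection Manager case is refused.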