Requirements for Trusted Server Connections
When connecting a Tera2 PCoIP Zero Client to a PCoIP endpoint using a View Connection Server or PCoIP Connection Manager session connection type, the padlock icon and 'https' text on the user login screen indicate whether the HTTPS connection is trusted or untrusted. See Connecting a Session for details.
- Closed padlock with green 'https' text: The connection is secured with HTTPS and the server’s certificate is trusted by the Tera2 PCoIP Zero Client.
- Open padlock with red strikethrough 'https:' text: The connection is secured with HTTPS, but the server’s certificate is not trusted by the Tera2 PCoIP Zero Client.
This section explains the certificate requirements that must be in place for each server type in order to have a trusted HTTPS connection. The following tables show which requirements are necessary for each Tera2 PCoIP Zero Client certificate checking mode.
Criteria Applied for Auto Detect Mode
If you use Auto Detect mode to connect, either the View Connection Server or PCoIP Connection Manager criteria are applied, depending on the server type.
View Connection Server Requirements
When connecting to a View Connection Server, the certificate requirements are as follows:
View Connection Server Certificate Requirements
Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
---|---|---|---|
Valid according to computer clock (not expired and not valid only in the future). | Required | The certificate is accepted if the time is not valid but all other requirements are met. Warn the user before proceeding. | Not checked |
Certificate subject or a subject alternative name must match the VCS address. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
Certificate must have the serverAuth enhanced key usage. | Required | Required | Not checked |
Certificate chain of trust must be rooted in device’s local certificate store. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
Certificate must not be revoked (checked using OCSP (Online Certificate Status Protocol) only if there is an OCSP responder address in the certificate). | Required | Required | Not checked |
PCoIP Connection Manager Requirements
When connecting to a PCoIP Connection Manager, the certificate requirements are as follows:
PCoIP Connection Manager Certificate Requirements
Certificate Requirement | Never connect to untrusted servers | Warn before connecting to untrusted servers | Do not verify server certificates |
---|---|---|---|
Valid according to computer clock (not expired and not valid only in the future). | Required | The certificate is accepted if the time is not valid but all other requirements are met. Warn the user before proceeding. | Not checked |
Certificate subject or a subject alternative name must match the VCS address. | Required | Not required if the server certificate is self-signed. Warn the user before proceeding. Required for all CA-signed certificates. | Not checked |
Certificate must have the serverAuth enhanced key usage. | Required | Required | Not checked |
Certificate chain of trust must be rooted in device’s local certificate store. | Required | Warn the user when certificate is not trusted. | Not checked |
Certificate must not be revoked (checked using OCSP (Online Certificate Status Protocol) only if there is an OCSP responder address in the certificate). | Required | Required | Not checked |
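
The two tables above can be read as a decision procedure. The following sketch is an added example, not Teradici code: it predicts whether a client would connect, warn, or refuse for a given certificate, server type and checking mode. All names (`CertFacts`, `evaluate`, the mode and server constants) are hypothetical, and it assumes that "all other requirements are met" in the Warn column refers to the other rows of that same column.

```python
from dataclasses import dataclass

NEVER, WARN, NO_VERIFY = "never", "warn", "no-verify"  # checking modes (names assumed)
VCS, PCM = "vcs", "pcm"                                # server types (names assumed)

@dataclass
class CertFacts:
    """Results of checks an administrator has already run on a server certificate."""
    time_valid: bool     # not expired and not valid only in the future
    name_matches: bool   # subject or a SAN matches the server address
    server_auth: bool    # serverAuth enhanced key usage is present
    chain_trusted: bool  # chain is rooted in the client's local certificate store
    revoked: bool        # OCSP reports revoked (False if the cert has no responder)
    self_signed: bool

def evaluate(server, mode, c):
    """Return (outcome, reasons); outcome is 'connect', 'warn' or 'refuse'."""
    if mode == NO_VERIFY:
        return "connect", []                 # "Not checked" column
    failed = []
    if not c.time_valid: failed.append("time")
    if not c.name_matches: failed.append("name")
    if not c.server_auth: failed.append("serverAuth")
    if not c.chain_trusted: failed.append("chain")
    if c.revoked: failed.append("revoked")
    if not failed:
        return "connect", []
    if mode == NEVER:
        return "refuse", failed              # every row is "Required"
    # WARN mode: work out which failed rows are tolerated with a warning.
    tolerated = {"time"}                     # time failures only warn
    if c.self_signed:
        tolerated |= {"name", "chain"}       # self-signed exception in both tables
    if server == PCM:
        tolerated.add("chain")               # PCM table warns on any untrusted chain
    hard = [f for f in failed if f not in tolerated]
    return ("refuse", hard) if hard else ("warn", failed)

if __name__ == "__main__":
    # Constructed sample: CA-signed certificate whose root is not in the client store.
    cert = CertFacts(True, True, True, False, False, False)
    for server in (VCS, PCM):
        for mode in (NEVER, WARN, NO_VERIFY):
            print(server, mode, evaluate(server, mode, cert))
```

The constructed sample shows the one row where the tables differ: in Warn mode an untrusted CA-signed chain is refused by the View Connection Server criteria but only produces a warning under the PCoIP Connection Manager criteria.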