Do I need a public CA if I want to access my virtual desktops from public/internet using Horizon Client or Web (HTML) client? I have an Enterprise CA that I tried to use but whenever I access my virtual desktops from public/internet it still shows untrusted.
You either need to have a certificate from an official CA, or distribute your CA's root and intermediate certificates to your clients, so that they can import them to their certificate store, thus trusting the Horizon certificate. It's also possible to only distribute the root certificate, and combine the intermediate certificate with the one that you configure on the Horizon server.
Just to clarify the wording: It's not the CA (Certificate Authority) that you want to distribute, but just certificates.
I don't want to confuse you with technical details, so here are the steps in short, assuming that you are using a Windows OS:
The exported CER files are basically small text files.
Now import these certificates on a system that doesn't already have them (i.e. the ones outside of your enterprise) so that the Horizon certificate will be trusted.
There is a feature on the Horizon Connection Server that helps overcome these constraints. You can configure the use of the Blast Secure Gateway to provide secure access to remote desktops and applications only when HTML Access is used locally.
For an internal, HTML Access connection, the Blast protocol traffic session is routed through the Connection Server and is presented with its SSL certificate. This removes the need for the virtual desktop to have a verifiable SSL certificate.
See https://techzone.vmware.com/resource/understand-and-troubleshoot-horizon-connections#HTML_Client_Acc... for details on this and how to configure.
Actually, the problem was that the hash algorithm that I was using was not very strong. I used SHA1. So I generated a new SSL certificate with SHA256 as the hash algorithm, and after that all the browsers and the Horizon Client are now trusting it.
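
A way to check a client for both causes raised in this thread (a root or intermediate certificate missing from the client's store, and a SHA1-signed certificate), as an added example that is not part of the original posts. The function name `Get-ChainSignatureReport` and the file name `horizon.cer` are hypothetical; the script assumes the Horizon server certificate was exported to a CER file and is run on the client that shows the certificate as untrusted.

```powershell
# Added example: build the chain for an exported server certificate on this
# client and report, per chain element, the signature hash and chain status.
function Get-ChainSignatureReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # hypothetical: path to the exported Horizon certificate
    )

    $x509  = 'System.Security.Cryptography.X509Certificates'
    $leaf  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path
    $chain = New-Object "$x509.X509Chain"

    # An enterprise CA's revocation endpoints are often unreachable from the
    # internet; skip revocation so the report shows trust and hash issues only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $cert       = $element.Certificate
        $selfSigned = $cert.Subject -eq $cert.Issuer
        $algorithm  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA

        [pscustomobject]@{
            Subject            = $cert.Subject
            SelfSigned         = $selfSigned
            SignatureAlgorithm = $algorithm
            # The signature on a self-signed root is not what establishes trust
            # (its presence in the trusted root store is), so only flag weak
            # hashes on the server and intermediate certificates.
            WeakSignature      = (-not $selfSigned) -and ($algorithm -match 'sha1|md5')
            # PartialChain or UntrustedRoot here means the issuing certificates
            # are not in this client's certificate store.
            ElementStatus      = ($element.ChainElementStatus |
                                  ForEach-Object { $_.Status }) -join ', '
            ChainTrusted       = $trusted
        }
    }
}

# Constructed usage: horizon.cer is a placeholder file name.
Get-ChainSignatureReport -Path .\horizon.cer | Format-Table -AutoSize
```

A row with `WeakSignature` set to `True` corresponds to the SHA1 case from the last post; `ChainTrusted` set to `False` with `PartialChain` or `UntrustedRoot` in `ElementStatus` corresponds to the missing root or intermediate certificate described in the first reply.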