Amazon certificate change may affect PCoIP Zero Clients connecting to Amazon WorkSpaces


Problem

When connecting to Amazon WorkSpaces, certificate errors are presented to the user.

Scenario 1: Users of zero clients that have the Never connect to untrusted servers setting and use the Amazon WorkSpaces session connection type may see a certificate warning or error message when connecting to Amazon WorkSpaces. This can occur if Amazon changes their appliance certificate.


Scenario 2: Users of zero clients that have the Warn before connecting to untrusted servers setting and use the Amazon WorkSpaces session connection type see a certificate warning when connecting to Amazon WorkSpaces.


Cause

Amazon Web Services has recently changed its server certificates. PCoIP Zero Clients configured either to not connect or to warn when connecting to an untrusted server will now identify those servers as untrusted until the root certificate can be found in the zero client's certificate store.

For more information, see Amazon's How to Prepare for AWS's Move to Its Own Certificate Authority security blog post.

 

Resolution

Upload the new AWS root certificate to the PCoIP Zero Client certificate store using the PCoIP Management Console or PCoIP Zero Client Administrators Web Interface. See the PCoIP Management Console or PCoIP Zero Client Administrators' Guide for more information.

Note: Users of the PCoIP Connection Manager session connection type with Teradici PCoIP Connection Manager for Amazon WorkSpaces are not affected by this change.

 

Obtaining a Certificate

The following steps were performed using the Firefox web browser; other browsers may have slightly different steps.

  1. The Amazon documentation points to https://www.amazontrust.com/repository/ as the location for the Amazon Trust Services repository. Validate this is correct and navigate to this page.
  2. Listed on the page are the Amazon Root Certificate Authorities with their Distinguished Name and SHA-256 Hash of Subject PKI, as well as the Self-Signed Certificate in DER and PEM format.
  3. Download the PEM files for each Root Certificate Authority.
  4. Upload the certificate to your PCoIP Zero Client Certificate store and connect to your WorkSpace.
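Before uploading a downloaded PEM file in step 4, it can be checked against the SHA-256 hash listed beside it in the repository. The script below is an added example, not part of the original article or of Teradici or Amazon tooling; it assumes the published value is the hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, and the script name and argument order are illustrative.

```python
import base64
import hashlib
import re
import sys

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("invalid DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_sha256(der: bytes) -> str:
    """SHA-256 (hex) of the certificate's DER-encoded SubjectPublicKeyInfo."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional explicit [0] version field
        pos = end
    for _field in range(5):                # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)         # subjectPublicKeyInfo, header included
    return hashlib.sha256(der[pos:end]).hexdigest()

def matches_published(pem: str, published: str) -> bool:
    """Compare with the repository value, ignoring case, colons and spaces."""
    want = re.sub(r"[\s:]", "", published).lower()
    return spki_sha256(pem_to_der(pem)) == want

if __name__ == "__main__":                 # usage: check_root.py <root.pem> <published-hash>
    with open(sys.argv[1]) as fh:
        ok = matches_published(fh.read(), sys.argv[2])
    print("MATCH" if ok else "MISMATCH: do not upload")
    sys.exit(0 if ok else 1)
```

Run it once per downloaded root; a mismatch means the file is not the certificate the repository describes and should not be added to the zero client's certificate store.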

 https://docs.aws.amazon.com/workspaces/latest/userguide/client_troubleshooting.html#certificate-issues-zero-clients