Author: Juhwan Song (sjuhwan)

Date of Creation: 2025/11/27

Last Modified Date: 2025/11/27

Introduction

When building a high-availability architecture for Omnissa Horizon, administrators must manage TLS certificates for multiple UAGs and Connection Servers. This matters particularly for UAGs, which are usually exposed to external networks: the CA/Browser Forum has decided to shorten the maximum validity period for TLS certificates to 47 days from March 15, 2029. Consequently, the existing manual rotation cycle of one year is no longer workable.

Omnissa Horizon provides a method to replace UAG certificates via REST API. However, since no documentation existed explaining this method, I’ve tested performing certificate rotation using the REST API in a home lab environment and documented the process, including example scripts.

The complete procedure for certificate rotation is as follows:

  1. Issue a certificate for the UAG in HashiCorp Vault
  2. Log in to the UAG and enable Quiesce Mode
  3. Wait for active sessions in Horizon View to drain
  4. Perform certificate rotation when active sessions reach zero
  5. Deactivate Quiesce Mode

This procedure is necessary because UAG immediately terminates all connected sessions as soon as the certificate changes. Draining connections via Quiesce Mode is essential to prevent unintended work interruptions and data loss. Additionally, a load balancer must be configured in front of the UAGs so that new connections can be routed to the other UAGs while this one drains.
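The five steps above, carried out as one drain-aware orchestration, as an added example that is not one of the post's own scripts. It uses Vault's documented PKI issue endpoint (`POST /v1/<mount>/issue/<role>`), but the `pki` mount and role names, the UAG admin port 9443 with HTTP basic auth, and the three UAG REST paths and JSON field names (`/config/system` with `quiesceMode`, `/monitor/stats` with `sessionCount`, `/config/certs/ssl` with `privateKeyPem`/`certChainPem`) are assumptions that must be checked against the UAG version in use. The `SimulatedUag` class is a constructed stand-in so the control flow can be exercised offline.

```python
"""Drain-aware UAG certificate rotation: issue a certificate from Vault PKI,
enable Quiesce Mode, wait for active sessions to reach zero, upload the new
certificate, then disable Quiesce Mode.  Added example, not from the post;
the UAG REST paths, port, auth scheme and JSON field names are assumptions."""
import base64
import json
import ssl
import time
import urllib.request
from typing import Callable


def http_json(method, url, body=None, headers=None, cafile=None):
    """Minimal JSON-over-HTTPS helper; verifies TLS against cafile or system roots."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def issue_vault_cert(vault_addr, token, mount, role, common_name, ttl="720h"):
    """Step 1: request a fresh leaf certificate from the Vault PKI engine.
    POST /v1/<mount>/issue/<role> is Vault's documented PKI API; the mount
    and role names passed in are assumptions.  Returns (key_pem, chain_pem)."""
    out = http_json("POST", f"{vault_addr}/v1/{mount}/issue/{role}",
                    {"common_name": common_name, "ttl": ttl},
                    {"X-Vault-Token": token})
    data = out["data"]
    chain_pem = "\n".join([data["certificate"], *data.get("ca_chain", [])])
    return data["private_key"], chain_pem


class UagClient:
    """Client for the UAG admin REST interface (assumed: port 9443, basic auth)."""

    def __init__(self, host, user, password, cafile=None):
        self.base = f"https://{host}:9443/rest/v1"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        self.cafile = cafile

    def _call(self, method, path, body=None):
        return http_json(method, self.base + path, body, self.headers, self.cafile)

    def set_quiesce(self, enabled: bool):
        # Assumed: quiesceMode is a string flag inside the system settings document.
        settings = self._call("GET", "/config/system")
        settings["quiesceMode"] = "true" if enabled else "false"
        self._call("PUT", "/config/system", settings)

    def active_sessions(self) -> int:
        # Assumed: the stats document carries the current session count.
        return int(self._call("GET", "/monitor/stats").get("sessionCount", 0))

    def upload_cert(self, key_pem: str, chain_pem: str):
        # Assumed field names for the end-user TLS certificate endpoint.
        self._call("PUT", "/config/certs/ssl",
                   {"privateKeyPem": key_pem, "certChainPem": chain_pem})


def wait_for_drain(session_count: Callable[[], int], timeout_s: float, poll_s: float,
                   clock=time.monotonic, sleep=time.sleep) -> bool:
    """Step 3: poll until no sessions remain; False if the timeout expires first."""
    deadline = clock() + timeout_s
    while True:
        if session_count() == 0:
            return True
        if clock() >= deadline:
            return False
        sleep(poll_s)


def rotate_with_drain(uag, key_pem, chain_pem, timeout_s=1800, poll_s=30,
                      clock=time.monotonic, sleep=time.sleep) -> bool:
    """Steps 2-5: quiesce so the load balancer stops sending new sessions here,
    swap the certificate only once the UAG is empty, and always leave Quiesce
    Mode disabled afterwards.  Returns False (certificate untouched) when the
    drain did not finish within timeout_s."""
    uag.set_quiesce(True)
    try:
        if not wait_for_drain(uag.active_sessions, timeout_s, poll_s, clock, sleep):
            return False
        uag.upload_cert(key_pem, chain_pem)  # this point drops any remaining sessions
        return True
    finally:
        uag.set_quiesce(False)


class SimulatedUag:
    """Constructed offline stand-in: replays a session-count sequence and records calls."""

    def __init__(self, counts):
        self.counts, self.log, self.now = list(counts), [], 0.0

    def clock(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds

    def set_quiesce(self, enabled):
        self.log.append(("quiesce", enabled))

    def active_sessions(self):
        n = self.counts.pop(0) if len(self.counts) > 1 else self.counts[0]
        self.log.append(("sessions", n))
        return n

    def upload_cert(self, key_pem, chain_pem):
        self.log.append(("upload", key_pem, chain_pem))
```

Against a real deployment, replace `SimulatedUag` with `UagClient(host, user, password, cafile=...)` and feed it the pair returned by `issue_vault_cert`; the timeout path matters because a UAG that never drains must not be rotated blindly, and the `finally` guarantees it is put back into service either way.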

Prerequisites