Q about SSL certificates needed with SGA and Frame with ADFS

  • 6 November 2020
  • 3 replies

Hello! This is my first question.

So we are planning on installing the Frame VDI product, and using the SGA (Streaming Gateway Appliance) on the DMZ, as the Web Application Proxy that authenticates with our ADFS server. And I’m wondering about the public SSL certificates needed. We are being told by Nutanix that “You will need a wildcard cert for a subdomain off of your main domain. So a cert for something like *”. I’ve asked for more clarification, and my rep doesn’t seem to know. 

So what I am wondering is: do I need to get a public certificate for my internal ADFS server in that same “sga.” sub-domain? i.e.,

What’s really throwing me is that the ADFS server’s FQDN is for our AD domain, which isn’t the same as our public domain name, of course. I’m guessing if I get a certificate for that server in a name that isn’t part of our internal DNS, I need to make a DNS alias for it. And, what SANs (Subject Alternate Names) do I need to include in the CSR.

So how do I go about this? How did YOU go about this? I need the certificates before I can install the SGA (the documentation says). So I need to know how to generate a CSR.


Thanks for any insight.

This topic has been closed for comments

3 replies

Userlevel 2
Badge +4

Hello Mike,

Here are quick documents that can help:


Hello Mike,

Here are quick documents that can help:


Thanks, but no, that doesn’t. I’ve looked over those, before asking. They all just pre-suppose a public cert, not telling me why I need one (as opposed to an internally issued certificate).


I think we’ve decided to just go to the expensive of getting a public certificate, even though I’m still not certain I could have made it work with our free internally issued certificate.

Thanks for the help.


Badge +9

I am on the same journey you are.

What I have done and I should find out if it will work this week, if support calls me back….


I purchased a new public domain ( and then made an entry for Frame. So

I then using certbot manually got a wildcard cert for *