Binding Your SSL Server Certificate to the Citrix Broker Service


    cugcblogs

    by Ray Kareer

    Citrix has a guide on how to create and bind an SSL server certificate to the Citrix Broker Service in order to secure the communication between StoreFront and your Delivery Controllers. Setting it up for Virtual Apps and Virtual Desktops 7.x for the first time can be done by following the CTX130213 article, which was originally written for XenDesktop 5.

    Here are some of the links I used for this article:

    https://support.citrix.com/article/CTX130213

    https://docs.microsoft.com/en-us/windows/desktop/Http/add-sslcert

    https://docs.microsoft.com/en-us/powershell/module/networktransition/add-netiphttpscertbinding?view=win10-ps

    However, once this is set up, you will need to re-bind a renewed SSL server certificate to the Citrix Broker Service before the current one expires. So I decided to make a simple PowerShell script that does the binding for you once the new certificate has been imported into the Delivery Controller's computer Personal store (Cert:\LocalMachine\My). Run from the Delivery Controller, the script binds the new certificate to the Citrix Broker Service on port 443 for all of the server's local IPv4 addresses (IpPort 0.0.0.0:443). It can bind a valid certificate that matches the server hostname if none is bound yet, and it can replace the binding of an old certificate with a new one if the old certificate has expired or expires within the next 60 days.

    NOTE: You will need to run PowerShell as administrator ("Run as administrator") to be able to bind the certificates.
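    Before running the script it is worth checking that the certificate you imported is actually usable for a server binding: the script below selects by Subject only, and http.sys will happily accept a binding to a certificate that has no private key, lacks the Server Authentication EKU or does not carry the name StoreFront uses. The following pre-flight check is an added example and is not part of Ray's script; it assumes StoreFront reaches the controller by the host's own FQDN (change -ExpectedDnsName if it uses another name) and reuses the 60-day window from above.

```powershell
# Added example, not part of the original script: grade every certificate in the
# computer's Personal store against what an http.sys server binding for the Broker
# Service needs. Defaults are assumptions: StoreFront uses this host's FQDN, and 60
# days is the renewal window used by the script on this page.
function Get-BrokerCertCandidate {
    [CmdletBinding()]
    param(
        # Name StoreFront puts in the controller URL (and therefore in TLS SNI)
        [string]$ExpectedDnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        # Flag certificates with fewer than this many days left
        [int]$WarnDays = 60
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ekuExtOid     = '2.5.29.37'           # extKeyUsage extension
    $expected      = $ExpectedDnsName.ToLowerInvariant()
    $now           = Get-Date

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert     = $_
        $problems = @()

        # 1. Hostname: use the SAN dNSName list (DnsNameList is added by the Cert: provider);
        #    only fall back to the Subject CN when the certificate has no SAN at all.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not $names) { $names = @((($cert.Subject -split ',')[0] -replace '^\s*CN=', '')) }
        $names = @($names | ForEach-Object { $_.ToLowerInvariant() })
        $nameOk = $false
        foreach ($n in $names) {
            if ($n -eq $expected) { $nameOk = $true; break }
            if ($n.StartsWith('*.')) {
                # a wildcard covers exactly one label: *.example.com matches ddc1.example.com, not a.b.example.com
                $suffix = $n.Substring(1)
                if ($expected.EndsWith($suffix)) {
                    $label = $expected.Substring(0, $expected.Length - $suffix.Length)
                    if ($label -and $label -notmatch '\.') { $nameOk = $true; break }
                }
            }
        }
        if (-not $nameOk) { $problems += "no SAN/CN matches $expected (has: $($names -join ', '))" }

        # 2. http.sys needs the private key; a cert imported without it binds but never handshakes.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # 3. Server Authentication EKU. A certificate with no EKU extension at all is "any purpose".
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        if ($ekuExt -and -not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
            $problems += 'EKU does not include Server Authentication'
        }

        # 4. Validity window and chain. Verify() builds the chain with revocation checking,
        #    so it needs to reach the issuing CA's CRL/OCSP endpoints.
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
        if ($daysLeft -lt 0) { $problems += "expired $(-$daysLeft) days ago" }
        elseif ($daysLeft -lt $WarnDays) { $problems += "expires in $daysLeft days" }
        if (-not $cert.Verify()) { $problems += 'chain does not verify (untrusted root, revoked or CRL unreachable)' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    } | Sort-Object -Property Usable, NotAfter -Descending
}

# Usage, on the controller: list every candidate with the reason it was rejected,
# then pick the thumbprint to hand to Add-NetIPHttpsCertBinding / netsh http add sslcert.
$candidates = Get-BrokerCertCandidate
$candidates | Format-Table Thumbprint, DaysLeft, Usable, Problems -AutoSize
$toBind = $candidates | Where-Object Usable | Select-Object -First 1
if ($toBind) { "Bind this thumbprint: $($toBind.Thumbprint)" }
else { Write-Warning 'No usable server certificate in Cert:\LocalMachine\My' }
```

    The output lists the thumbprint, days remaining and the reasons a certificate was rejected, so when the script below picks the wrong certificate (or none), you can see which of the four checks the candidate failed rather than discovering it from a failed StoreFront connection.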

    ###SCRIPT BEGINS HERE###
    ########################################
    ## SSL Cert Update for Citrix Broker Service ##
    ## By: Ray Kareer 2019-01-23 ##
    ########################################
    Write-Host "This script should be run on the delivery controller to bind your imported SSL Certificate to the Citrix Broker Service"
    Write-Host "Please make sure that you've imported a valid server SSL certificate on your Controller/Broker server."
    Write-Host "You should only have two certificates in your personal store.  The new one and the one you want to replace (due to expire)"
    Write-Host "If there is already a bound SSL certificate, it must be expiring within the next 60 days or expired for this to work"
    ""
    netsh http show sslcert
    ""
    $continue = Read-Host "Would you like to Continue? Y/N"
    ""
    If ($continue -eq "y") {    # -eq is case-insensitive in PowerShell, so "Y" is accepted as well
        ""
        Write-Host "Getting the AppID for the Citrix Broker Service"
        Write-Host "--------------------------------------------------"
        # PSChildName is the 32-hex-character key name under Installer\Products; the AppID is built from it below
        $appID = Get-ChildItem HKLM:\SOFTWARE\Classes\Installer\Products |
            Get-ItemProperty |
            Where-Object { $_.ProductName -match "Citrix Broker Service" } |
            Select-Object -First 1 -ExpandProperty PSChildName
        if ($appID) {
            # Re-insert the dashes (8-4-4-4-12) and the braces so it can be passed as an appid
            $appID = $appID.Insert(20,"-").Insert(16,"-").Insert(12,"-").Insert(8,"-")
            $appID = "{$appID}"
        } else {
            Write-Host "Error: Unable to find Citrix Broker Service"
            return    # 'break' outside a loop can abort the calling session; 'return' just ends the script
        }
        Write-Host "Citrix Broker Service AppID = $appID"
        ""
        Write-Host "Getting the current SSL Cert expiring within the next 60 days"
        # -ExpiringInDays is a dynamic parameter of the certificate provider (PowerShell 3.0 and later)
        $expiringCert = Get-ChildItem Cert:\LocalMachine\My -ExpiringInDays 60
        If (-not $expiringCert) {
            Write-Host "Unable to find an expiring certificate within the next 60 days"
            Write-Host "Looking for expired certificate"
            $expiredCert = Get-ChildItem Cert:\LocalMachine\My -ExpiringInDays 0
            If ($expiredCert) {
                ""
                Write-Host ">>> YOUR CERTIFICATE HAS ALREADY EXPIRED !!! <<<"
                $expiringCert = $expiredCert
                $expiredCert
            } else {
                ""
                Write-Host ">>> No server certificates expiring in the next 60 days found! <<<"
            }
        }
        ""
        Write-Host "Finding a valid Server SSL Cert that is not currently bound to the Citrix Broker Service"
        $computername = $env:computername
        # Exclude every expiring/expired thumbprint (there may be more than one) and keep certificates issued to this host
        $excluded = @($expiringCert | ForEach-Object { $_.Thumbprint })
        $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $excluded -notcontains $_.Thumbprint -and $_.Subject -match $computername }
        if (-not $certs) {
            $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $computername }
        }
        # Add-NetIPHttpsCertBinding takes a single hash; if more than one candidate is left, the first one is used
        $myCert = $certs | Select-Object -First 1 -ExpandProperty Thumbprint
        If ($certs) {
            Write-Host "Found a valid Server SSL CertHash: $myCert"
            $bind = Read-Host "Would you like to Bind the certificate to the Citrix Broker Service? Y/N"
            If ($bind -eq "y") {
                Write-Host "Binding new cert hash to the Citrix Broker Service"
                # Drop the existing 0.0.0.0:443 binding (if there is one), then bind the new hash for all local IPv4 addresses
                Remove-NetIPHttpsCertBinding -ErrorAction SilentlyContinue
                Add-NetIPHttpsCertBinding -IpPort "0.0.0.0:443" -CertificateHash $myCert -CertificateStoreName "My" -ApplicationId $appID -NullEncryption $false
                netsh http show sslcert
            } else { Write-Host "Cancelled binding!" }
        } else { Write-Host "Could not find a new valid certificate" }
    }
    pause
    ###SCRIPT ENDS HERE###
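    The script finishes with netsh http show sslcert, which only proves that a binding exists; it does not prove that the hash points at a certificate http.sys can actually serve, or that StoreFront will be presented the certificate you expect. The following verification is an added example and not part of Ray's script: it reads the 0.0.0.0:443 binding back, checks the bound hash against the Personal store, and then does a real TLS handshake against the controller's FQDN and compares the certificate presented on the wire with the one that was bound. It assumes the binding is on 0.0.0.0:443 as above, that the FQDN resolves to this host, and that the listener accepts TLS 1.2.

```powershell
# Added example, not part of the original script: confirm that http.sys really serves
# the certificate that was bound. Assumptions: the binding is on 0.0.0.0:443, the
# host's FQDN resolves to this machine, and TLS 1.2 is accepted by the listener.
function Test-BrokerSslBinding {
    [CmdletBinding()]
    param(
        [string]$IpPort  = '0.0.0.0:443',
        [string]$DnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [int]$Port       = 443
    )
    $r = [ordered]@{ IpPort = $IpPort; BoundHash = $null; AppId = $null; InStore = $false
                     HasPrivateKey = $false; ServedHash = $null; ServedSubject = $null
                     ChainOk = $false; Match = $false; Errors = @() }

    # 1. Read the binding back from http.sys. The labels ("Certificate Hash", "Application ID")
    #    are localised on non-English Windows; adjust the patterns there.
    $out = (netsh http show sslcert ipport=$IpPort 2>&1) -join "`n"
    if ($out -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $r.BoundHash = $Matches[1].ToUpper() }
    else { $r.Errors += "no SSL binding found for $IpPort" }
    if ($out -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]{36}\})') { $r.AppId = $Matches[1] }

    # 2. A binding to a hash that is missing from the store, or present without its private
    #    key, is accepted by netsh but every handshake then fails; catch that here.
    if ($r.BoundHash) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $r.BoundHash }
        if ($cert) {
            $r.InStore = $true
            $r.HasPrivateKey = [bool]$cert.HasPrivateKey
            if (-not $cert.HasPrivateKey) { $r.Errors += 'bound certificate has no private key' }
            if ($cert.NotAfter -lt (Get-Date)) { $r.Errors += "bound certificate expired on $($cert.NotAfter)" }
        } else { $r.Errors += 'bound hash is not present in Cert:\LocalMachine\My' }
    }

    # 3. Handshake as StoreFront would. The validation callback returns $true so the handshake
    #    completes even with a broken chain; trust is reported separately through Verify().
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($DnsName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($DnsName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.ServedHash    = $served.Thumbprint.ToUpper()
        $r.ServedSubject = $served.Subject
        $r.ChainOk       = $served.Verify()
        if (-not $r.ChainOk) { $r.Errors += 'served certificate does not chain to a trusted root' }
    } catch {
        $r.Errors += "TLS handshake to ${DnsName}:${Port} failed: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }

    $r.Match = [bool]($r.BoundHash -and $r.BoundHash -eq $r.ServedHash)
    [pscustomobject]$r
}

# Usage, on the controller after binding: Match should be True and Errors should be empty.
Test-BrokerSslBinding | Format-List
```

    If BoundHash and ServedHash differ, http.sys is serving a binding other than the one you just created (for example a more specific IP:port binding that takes precedence over 0.0.0.0:443), and "netsh http show sslcert" without an ipport filter will show which one.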

    Please let me know if you have any issues or if there are any corrections.


    User Feedback

    Guest StoreFront Basic Configuration – Carl Stalhood

    […] XML traffic between StoreFront and Delivery Controller 7.x. Or use Ray Kareer’s script at Binding your SSL Server Certificate to the Citrix Broker Service at […]

    Guest Delivery Controller 2206 and Licensing – Carl Stalhood

    […] Controller, then we need to build a command line to bind the certificate to Citrix Broker Service. Binding Your SSL Server Certificate to the Citrix Broker Service by Ray Kareer at CUGC has a script to automate this […]

    Guest Delivery Controller 2203 LTSR CU1 and Licensing – Carl Stalhood

    […] Controller, then we need to build a command line to bind the certificate to Citrix Broker Service. Binding Your SSL Server Certificate to the Citrix Broker Service by Ray Kareer at CUGC has a script to automate this […]

    Guest Delivery Controller 1912 LTSR CU5 and Licensing – Carl Stalhood

    […] Controller, then we need to build a command line to bind the certificate to Citrix Broker Service. Binding Your SSL Server Certificate to the Citrix Broker Service by Ray Kareer at CUGC has a script to automate this […]
