CTX221671
How to Enable SSL on Cloud Connectors to Secure XML Traffic

Applicable Products

  • Citrix Cloud

Objective

This article describes how to enable SSL (TLS) on Cloud Connectors so that the XML (broker) traffic from the StoreFront server is encrypted, and how to configure the StoreFront site to use the secured connection.

Instructions

We need to start by creating and installing the certificate(s) for the Cloud Connectors. Because IIS is not installed on the Cloud Connectors by default, any machine with IIS installed can be used to create the certificate request and complete it.

1. Open the IIS console, select the server under the "Connections" pane, and then double-click "Server Certificates" under the "IIS" section of the central pane.

2. In the "Server Certificates" console, in the "Actions" pane, click "Create Certificate Request".


3. Fill in the "Request Certificate" popup window with your company details. For the "Common name" of the certificate a wildcard (for example *.yourdomain) can be used, which eliminates the need to create an individual certificate for each Citrix Cloud Connector. Note: a wildcard certificate means the same private key is installed on every Cloud Connector, so compromise of one Connector exposes the key used by all of them. Follow your company security guidance when deciding whether a wildcard certificate is acceptable.


4. Click Next and change the "Bit length" to "2048" (or larger, if your company policy requires it).


5. Specify the path and the file name of the certificate request, and click "Finish".

6. In Windows Explorer, navigate to the location of the certificate request saved in the previous step, and open the text file in Notepad.
7. In a browser, preferably on the same server where IIS is used, navigate to the Certification Authority web enrollment page (http://yourserver/certsrv), and then click "Request a certificate".

8. Select the "Advanced certificate request" option, and then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file".

9. Paste the contents of the request file opened in step 6 into the "Saved Request" box, making sure no trailing whitespace is included after the final line. In the "Certificate Template" drop-down menu, select "Web Server", and click Submit.
10. After the certificate request has been submitted, a download page is presented. Select "Base 64 encoded" and click "Download certificate".

11. To complete the certificate, return to the IIS console and "Server Certificates", and under the "Actions" pane click "Complete Certificate Request".

12. In the "Complete Certificate Request" popup window, browse to the downloaded certificate file and give it a recognizable "Friendly name".

13. In the IIS console the certificate is listed under the Friendly name given in the previous step, and the certificate is the wildcard certificate.

14. To export the certificate with its private key, open an mmc console and add the "Certificates" snap-in for the local computer.

15. The certificate was placed in the Personal store; navigate to Personal > Certificates in the mmc to locate it.

16. To export the certificate and the private key, right-click the certificate, then "All Tasks" > "Export". Click Next on the "Certificate Export Wizard" window. On the next screen select "Yes, export the private key", and click Next.

17. Click Next on the "Export File Format" screen without changing anything. On the Security screen select the Password option and provide a strong password. Remember this password, since it is needed on the Citrix Cloud Connectors when importing the certificate. The pfx file contains the private key, so treat it as a secret: transfer it over a protected channel and delete the copies from the IIS machine and the Connectors once the import is complete. Click Next.

18. Select the export location and give a name to the pfx file that will be exported. Click Next and Finish to complete the export.
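The following PowerShell script is added here as an example and is not part of the Citrix article. It performs steps 1 to 18 (request, issue, complete and export the wildcard certificate) with certreq and Export-PfxCertificate instead of the IIS wizard and the certsrv web pages, on any domain-joined machine that can reach the Active Directory Certificate Services CA. The subject, the CA config string, the template name and the paths are assumed values to replace with your own.

```powershell
# Added example, not from the Citrix article. Run in an elevated PowerShell.
# Assumed values (hypothetical): subject, CA config string, template and paths.
$Subject  = 'CN=*.example.local, O=Example Corp, L=City, S=State, C=US'
$CaConfig = 'ca01.example.local\Example-Issuing-CA'   # "<CA host>\<CA name>", see: certutil -dump
$Template = 'WebServer'
$WorkDir  = 'C:\Certs'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# 1. Request parameters: the equivalent of the IIS "Create Certificate Request" wizard
#    with a 2048-bit RSA key. Exportable = TRUE is needed so the key can go into a pfx later.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request, submit it to the CA with the Web Server
#    template, and bind the issued certificate to the key in LocalMachine\My (steps 5 to 12).
certreq -new "$WorkDir\request.inf" "$WorkDir\request.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" "$WorkDir\request.req" "$WorkDir\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed; check enrollment permissions on the template' }
certreq -accept "$WorkDir\issued.cer"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 3. Locate the newest certificate for that subject that has a private key, and export it
#    together with the key and the issuing chain as a password-protected pfx (steps 14 to 18).
$wildcardCn = ($Subject -split ',')[0].Trim()    # 'CN=*.example.local'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$wildcardCn*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in LocalMachine\My' }

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (needed again on each Cloud Connector)'
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\cloudconnector.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) ($($cert.Subject)) to $WorkDir\cloudconnector.pfx"
```

The pfx produced by the last step is the file that steps 19 to 23 import on each Cloud Connector; delete it from the requesting machine once it has been copied.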

19. Copy the pfx file to the Cloud Connector to import the certificate. Double-click the file, and in the "Certificate Import Wizard" select "Local Machine".

20. Confirm that the "Browse" field shows the correct pfx file, and click Next.

21. On the "Private key protection" page of the "Certificate Import Wizard", enter the password from step 17. Select the "Mark this key as exportable" checkbox only if the certificate will need to be exported from this Connector again (for example to reuse the wildcard certificate elsewhere); leaving it cleared prevents the key from being re-exported through the Windows tools, which is the safer default. Click Next.

22. Select "Place all certificates in the following store" and browse to the "Personal" store.

23. Click Next twice and Finish to complete the certificate import.

24. To confirm that the certificate has been installed correctly, open an mmc console and add the "Certificates" snap-in for the local computer.

25. Navigate to the "Personal" store and then "Certificates". The list of certificates should include the newly imported Cloud Connector certificate and the domain root certificate.

26. The root certificate should also be present in "Trusted Root Certification Authorities".

27. The next task is registering the SSL certificate for HTTPS on the Cloud Connector. On Windows Server 2008 and later, the built-in netsh utility binds an SSL certificate to a specific IP address and port in http.sys. For more information, refer to the Microsoft MSDN article "How to: Configure a Port with an SSL Certificate".

28. In an elevated Command Prompt, run the following command, substituting the values explained in the notes below:
netsh http add sslcert ipport=<IP address>:<port> certhash=<certificate thumbprint> appid={<GUID>}

Note:
1. If an IPv4 address is specified in the binding but the machine has both an IPv4 and an IPv6 address, IPv6 must be disabled on the Cloud Connector. Otherwise, when StoreFront resolves the Connector name it receives two addresses for the XenDesktop controller and attempts to use the IPv6 address, on which nothing is listening.

2. To bind the certificate on every IPv4 address of the Cloud Connector, use 0.0.0.0 as the IP address in the netsh command. Note that 0.0.0.0 covers IPv4 only; http.sys uses [::] as the wildcard for IPv6, so a 0.0.0.0 binding on its own does not resolve the situation described in note 1.

3. The certificate hash (thumbprint) can be found in two places:
a. In the registry of the Cloud Connector. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates; each subkey is named after the thumbprint of a certificate in the Personal store. Find the server certificate that will be used for the binding.
b. Under "Thumbprint" on the "Details" tab of the certificate. The "Details" tab can be opened by double-clicking the certificate in the mmc Certificates console.

4. Make sure the certificate hash contains no spaces when entered in the netsh command. When the thumbprint is copied from the certificate dialog it can also carry an invisible leading Unicode character (a left-to-right mark), which makes netsh reject the value with "The parameter is incorrect"; retype the first character if the command fails with a hash that looks correct.

5. To obtain the Citrix Broker Service GUID on the Cloud Connector, open Registry Editor, select Find, and search for "Citrix Remote Broker Provider - x64". The search returns an entry under the following registry location: HKEY_CLASSES_ROOT\Installer\Products\

The key name in the registry is the GUID without dashes. Add the dashes in the 8-4-4-4-12 format:
33258705EE401E6498BDEC1BDC0B578E (original)
33258705-EE40-1E64-98BD-EC1BDC0B578E (with dashes)

6. Using the certificate hash and the Citrix Broker Service GUID located above, the netsh command looks like the following and is run in an elevated Command Prompt:
C:\>netsh http add sslcert ipport=10.25.226.162:443 certhash=bc96f958848639fd101a793b87915d5f2829b0b6 appid={33258705-EE40-1E64-98BD-EC1BDC0B578E}

Note: The "Citrix Broker Service GUID" used to create the SSL binding may change with Connector upgrades, but no change to the SSL binding is required. http.sys stores appid only as an identifier of the application that owns the binding and does not validate it against installed software, so the binding persists through these changes and SSL continues to be enabled for the XML traffic.
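The following PowerShell script, added here as an example and not part of the Citrix article, carries out steps 19 to 28 on a Cloud Connector in one go: it imports the pfx, derives a clean thumbprint (stripping spaces and the invisible character mentioned in note 4), locates the Citrix Remote Broker Provider product key under HKEY_CLASSES_ROOT\Installer\Products and formats it as 8-4-4-4-12, replaces any existing binding on the port, and prints the binding http.sys now holds. The pfx path, the bind address and the port are assumed values.

```powershell
# Added example, not from the Citrix article. Run in an elevated PowerShell on the Cloud Connector.
# Assumed values (hypothetical): pfx path, bind address and port.
$PfxPath = 'C:\Certs\cloudconnector.pfx'
$BindIp  = '0.0.0.0'   # all IPv4 addresses; a separate [::] binding would be needed for IPv6
$Port    = 443

# 1. Import the pfx into LocalMachine\My (steps 19 to 23). Add -Exportable only if the key
#    must be re-exported from this Connector later.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password from step 17'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword

# 2. Certificate hash: keep hex digits only, which removes spaces and the left-to-right mark
#    that the certificate dialog sometimes copies along with the thumbprint (note 4).
$certHash = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($certHash.Length -ne 40) { throw "Unexpected thumbprint length: '$certHash'" }

# 3. Broker Service GUID (note 5): the product key name is the GUID without dashes.
$product = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\Installer\Products' |
    Where-Object { (Get-ItemProperty $_.PSPath).ProductName -like 'Citrix Remote Broker Provider*' } |
    Select-Object -First 1
if (-not $product) { throw 'Citrix Remote Broker Provider not found under HKCR\Installer\Products' }
$raw = $product.PSChildName
if ($raw.Length -ne 32) { throw "Unexpected product key name: $raw" }
$appId = '{{{0}-{1}-{2}-{3}-{4}}}' -f $raw.Substring(0, 8), $raw.Substring(8, 4),
    $raw.Substring(12, 4), $raw.Substring(16, 4), $raw.Substring(20, 12)

# 4. Replace an existing binding on this ip:port (netsh refuses to add over one), then add ours.
$ipport = "${BindIp}:$Port"
$existing = netsh http show sslcert ipport=$ipport 2>$null
if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
    netsh http delete sslcert ipport=$ipport | Out-Null
}
netsh http add sslcert ipport=$ipport certhash=$certHash appid=$appId
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }

# 5. Show what http.sys now holds; the Certificate Hash line must equal $certHash.
netsh http show sslcert ipport=$ipport
```

If the Connector has both IPv4 and IPv6 addresses, run the script with the IPv4 address StoreFront will use (or 0.0.0.0) and apply note 1; the script does not disable IPv6 for you.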
29. To complete the configuration, in the locally hosted StoreFront set the Delivery Controller entries for the Citrix Cloud Connectors to use HTTPS transport on port 443.
  • If multiple Cloud Connectors are used and the certificate is not a wildcard certificate, repeat all the steps for each Cloud Connector.
  • If a wildcard certificate was used, repeat only steps 19 to 29 on each additional Cloud Connector.
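As a final check from the StoreFront side, the following PowerShell script (an added example, not part of the Citrix article) opens a TLS connection to each Cloud Connector on port 443 with the platform's normal chain and hostname validation, reports the certificate that was presented, and flags any Connector name that still has an AAAA record, which is the condition behind note 1 in step 28. The Connector names and the expected subject pattern are assumed values.

```powershell
# Added example, not from the Citrix article. Run on the StoreFront server.
# Assumed values (hypothetical): Connector FQDNs and the expected wildcard subject.
$Connectors = @('cc01.example.local', 'cc02.example.local')
$ExpectedSubjectPattern = 'CN=*.example.local*'

function Test-ConnectorTls {
    param([string]$HostName, [int]$Port = 443, [string]$SubjectPattern = $ExpectedSubjectPattern)
    $r = [ordered]@{ Host = $HostName; Ok = $false; Subject = ''; Thumbprint = ''; Expires = $null; Error = '' }

    # Note 1 in step 28: an AAAA record makes StoreFront try the IPv6 address first.
    $dns = Resolve-DnsName $HostName -ErrorAction SilentlyContinue
    if ($dns | Where-Object Type -eq 'AAAA') { $r.Error = 'AAAA record present; StoreFront may try IPv6.' }

    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # No custom validation callback: an untrusted chain or a name mismatch throws here,
        # exactly as it would for StoreFront.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject    = $cert.Subject
        $r.Thumbprint = $cert.Thumbprint
        $r.Expires    = $cert.NotAfter
        $r.Ok = ($cert.Subject -like $SubjectPattern) -and ($cert.NotAfter -gt (Get-Date))
    } catch {
        $r.Error = ($r.Error + ' ' + $_.Exception.Message).Trim()
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]$r
}

$Connectors | ForEach-Object { Test-ConnectorTls -HostName $_ } | Format-Table -AutoSize
```

A row with Ok = False and an error mentioning the remote certificate means the chain or the name check failed on this server, which is also what StoreFront would see; a connection error with no certificate usually means the binding from step 28 is on a different address than the one the name resolves to.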