Posts All Topics About

Contents

Secure XML Traffic Between Storefront and Delivery Controller (DDC) IMP

Citrix Admin published in XenApp and XenDesktop 7.X IMP Posts My Troubleshooting
   474 words   3 minutes 
Website Visitors:

If you’d like to secure xml traffic from storefront to DDC, you should install certificates on the DDC. If you have IIS installed in your DDC server, then mapping the certificate to 443 is very straight forward process. Open IIS manager (inetmgr), select your server and then select server certificates. Import the certificate along with private key and bind it to 443. If you do not have IIS installed in your DDC server, then you should install the certificate on the DDC server and run netsh commands to link that certificate to citrix DDC software. Run below commands on powershell console.

1
2

dir cert:\localmachine\my 
Get-wmiobject -class win32_product | where name -eq "Citrix Broker Service"

https://www.mediafire.com/convkey/0dd9/kuqz47sj05ccgtq7g.jpg

Commands displaying thumbprint of certificate and broker service

Now you need to map the certificate thumbprint to Citrix Broker Service. Run the below command on elevated command prompt or powershell console to do so.

1

netsh http add sslcert ipport=0.0.0.0:443 certhash=08F8D67404322E03927C4931BFE4AF625945C904 appid={80EF19EA-BC65-4DAA-B241-F6A68C702A94}

Here, in the place of 0.0.0.0, you can also add the ip address of your DDC server. If everything is good, you should see “SSL certificate successfully added” message on your screen.

Where ever you have used DDC url like, SF or NetScaler, change the path to https like, https://ddc1.company.com. Also, open https://ddc1.company.com url in your browser. As the certificate mapping is complete, you should not see any cert errors in your browser. If you have IIS installed, you will see a default page if IIS is installed. If not, you will see a page not found error but no certificate error.

Troubleshooting

When all the above steps are followed, you might end up in “The parameter is incorrect” error as shown below.

https://www.mediafire.com/convkey/8662/cbs2pzyc3qtalxk7g.jpg

If you run the same command again, this time it gives you “SSL certificate add failed. Error 1312” error

https://www.mediafire.com/convkey/3827/2i5ez96mlsy9kkn7g.jpg

In order to resolve this, make sure you have private key along with the certificate, when you install it on DDC server.

  • If you have IIS installed on the DDC server, generate csr from that DDC server itself. So, when you import the certificate given by your CA authority, it will link the private key automatically.
  • If IIS is not installed on your DDC server, generate CSR from another windows machine and import the certificate given by your CA authority on that server. It will link the private key automatically. Export that certificate along with private key as pfx format and import it in your DDC server.

Now run the above netsh command again. If you still endup in parameter incorrect error, run netsh commands as shown below.

https://www.mediafire.com/convkey/9168/b21z3co9rtweqzf7g.jpg

Importing pfx certificate

Use the below commands to import a pfx certificate on server core OS. You cannot import a pfx certificate remotely to a different server.

1
2

$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -FilePath C:\mypfx.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password

Want to learn more on Citrix Automations and solutions???

Subscribe to get our latest content by email.

If you like our content, please support us by sponsoring on GitHub below:
Updated on 2022-05-06