Know Citrix

Secure XML Traffic Between Storefront and Delivery Controller (DDC)

Posted on May 6, 2022

To secure XML traffic from StoreFront to the DDC, install a certificate on the DDC. If IIS is installed on the DDC server, mapping the certificate to port 443 is a very straightforward process. If IIS is not installed on the DDC server, install the certificate on the DDC server and run netsh commands to link that certificate to the Citrix DDC software. Start by running the commands below in a PowerShell console.

dir Cert:\LocalMachine\My
Get-WmiObject -Class Win32_Product | Where-Object Name -eq "Citrix Broker Service"
Commands displaying thumbprint of certificate and broker service

Now map the certificate thumbprint to the Citrix Broker Service. Run the command below in an elevated command prompt or PowerShell console.

netsh http add sslcert ipport=0.0.0.0:443 certhash=08F8D67404322E03927C4931BFE4AF625945C904 appid={80EF19EA-BC65-4DAA-B241-F6A68C702A94}

Here, in place of 0.0.0.0, you can also use the IP address of your DDC server. If everything is good, you should see the message “SSL certificate successfully added” on your screen.

Wherever you have used the DDC URL, such as in StoreFront (SF) or NetScaler, change the path to https, for example https://ddc1.company.com. Also open https://ddc1.company.com in your browser. Because the certificate mapping is complete, you should not see any certificate errors in your browser. If IIS is installed, you will see a default page. If not, you will see a page-not-found error but no certificate error.

Troubleshooting

Even when all the above steps are followed, you might get a “The parameter is incorrect” error.

If you run the same command again, this time it gives you an “SSL certificate add failed. Error 1312” error.

To resolve this, make sure the private key is present along with the certificate when you install it on the DDC server.

  • If IIS is installed on the DDC server, generate the CSR from that DDC server itself. When you then import the certificate issued by your certificate authority (CA), it links to the private key automatically.
  • If IIS is not installed on your DDC server, generate the CSR from another Windows machine and import the certificate issued by your CA on that machine. It links to the private key automatically. Export that certificate along with the private key in PFX format and import it on your DDC server.

Now run the above netsh command again. If you still end up with the parameter incorrect error, run the netsh commands as shown below.

Importing a PFX certificate:

Use the commands below to import a PFX certificate on a Server Core OS. You cannot import a PFX certificate remotely to a different server.

$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -FilePath C:\mypfx.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password
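
A pre-flight check for the binding, as an added example that is not from the original post: it confirms that the imported certificate carries a private key and is within its validity period before calling netsh, then reads the binding back. The thumbprint and appid are the values used in this post; the variable names are assumptions.

```powershell
# Added example: validate the certificate before binding it to port 443.
# Thumbprint and appid are the values shown in this post; replace with your own.
$thumb  = '08F8D67404322E03927C4931BFE4AF625945C904'
$appId  = '{80EF19EA-BC65-4DAA-B241-F6A68C702A94}'
$ipPort = '0.0.0.0:443'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }

if (-not $cert) {
    throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    # The condition the Troubleshooting section describes.
    throw "Certificate has no private key; import it as a PFX first."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

# An existing binding on the same ip:port makes 'add' fail, so look first.
# When a binding exists, the output lists the ip:port value.
$existing = & netsh http show sslcert "ipport=$ipPort"
if ($existing -match [regex]::Escape($ipPort)) {
    throw "A binding already exists on $ipPort; review it before changing it."
}

# Each name=value pair is passed as one quoted string so the braces in the
# appid reach netsh as literal text.
& netsh http add sslcert "ipport=$ipPort" "certhash=$thumb" "appid=$appId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh returned exit code $LASTEXITCODE."
}

# Read the binding back to confirm the hash and application ID.
& netsh http show sslcert "ipport=$ipPort"
```

Run it from an elevated PowerShell console on the DDC server.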

Other ways to try (but they still did not work for me)

netsh http add sslcert ipport=0.0.0.0:443 certhash=08F8D67404322E03927C4931BFE4AF625945C904 appid='{80EF19EA-BC65-4DAA-B241-F6A68C702A94}'
netsh http add sslcert ipport=0.0.0.0:443 appid='{80EF19EA-BC65-4DAA-B241-F6A68C702A94}' certhash=08F8D67404322E03927C4931BFE4AF625945C904
