
Citrix XenApp/XenDesktop 7.9 Configure SSL/TLS on the Delivery Controller


By default XenApp and XenDesktop Delivery Controllers use plain HTTP (port 80) for the broker/XML traffic that StoreFront sends them, so those requests, including user credentials passed through for authentication, travel in clear text. This article goes through the steps to encrypt traffic sent to the Delivery Controller using TLS on port 443.

First the Delivery Controller needs a server certificate issued by a CA that the StoreFront servers trust, so open the MMC console.

Click on File > Add/Remove Snap-in...

Select Certificates from the list and click Add.

Select Computer account, because the certificate and its private key must be available to the machine itself rather than to a user or a service. Click Next.

Leave Local computer selected and click Finish.

Expand Certificates and select Personal. If the machine has no certificates yet, the store will be empty.

Right click on Personal and click on All Tasks > Request New Certificate...

Click Next.

Active Directory Enrollment Policy should already be selected; click Next.

Select Computer from the list and click Enroll. The Computer template issues a certificate whose subject is the machine's Active Directory FQDN and which carries the Server Authentication usage, so StoreFront must be configured to address the Delivery Controller by that FQDN for the certificate to validate.

Click Finish.

The certificate should now appear under Certificates > Personal > Certificates.

The next step is to retrieve the GUID of the Citrix Broker Service, which is recorded in the registry. Open Regedit.

Navigate to HKEY_CLASSES_ROOT\Installer\Products.

Expand the Products key and find the subkey whose ProductName value is Citrix Broker Service. Copy the name of that subkey, because it is the product's GUID.

Open Notepad, enter add sslcert ipport=0.0.0.0:443 certhash= appid={} and paste the GUID between the braces.

Format the GUID so it looks like {11111111-2222-3333-4444-555555555555}, with dashes between the blocks of 8, 4, 4, 4 and 12 characters. The registry key name is the Windows Installer packed form of the product code, so the dashed string is not byte-for-byte the Broker Service's real GUID; that does not matter here, because HTTP.sys uses appid only as a label for the application that owns the binding and does not validate it against anything, so any well-formed GUID is accepted.

Go back into Regedit and locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates. Each subkey under it is named with the SHA-1 thumbprint of a certificate in the computer's Personal store. Copy the name of the subkey belonging to the certificate just enrolled and go back to Notepad.

If multiple certificates appear under this key and you are unsure which one you want, open the Certificates MMC snap-in, go to Personal > Certificates, double-click the certificate, click the Details tab, scroll down to Thumbprint and select it. The hash appears in the box below the field list. If you copy it from that box, remove the spaces between the byte pairs, and if netsh later rejects the command with "The parameter is incorrect", delete and retype the first character: text copied from this dialog often carries an invisible leading character that netsh cannot parse.

Paste the thumbprint straight after certhash= and copy the entire command to the clipboard.

Open a Command Prompt with elevated privileges, run netsh, enter the http context by typing http and pressing Enter, and paste the command from Notepad. It should report SSL Certificate successfully added. Confirm the binding with show sslcert ipport=0.0.0.0:443, which should list the same thumbprint and application ID, then type exit to leave netsh.
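The registry lookup, thumbprint selection and netsh binding above, as an added PowerShell example that is not part of the original article. It assumes the Computer certificate has already been enrolled, that StoreFront will address this Controller by its Active Directory FQDN, and that the Broker Service product key carries the ProductName value "Citrix Broker Service" as shown in the registry; the Convert-PackedGuid helper is my own name, not a Citrix or Microsoft cmdlet. It goes one step beyond the article by unpacking the Windows Installer key name into the real product GUID, although, as noted above, the binding works with either form of appid.

```powershell
# Added example: bind the machine certificate to 0.0.0.0:443 for the Citrix Broker Service.
#Requires -RunAsAdministrator

# StoreFront is assumed to use the AD FQDN of this Controller.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Pick the certificate: private key present, currently valid, Server Authentication
#    EKU (1.3.6.1.5.5.7.3.1) and a name that matches the FQDN. Newest expiry wins.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        (($_.DnsNameList.Unicode -contains $fqdn) -or ($_.Subject -like "CN=$fqdn*"))
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $fqdn in Cert:\LocalMachine\My" }
# The Thumbprint property is plain hex with no spaces or hidden characters,
# unlike text copied from the MMC Details tab.
$certhash = $cert.Thumbprint

# 2. Locate the Broker Service under HKCR\Installer\Products by ProductName
#    (assumed value: 'Citrix Broker Service') instead of scanning key names by eye.
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
$product = Get-ChildItem HKCR:\Installer\Products |
    Where-Object { (Get-ItemProperty $_.PSPath).ProductName -eq 'Citrix Broker Service' } |
    Select-Object -First 1
if (-not $product) { throw 'Citrix Broker Service not found under HKCR\Installer\Products' }
$packed = $product.PSChildName   # 32 hex characters, Windows Installer packed form

# 3. Unpack the key name into a normal GUID. Windows Installer reverses the first
#    three groups and swaps each character pair of the last two groups; the same
#    operations undo the packing. HTTP.sys treats appid only as an owner label,
#    so the article's "just add dashes" value would be accepted as well.
function Convert-PackedGuid([string]$p) {
    function rev([string]$s)  { -join ($s.ToCharArray()[-1..-($s.Length)]) }
    function swap([string]$s) {
        -join (0..($s.Length / 2 - 1) | ForEach-Object { $s.Substring(2 * $_ + 1, 1) + $s.Substring(2 * $_, 1) })
    }
    $a = rev  $p.Substring(0, 8)
    $b = rev  $p.Substring(8, 4)
    $c = rev  $p.Substring(12, 4)
    $d = swap $p.Substring(16, 4)
    $e = swap $p.Substring(20, 12)
    return "{$a-$b-$c-$d-$e}"
}
$appid = Convert-PackedGuid $packed

# 4. Replace any stale binding on 443, add the new one and show it back for verification.
netsh http delete sslcert ipport=0.0.0.0:443 2>$null | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$certhash" "appid=$appid"
netsh http show sslcert ipport=0.0.0.0:443
```

Run it in an elevated PowerShell session on the Delivery Controller. The final show sslcert output is the check to keep: the Certificate Hash must equal the thumbprint of the certificate whose subject StoreFront will connect to, otherwise StoreFront's TLS validation of the Controller will fail even though netsh reported success.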

That is all that is needed on the Delivery Controller. Now configure StoreFront to communicate with the Delivery Controllers over HTTPS on port 443 instead of HTTP, using the FQDN that appears in the certificate, and make sure the StoreFront servers trust the CA that issued it.
