by Ray Kareer
Citrix has a guide on how to create/bind your SSL Server Certificate to the Citrix Broker Service in order to secure your communication between Storefront and your Delivery Controllers. Setting it up for VirtualApps and VitualDesktops 7.x for the first time can be done by following CTX130213 article for XenDesktop 5.
Here are some of the links I used for this article:
https://support.citrix.com/article/CTX130213
https://docs.microsoft.com/en-us/windows/desktop/Http/add-sslcert
https://docs.microsoft.com/en-us/powershell/module/networktransition/add-netiphttpscertbinding?view=win10-ps
However, once you have this set up, there will be a need to re-bind a renewed SSL server Certificate to the Citrix Broker Service before the certificate is about to expire. So I decided to make a simple PowerShell script that can do the binding for you once you have a new certificate imported on your Delivery Controller’s personal store all ready to go. The following script can be run from the Delivery Controller once the new Certificate is imported into the computer’s Personal store to quickly bind it to the Citrix Broker Service on port 443 applying to all the local IPv4 addresses of the server. It can bind a valid certificate that matches the server hostname if not yet bound. It can also replace the binding of an old certificate with a new one if your certificate is either expired or about to expire within the next 60 days.
NOTE: You will need to “RunAs” administrator in PowerShell in order to be able to bind the certificates.
###SCRIPT BEGINS HERE###
########################################
## SSL Cert Update for Citrix Broker Service ##
## By: Ray Kareer 2019-01-23 ##
########################################
Write-Host “This script should be run on the delivery controller to bind your imported SSL Certificate to the Citrix Broker Service”
Write-Host “Please make sure that you’ve imported a valid server SSL certificate on your Controller/Broker server.
Write-Host “You should only have two certificates in your personal store. The new one and the one you want to replace (due to expire)”
Write-Host “If there is already a bound SSL certificate, it must be expiring within the next 60 days or expired for this to work”
“”
netsh http show sslcert
“”
$continue = Read-Host “Would you like to Continue? Y/N”
“”
If ($continue -eq “y” -or $continue -eq “Y”) {
“”
Write-Host “Getting the AppID for the Citrix Broker Service”
Write-Host “————————————————–“
$appID = Get-ChildItem HKLM:\software\Classes\Installer\Products | Get-ItemProperty | where {$_.ProductName -match “Citrix Broker Service”} | foreach {$_.PSPath.ToString().Split(“\”)[6]}
if ($appID) {
$appID = $appID.Insert(20,”-“)
$appID = $appID.Insert(16,”-“)
$appID = $appID.Insert(12,”-“)
$appID = $appID.Insert(8,”-“)
$appID = “{$appID}”
} else {Write-Host “Error: Unable to find Citrix Broker Service”
break
}
Write-Host “Citrix Broker Service AppID = $appID”
“”
Write-Host “Getting the current SSL Cert expiring withing the next 60 days”
$expiringCert = ls Cert:\LocalMachine\My -ExpiringInDays 60
If (-not $expiringCert) {
Write-Host “Unable to find an expiring certificate within the next 60 days”
Write-Host “Looking for expired certificate”
$expiredCert = ls Cert:\LocalMachine\My -ExpiringInDays 0
If ($expiredCert) {
“”
Write-Host “>>> YOUR CERTIFICATE HAS ALREADY EXPIRED !!! <<<“
$expiringCert = $expiredCert
$expiredCert
} else {“”
Write-Host “>>> No server certificates expiring in the next 60 days found! <<<“}
}
“”
Write-Host “Finding a valid Server SSL Cert that is not currently bound to the Citrix Broker Service”
$computername = $env:computername
$certs = ls Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -notmatch $expiringCert.Thumbprint -and $_.Subject -match $computername}
if (-not $certs) {
$certs = ls Cert:\LocalMachine\My | Where-Object {$_.Subject -match $computername}
}
$myCert = $certs | Select-Object -ExpandProperty Thumbprint | foreach {$_}
If ($certs) {
Write-Host “Found a valid Server SSL CertHash: $myCert”
$bind = Read-Host “Would you like to Bind the certificate to the Citrix Broker Service? Y/N”
If ($bind -eq “y”) {
Write-Host “Binding new cert hash to the Citrix Broker Service”
Remove-NetIPHttpsCertBinding
Add-NetIPHttpsCertBinding -IpPort “0.0.0.0:443” -CertificateHash $myCert -CertificateStoreName “My” -ApplicationId $appID -NullEncryption $false
netsh http show sslcert
}else {Write-Host “Cancelled binding!” }
}else {Write-Host “Could not find a new valid certificate”}
}
pause
###SCRIPT ENDS HERE###
Please let me know if you have any issues or if there are any corrections.