From a security perspective, enabling SSL to secure XML and STA traffic from StoreFront servers or NetScalers to on-prem Delivery Controllers or on-prem Cloud Connectors is a task that everyone working on securing a Citrix infrastructure should take into consideration. In this case we are going to focus on how to enable SSL on Citrix Cloud Connectors.
I assume you already have a certificate in PFX format in place (a wildcard or a SAN certificate that includes all FQDNs of your Citrix Cloud Connectors).
It is important to make sure that the certificate's intended purposes are Server Authentication and Client Authentication.

Start by installing the certificate on all your Citrix Cloud Connectors. When that is done and everything looks alright, we will use a built-in utility called "netsh", which allows us to bind an SSL certificate to a specific port on the Windows-based Cloud Connectors.

Attention: before proceeding, make sure IPv6 is disabled if you are specifying an IPv4 address.

Start the command prompt as administrator and run the following command:

netsh http add sslcert ipport=<IP address>:<Port Number> certhash=<Certificate Hash Number> appid={<Citrix Broker Service GUID>}

where:
1. IP address is 0.0.0.0 (all IPv4 addresses of the server)
2. Certificate Hash Number is the certificate's hash, which can be found in two different locations:
2.1 Location one is the registry key on each Cloud Connector server under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates"
2.2 Location two is the certificate's Thumbprint

3. Citrix Broker Service GUID is located in the registry as well and can be found by searching for "Citrix Broker Service" under the following key: "HKEY_CLASSES_ROOT\Installer\Products"


What's important here is to notice that the GUID in the registry is presented without dashes. It needs to be converted to the 8-4-4-4-12 format.
In my case I’ll end up with the following: A4860720-78B0-B814-988E-B2A642CDE232

Now run the following command to enable SSL on each cloud connector:

netsh http add sslcert ipport=0.0.0.0:443 certhash=70BF8F2FD09947CD27B23BA3AA619DC4BEDC1413 appid={A4860720-78B0-B814-988E-B2A642CDE232}
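As an added example (not code from the original post or from Citrix), the following PowerShell script carries out the steps above on one Cloud Connector: it picks the certificate in LocalMachine\My that carries both the Server Authentication and Client Authentication purposes mentioned earlier and matches the connector's FQDN, cross-checks its thumbprint against the SystemCertificates registry key, converts the dash-less product code found under HKEY_CLASSES_ROOT\Installer\Products into the 8-4-4-4-12 form by inserting dashes as the post describes, refuses to overwrite an existing binding on the port, adds the binding with netsh, and reads it back to verify that the stored hash is the intended one. The FQDN connector01.example.internal is a placeholder, the ProductName value name under each Installer\Products key is an assumption, and the script assumes an elevated prompt.

```powershell
# Added example (not from the original post): bind the connector certificate
# to 0.0.0.0:443 with netsh after checking the certificate and deriving the
# Citrix Broker Service GUID. Assumes an elevated prompt on the Cloud Connector.
param(
    [string]$ConnectorFqdn = 'connector01.example.internal',   # placeholder, replace
    [string]$IpPort        = '0.0.0.0:443'
)

$ErrorActionPreference = 'Stop'

# OIDs of the two intended purposes the certificate must carry.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ConnectorSslCertificate {
    param([string]$Fqdn)
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
    }
    foreach ($cert in $candidates) {
        # Enhanced Key Usage extension (OID 2.5.29.37) lists the intended purposes.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { continue }
        $purposes = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages |
            ForEach-Object { $_.Value }
        if ($purposes -notcontains $ServerAuthOid -or $purposes -notcontains $ClientAuthOid) { continue }

        # Collect DNS names from the SAN extension (OID 2.5.29.17), plus the CN as fallback.
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($false) -split ',\s*') |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        }
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        # A wildcard name matches exactly one label (*.example.internal).
        $match = $names | Where-Object {
            $pattern = '^' + [regex]::Escape($_).Replace('\*', '[^.]+') + '$'
            $Fqdn -match $pattern
        }
        if ($match) { return $cert }
    }
    throw "No usable certificate for $Fqdn with Server and Client Authentication found in LocalMachine\My"
}

function Get-CitrixBrokerAppId {
    # Installer\Products stores the product code without dashes; netsh wants 8-4-4-4-12.
    # The 'ProductName' value name under each product key is an assumption.
    foreach ($p in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\Installer\Products') {
        $name = (Get-ItemProperty -Path $p.PSPath -Name ProductName -ErrorAction SilentlyContinue).ProductName
        if ($name -like '*Citrix Broker Service*') {
            return [guid]::ParseExact($p.PSChildName, 'N').ToString('D').ToUpper()
        }
    }
    throw 'Citrix Broker Service product key not found under HKEY_CLASSES_ROOT\Installer\Products'
}

function Set-ConnectorSslBinding {
    param([string]$IpPort, [string]$Thumbprint, [string]$AppId)
    # Do not clobber an existing binding silently; show it and stop.
    $existing = & netsh http show sslcert "ipport=$IpPort" 2>&1
    if (($existing -join "`n") -match 'Certificate Hash') {
        Write-Warning "A binding already exists on $IpPort; remove it first with: netsh http delete sslcert ipport=$IpPort"
        return $existing
    }
    & netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid={$AppId}"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
    # Read the binding back and confirm the hash netsh stored is the one we intended.
    $bound = & netsh http show sslcert "ipport=$IpPort"
    if (($bound -join "`n") -notmatch [regex]::Escape($Thumbprint)) { throw 'Binding verification failed' }
    return $bound
}

$cert = Get-ConnectorSslCertificate -Fqdn $ConnectorFqdn

# Cross-check "location one" from the post: the key name under SystemCertificates\MY is the thumbprint.
$regKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$($cert.Thumbprint)"
if (-not (Test-Path $regKey)) { Write-Warning "Thumbprint $($cert.Thumbprint) not found under $regKey" }

$appId = Get-CitrixBrokerAppId
Write-Host "Certificate : $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"
Write-Host "Broker AppId: {$appId}"
Set-ConnectorSslBinding -IpPort $IpPort -Thumbprint $cert.Thumbprint -AppId $appId
```

Run it once per Cloud Connector from an elevated PowerShell prompt, passing the connector's own FQDN. The read-back at the end is the useful part operationally: netsh accepts a certhash it cannot find in the store at add time, and the binding then fails only when the first client connects, so confirming the stored hash immediately after adding it catches a typo before StoreFront or the NetScaler does.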