Binding your SSL Server Certificate to the Citrix Broker Service

By Ray Kareer posted 10 days ago

  
Citrix has a guide on how to create/bind your SSL Server Certificate to the Citrix Broker Service in order to secure the communication between StoreFront and your Delivery Controllers. Setting it up for the first time can be done by following CTX130213 for XenDesktop 5, since Citrix's article for XenDesktop/XenApp 7.x (CTX130213) is not so useful.

Here are some of the links I used for this article:

https://support.citrix.com/article/CTX200415
https://support.citrix.com/article/CTX130213
https://docs.microsoft.com/en-us/windows/desktop/Http/add-sslcert

However, once you have this set up, you will need to re-bind a renewed SSL server certificate to the Citrix Broker Service before the current certificate expires. So I decided to make a simple PowerShell script that does the binding for you once the new certificate has been imported into the Delivery Controller's Personal store. The following script is run on the Delivery Controller after the new certificate is imported into the computer's Personal store; it binds the certificate to the Citrix Broker Service on port 443 for all local IPv4 addresses of the server (0.0.0.0:443). It binds a valid certificate that matches the server hostname if nothing is bound yet, and it replaces the binding of an old certificate with the new one if the old certificate is either expired or about to expire within the next 60 days.

NOTE: You will need to "RunAs" administrator in PowerShell in order to be able to bind the certificates.

###SCRIPT BEGINS HERE###

########################################
## SSL Cert Update for Citrix Broker Service ##
## By: Ray Kareer 2019-01-23 ##
########################################

Write-Host "This script should be run on the delivery controller to bind your imported SSL Certificate to the Citrix Broker Service"
Write-Host "If there is already a bound SSL certificate, it must be expiring within the next 60 days or expired for this to work"
""
netsh http show sslcert
""
$continue = Read-Host "Would you like to Continue? Y/N"
""

If ($continue -eq "y" -or $continue -eq "Y") {
""
Write-Host "Getting the AppID for the Citrix Broker Service"

Write-Host "--------------------------------------------------"
# The key name under Installer\Products is the 32-hex-digit product code of the Broker Service MSI.
# PSChildName gives that key name directly, so there is no need to split the full provider path.
$appID = Get-ChildItem HKLM:\software\Classes\Installer\Products |
    Get-ItemProperty |
    Where-Object { $_.ProductName -match "Citrix Broker Service" } |
    Select-Object -First 1 -ExpandProperty PSChildName
if ($appID) {
    # Re-insert the dashes and braces to get the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form the binding expects
    $appID = $appID.Insert(20,"-").Insert(16,"-").Insert(12,"-").Insert(8,"-")
    $appID = "{$appID}"
} else {
    Write-Host "Error: Unable to find Citrix Broker Service"
    return    # stop the script here ('break' outside a loop is not the right way to do this)
}

Write-Host "Citrix Broker Service AppID = $appID"

""
Write-Host "Getting the current SSL Cert expiring within the next 60 days"

# -ExpiringInDays returns certificates whose NotAfter is within the given number of days (already-expired ones included)
$expiringCert = Get-ChildItem Cert:\LocalMachine\My -ExpiringInDays 60

If (-not $expiringCert) {
    Write-Host "Unable to find an expiring certificate within the next 60 days"
    Write-Host "Looking for expired certificate"
    $expiredCert = Get-ChildItem Cert:\LocalMachine\My -ExpiringInDays 0
    If ($expiredCert) {
        ""
        Write-Host ">>> YOUR CERTIFICATE HAS ALREADY EXPIRED !!! <<<"
        $expiringCert = $expiredCert
        $expiredCert
    } else {
        ""
        Write-Host ">>> No server certificates expiring in the next 60 days found! <<<"
    }
}

""
Write-Host "Finding a valid Server SSL Cert that is not currently bound to the Citrix Broker Service"
$computername = $env:computername

# There may be more than one expiring/expired certificate, so collect all their thumbprints and
# exclude every one of them; keep only certificates whose Subject names this server.
$expiringThumbprints = @($expiringCert | ForEach-Object { $_.Thumbprint })
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $expiringThumbprints -notcontains $_.Thumbprint -and $_.Subject -match $computername }
if (-not $certs) {
    # Nothing new found: fall back to any certificate issued to this server (first-time binding case)
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $computername }
}

# Only a single hash can be bound, so if several candidates remain take the one that is valid the longest
$myCert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1 -ExpandProperty Thumbprint

If ($certs) {
    Write-Host "Found a valid Server SSL CertHash: $myCert"
    $bind = Read-Host "Would you like to Bind the certificate to the Citrix Broker Service? Y/N"
    If ($bind -eq "y") {    # -eq is case-insensitive, so "Y" is accepted too
        Write-Host "Binding new cert hash to the Citrix Broker Service"
        # Remove any existing 0.0.0.0:443 binding first; suppress the error when nothing is bound yet
        Remove-NetIPHttpsCertBinding -ErrorAction SilentlyContinue
        Add-NetIPHttpsCertBinding -IpPort "0.0.0.0:443" -CertificateHash $myCert -CertificateStoreName "My" -ApplicationId $appID -NullEncryption $false
        netsh http show sslcert
    } else { Write-Host "Cancelled binding!" }

} else { Write-Host "Could not find a new valid certificate" }

}
pause
###SCRIPT ENDS HERE###
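To confirm what is actually bound after running the script, or to check ahead of time whether a re-bind is due, here is an added helper that is not part of the script above: it parses the output of `netsh http show sslcert` into objects, looks the bound thumbprint up in the computer's Personal store and applies the same 60-day rule. It assumes the English field labels netsh prints (IP:port, Certificate Hash, Application ID, Certificate Store Name) and the 0.0.0.0:443 binding used above; the function names are my own.

```powershell
# Added example (not part of the script above): check the Broker Service SSL binding on 0.0.0.0:443.
# Assumes the English field labels that netsh prints on an English Windows Server.
function Get-HttpSslBinding {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }      # start of the next binding block
            $current = [pscustomobject]@{
                IpPort = $matches[1]; CertificateHash = $null
                ApplicationId = $null; StoreName = $null
            }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertificateHash = $matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.ApplicationId = $matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.StoreName = $matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-BrokerSslBinding {
    param([string]$IpPort = '0.0.0.0:443', [int]$WarnDays = 60)
    $binding = Get-HttpSslBinding | Where-Object { $_.IpPort -eq $IpPort }
    if (-not $binding) { Write-Warning "No SSL certificate is bound on $IpPort"; return }
    # netsh prints the hash in lower case; -eq is case-insensitive, so it matches the Cert: thumbprint
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
    $daysLeft = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
    [pscustomobject]@{
        IpPort         = $IpPort
        ApplicationId  = $binding.ApplicationId
        Thumbprint     = $binding.CertificateHash
        InMachineStore = [bool]$cert
        Subject        = if ($cert) { $cert.Subject } else { '(hash not found in Cert:\LocalMachine\My)' }
        NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
        DaysLeft       = $daysLeft
        # same rule as the script: re-bind when the bound cert is missing, expired or expiring within 60 days
        NeedsRebind    = (-not $cert) -or ($daysLeft -le $WarnDays)
    }
}

Test-BrokerSslBinding | Format-List
```

NeedsRebind is True when the bound hash is not in the machine store at all, which is the case after an old certificate has been deleted but the binding was never updated.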



Please let me know if you have any issues or if there are any corrections.
#Security
#PowerShell
#CitrixBrokerService