There are two types of certificates that have to be updated or renewed on Citrix Delivery Controllers:
Update the Thumbprint after Server certificate renewal in Citrix Delivery Controller
To secure Broker Service traffic on the Delivery Controller, we need to install a server certificate. After renewing that certificate, we need to update the thumbprint and bind the new SSL certificate on the Citrix Delivery Controller. The appid has to be the same on all the Citrix Delivery Controllers in the site. Certificates created by the certification authority MUST contain the private key (PKCS #12 [*.PFX]).
1. Install the certificate in the Personal folder.
2. Check the thumbprint of the new certificate using the command below
dir cert:\localmachine\my
3. Check the application ID using the command below
gwmi win32_product | where name -eq "citrix broker service"
4. Check the existing thumbprint using the command below and note down the existing certhash and appid
netsh http show ssl
5. From the new certificate, locate the thumbprint and make a note of that value, which is the certificate hash number. Note: Write all letters in capitals and without spaces.
6. Delete the existing SSL certificate binding using the command below
netsh http delete sslcert ipport=0.0.0.0:443
7. Run the command below with the new certificate thumbprint (certificate hash number) and the application ID.
netsh http add sslcert ipport=0.0.0.0:443 certhash=<Certificate Hash Number> appid='{<Citrix Broker Service APPID>}'
8. Run the command below again to verify the new thumbprint
netsh http show ssl
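A check that can be run after step 8, as an added example that is not part of the original post: it cleans up a pasted thumbprint, confirms the certificate is in the Personal store with its private key and is not expired, and compares it with the hash bound to 0.0.0.0:443. The function names are hypothetical and the parsing assumes English netsh output.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Delivery Controller. Function names are hypothetical.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # Drop spaces, colons and invisible characters picked up when copying
    # from the certificate dialog; keep hex digits only, upper-cased.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Test-BrokerCertBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$IpPort = '0.0.0.0:443'
    )
    $tp = ConvertTo-CleanThumbprint $Thumbprint

    # The certificate must sit in the computer's Personal store with its key.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
    if (-not $cert) { throw "Certificate $tp not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $tp expired $($cert.NotAfter)" }

    # Read the hash and application ID currently bound to this ip:port.
    # Assumes English netsh output ("Certificate Hash", "Application ID").
    $boundHash = $null; $boundApp = $null
    foreach ($line in (netsh http show sslcert ipport=$IpPort)) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $boundHash = $Matches[1].ToUpperInvariant() }
        if ($line -match 'Application ID\s*:\s*(\{[^}]+\})') { $boundApp = $Matches[1] }
    }
    if (-not $boundHash) { throw "No SSL certificate binding found for $IpPort" }

    [pscustomobject]@{
        Thumbprint     = $tp
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        BoundHash      = $boundHash
        ApplicationId  = $boundApp   # compare with the appid from step 3
        BindingMatches = ($boundHash -eq $tp)
    }
}

# Usage: Test-BrokerCertBinding -Thumbprint '<new certificate thumbprint>'
```

Run it on every Delivery Controller in the site and compare the ApplicationId values, since the appid has to be the same on all of them.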
Update Thumbprint in Citrix Delivery Controllers After Certificate Renewal in vCenter
To secure the communication between the Delivery Controller and vCenter, we need to update the thumbprint of the vCenter SSL certificate in the Citrix Delivery Controller. The SSL certificate thumbprints of the vCenter hypervisor connections are stored in the SQL table "HostingUnitServiceSchema.HypervisorConnectionSSLThumbprint" within the XenDesktop site database.
1. Get the new SSL certificate thumbprint from vCenter and write it in capital letters and without spaces.
Example: New Certificate Thumbprint
7EBABBCECEB3973F7284307682C662F057C8A3B6
2. Run the command below to find the vCenter connection name
Get-Item XDHyp:\Connections\*
Example: vCenter Connection Name
ctxvcp01-desktops
3. Provide the service account credential used to connect to vCenter with the command below
$cred = Get-Credential
4. Run the command below with the vCenter connection name, the new thumbprint and the vCenter URL to update the thumbprint.
Set-Item -LiteralPath "XDHyp:\Connections\ctxvcp01-desktops" -username $cred.username -securepassword $cred.password -sslthumbprint "7EBABBCECEB3973F7284307682C662F057C8A3B6" -hypervisorAddress https://ctxvmwarevc.myxenapp.com