Replace SSL certificates on Citrix Storefront and Delivery Controller

The Storefront console will display a warning when the certificate is about to expire.

Perform the following steps on the Storefront or Delivery Controller server:

  • Request a new certificate (from either an internal or a public Certification Authority) via the MMC Certificates snap-in -> Computer Store.
  • Open IIS Manager.
  • Expand server name and sites.
  • Right-click the site where Citrix for web is published (probably Default Site if you are not sure).
  • Click “Edit Bindings…”
  • Highlight the https binding, and click “Edit”.
  • Replace the current certificate with the newly requested certificate (compare thumbprints if the names are identical).
  • Export the old certificate from MMC (with private key if possible) and remove it from the computer store.
  • Open command prompt as administrator, and run “iisreset -noforce”, or simply restart the “World Wide Web Publishing Service” from Services.msc.
  • Note that the site / service will be unavailable during the service restart.

Check the certificate being used when you browse the Storefront URL after the swap to make sure the new certificate is active (click the padlock in the browser address bar). You should also make sure the Storefront console no longer shows a warning about the expiring certificate.

Check the certificate being used on the Delivery Controller with netsh:

  • Run command prompt as administrator.
  • Type “netsh http show ssl”, and note the “Certificate Hash” presented on binding 0.0.0.0:443.
  • Compare the Certificate Hash with the Thumbprint of the new certificate. If they do not match, the certificate has not been replaced. I would then suggest a reboot of the Delivery Controller.
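
The two thumbprint comparisons described above (when picking the certificate in the IIS binding, and in the netsh check) can be scripted. The PowerShell below is an added example, not part of the original post; it assumes English-language netsh output, and storefront.example.com is a placeholder for the name on your certificate.

```powershell
# Added example. Run in an elevated PowerShell session on the Storefront
# or Delivery Controller server.
# Assumptions: English-language netsh output; $Subject is a placeholder.
$Subject = 'storefront.example.com'   # placeholder: name on your certificate
$IpPort  = '0.0.0.0:443'              # binding named in the steps above

# 1. Read the hash that HTTP.sys currently serves on the binding.
$match = netsh http show sslcert ipport=$IpPort |
    Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})' |
    Select-Object -First 1
if (-not $match) {
    throw "No certificate hash found for $IpPort. Is there an SSL binding on it?"
}
$boundHash = $match.Matches[0].Groups[1].Value.ToUpperInvariant()

# 2. List every certificate in the computer store with a matching subject.
#    Certificates with identical names are told apart by thumbprint and expiry.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Sort-Object -Property NotAfter -Descending
if (-not $candidates) {
    throw "No certificate with subject like '$Subject' in Cert:\LocalMachine\My."
}

$candidates |
    Select-Object Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'BoundTo443'; Expression = { $_.Thumbprint -eq $boundHash } } |
    Format-Table -AutoSize

# 3. Treat the certificate that expires last as the newly requested one
#    (an assumption of this example) and check that it is the one bound.
$newest = $candidates | Select-Object -First 1
if (-not $newest.HasPrivateKey) {
    Write-Warning "Newest certificate $($newest.Thumbprint) has no private key."
}
if ($newest.Thumbprint -eq $boundHash) {
    $days = [int](($newest.NotAfter - (Get-Date)).TotalDays)
    Write-Output "OK: $IpPort serves $boundHash, valid for $days more days."
} else {
    Write-Warning "$IpPort still serves $boundHash, expected $($newest.Thumbprint)."
}
```

If the old certificate still appears in the table after the swap, it has not yet been removed from the computer store.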
