Product documentation
Citrix Virtual Apps and Desktops
Current Release Service 2507 LTSR 2411 2407 2402 LTSR 2311 2203 LTSR
View PDF

Enable TLS on Delivery Controllers

December 11, 2025
Contributed by: 
C

To enable TLS on a delivery controller™, you must:

Requesting and installing a certificate

To use TLS, you must install a certificate whose Alternative Name includes the DDC’s FQDN. You must create a suitable certificate. This can be done using a Microsoft Certificate Authority or other internal or external certificate authorities.

Create certificate using Microsoft Certificate Authority

If the Microsoft Certificate Authority is integrated into an Active Directory domain or into the trusted forest the Delivery Controllers are joined to, you can acquire a certificate from the Certificates MMC snap-in Certificate Enrollment wizard. The Microsoft Certificate Authority needs to have a certificate template published suitable for use by web servers. If you are using a Citrix Gateway or a StoreFront™ server on a different domain then you need to export the Root Certification Authority Certificate and import it into the Citrix Gateway and StoreFront.

  1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

  2. Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.

    MMC Certificates snap-in

  3. Click Next to begin, and Next to confirm that you are acquiring the certificate from Active Directory enrollment.

  4. Select a suitable template such as Web Server Exportable. If the template has been set up to automatically provide the values for Subject you can click Enroll without providing more details.

    Request certificates dialog

  5. To provide more details for the certificate template, click the Details arrow button and configure the following:

    Subject name: select Common Name and add the FQDN of the Delivery Controller.

    Alternative name: select DNS and add the FQDN of the Delivery Controller.

    Certificate properties

  6. Press OK.

  7. Press Enroll to create an install the certificate

Install existing certificate file

If you have an existing certificate as a file then you can install it:

  1. On the Delivery Controller, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

  2. Expand Personal > Certificates, then use the All Tasks > Import context menu command.

  3. Browse for the certificate file.

Configuring SSL/TLS listener port

If the IIS Windows component is installed on the same server, which is installed as part of Web Studio and Director, you can configure TLS using IIS. For more information, see Enable TLS on Web Studio and Director. Otherwise, to configure the certificate using PowerShell:

  1. To check if there is an existing certificate bound, open an command prompt and run netsh http show sslcert:

    netsh http show sslcert
<!--NeedCopy-->

  2. If there is an existing binding then delete it.

    netsh http delete sslcert ipport=0.0.0.0:443
<!--NeedCopy-->

    Replacing 0.0.0.0:443 with a specific IP address and port if there was one specified in the existing binding.

  3. Find the thumbprint of the certificate you installed previously. To view the thumbprint, open Manage computer certificates, browse to the certificate and open it and go to the Details tab.

    Screenshot of certificate properties showing thumbprint

    Alternatively you can use PowerShell. For example the following script looks for a certificate whose common name matches the server’s host name and prints the thumbnail:

    $HostName = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match ("CN=" + $HostName)}).Thumbprint -join ';'
Write-Host -Object "Certificate Thumbprint for $($HostName): $($Thumbprint)" -Foreground Yellow
<!--NeedCopy-->

    If the certificate common name does not match the host names then this will fail. If there are multiple certificates for the host name then this returns multiple thumbprints concatenated together and you must choose the appropriate thumbprint.

    The following example looks for a certificate by friendly name:

    $friendlyName = "My certificate name"
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -eq $friendlyNam}).Thumbprint -join ';'
Write-Host -Object "Certificate Thumbprint for $friendlyName: $($Thumbprint)" -Foreground Yellow
<!--NeedCopy-->

    If there are multiple certificates with the specified friendly name then this returns multiple thumbprints concatenated together and you must choose the appropriate thumbprint.

  4. To bind the certificate to the port, use the netsh http add sslcert command:

    netsh http add sslcert ipport=[IP address]:443 certhash=[certificate hash] appid=[application GUID] disablelegacytls=enable
<!--NeedCopy-->

    • ipport: The IP address and port. Using 0.0.0.0:443 applies this to all IP addresses. You can instead specify a specific IP address.

    • certhash: The thumbprint of the certificate you identified in the previous step.

    • appid: The GUID of the Citrix Broker Service.

      Note:

      When renewing a certificate or rebinding, use the specific appid associated with the Broker Service rather than an arbitrary GUID.

      To find the correct appid for the Citrix Broker Service:

      1. Open a PowerShell command window as an administrator and run the following command:

         Get-WmiObject -Class Win32_Product | Select-String -Pattern "broker"
 <!--NeedCopy-->

      2. Locate the IdentifyingNumber (GUID) for the Citrix Broker Service in the output (for example, {D333C884-187F-447C-8C67-463F33989C8F}). Use this GUID for the appid parameter.

    • disablelegacytls=enable: Disables legacy versions of TLS. This parameter is available on Windows 2022 and higher. Windows 2022 it disables TLS 1.0 and 1.1. On Windows 2025 this is unnecessary as TLS 1.0 and 1.1 are disabled by default.

    For example, run the following command to bind the certificate with thumbprint bc96f958848639fd101a793b87915d5f2829b0b6 to port 443 on all IP addresses:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=bc96f958848639fd101a793b87915d5f2829b0b6 appid={91fe7386-e0c2-471b-a252-1e0a805febac} disablelegacytls=enable
<!--NeedCopy-->

Once HTTPS is enabled, you should configure any StoreFront deployments and Netscaler Gateways to use HTTPS instead of HTTP to connect to the delivery controller.

Configure cipher suites

The cipher suite order list must include the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suites (or both); and these cipher suites must precede any TLS_DHE_ cipher suites.

  1. Using the Microsoft Group Policy Editor, browse to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. Edit the policy “SSL Cipher Suite Order”. By default, this policy is set to “Not Configured”. Set this policy to Enabled.
  3. Arrange suites in the correct order; remove any cipher suites suites you do not want to use.

Ensure that either TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 precedes any TLS_DHE_ cipher suites.

On Microsoft Learn, see also Configuring TLS Cipher Suite Order.

Enforce HTTPS traffic only

It is recommended that you configure the XML Service to ignore HTTP traffic.

  1. Run regedit
  2. Open HKLM\Software\Citrix\DesktopServer\
  3. Create a new DWORD value with name XmlServicesEnableNonSsl and set it to 0.
  4. Restart the Broker Service.

There is a corresponding registry DWORD value XmlServicesEnableSsl you can create to ignore HTTPS traffic. Ensure that it is not set to 0.

Change HTTP or HTTPS ports

By default, the XML Service on the Controller listens on port 80 for HTTP traffic and port 443 for HTTPS traffic. Although you can use non-default ports, be aware of the security risks of exposing a Controller to untrusted networks. Deploying a standalone StoreFront server is preferable to changing the defaults.

To change the default HTTP or HTTPS ports used by the Controller, run the following command from Studio:

BrokerService.exe -StoreFrontPort <http-port> -StoreFrontTlsPort <https-port>

where <http-port> is the port number for HTTP traffic and <https-port> is the port number for HTTPS traffic.

Note:

After changing a port, Studio might display a message about license compatibility and upgrading. To resolve the issue, re-register service instances using the following PowerShell cmdlet sequence:

Get-ConfigRegisteredServiceInstance -ServiceType Broker -Binding XML_HTTPS |
Unregister-ConfigRegisteredServiceInstance
Get-BrokerServiceInstance | where Binding -eq "XML_HTTPS" |
Register-ConfigServiceInstance
<!--NeedCopy-->
Enable TLS on Delivery Controllers
December 11, 2025
Contributed by: 
C
December 11, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.