Product documentation
Citrix Virtual Apps and Desktops
Service Current Release 2407 2402 LTSR 2311 2308 2305 2303 2212 2209 2206 2203 LTSR 1912 LTSR
View PDF

Manage certificates

March 21, 2025
Contributed by: 
C

TLS uses certificates to establish trust between two parties. You must install a suitable certificate on each server providing a service, and ensure that machines connecting to that server trust that certificate. There are the following options for signing certificates:

  • Self-signed certificates. These are not recommended. These are difficult to manage as you must manually copy this certificate to any other machine that must trust that certificate.
  • Enterprise certification authority. If you have existing PKI in place, then this is normally the simplest option signing certificate for use between internal devices.
  • Public certification authority. This requires that you prove ownership of the domain to the certificate authority. It has the advantage that unmanaged client devices are normally pre-configured to trust certificates from major public certification authorities.

Create a new certificate

Follow your organization’s policies and procedures for creating certificates.

Create certificate using Microsoft Certificate Authority

If the Microsoft Certificate Authority is integrated into an Active Directory domain or into the trusted forest the Delivery Controllers are joined to, you can acquire a certificate from the Certificates MMC snap-in Certificate Enrollment wizard. The Microsoft Certificate Authority needs to have a certificate template published suitable for use by web servers.

The root certificate is automatically deployed to other machine on the domain using group policy. Therefore all other machines on the domain trust certificates created using the Microsoft Certificate Authority. If you have machines not on the domain then you need to export the Root Certification Authority Certificate and import it into those machines.

  1. On the server, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

  2. Expand Personal > Certificates, then use the All Tasks > Request New Certificate context menu command.

    MMC Certificates snap-in

  3. Click Next to begin, and Next to confirm that you are acquiring the certificate from Active Directory enrollment.

  4. Select a suitable template such as Web Server Exportable. If the template has been set up to automatically provide the values for Subject you can click Enroll without providing more details. Otherwise click on More information is required to enroll for this certificate. Click here to configure settings.

    Request certificates dialog

  5. To provide more details for the certificate template, click the Details arrow button and configure the following:

    Subject name: select Common Name and add the FQDN of the server.

    Alternative name: select DNS and add the FQDN of the server.

    Certificate properties

  6. Press OK.

  7. Press Enroll to create the certificate. It is displayed in the list of certificates.

    Screenshot of personal certificates

Create a certificate request using IIS

If IIS is installed on the server then complete the following steps:

  1. Open Internet Information Service (IIS) Manager
  2. Select the server node in the Connections list.
  3. Open Server Certificates. Screenshot indicating where to find "Server Certificates"
  4. From the Actions pane, select Create Certificate Request…. Screenshot of actions menu with "create certificate request" highlighted
  5. Enter the Distinguished name properties. Screenshot of Distinguished name properties screen
  6. On the Cryptographic Service Provider Properties screen, leave the Cryptographic service provider as the default. Select a key size of 2048 or higher. Screenshot of Cryptographic Service Provider Properties screen
  7. Choose a file name and press Finish. Screenshot of File name screen
  8. Upload your CSR to your certificate authority.
  9. Once you have received the certificate, from the Actions pane, select Complete Certificate Request…. Screenshot of actions menu with "Complete Certificate Request" highlighted
  10. Select the certificate, provide a Friendly name and press OK. Screenshot of Complete Certificate Response window

There is no way to set the subject alternative name. Therefore the certificate is limited to the server specified using the common name.

Create a certificate signing request from certificates snap-in

From within the Certificates mmc snap-in you can create a certificate signing request. This generates a file that you can send to a certificate authority who will provide the certificate. You must then import the certificate to combine it with the local private key.

  1. On the server, open the MMC console and add the Certificates snap-in. When prompted select Computer account.

  2. Expand Personal > Certificates
  3. Select All Tasks > Advanced Operations > Create Custom Request.
  4. On Before You Begin, select Next.
  5. On the Select Certificate Enrollment Policy screen, select a suitable existing policy, or Proceed without enrollment policy.
  6. On the Custom request screen, if using an enrolment policy, choose an appropriate template, if available, such as Web Server Exportable.
  7. On the Certificate Information screen, expand Details and select Properties.
  8. In the Certificate Properties window, on the General tab, enter a suitable friendly name.

  9. On the Subject tab:

    1. Under Subject name, select Common name and enter the FQDN of the server. You can enter a wildcard. Select Add.
    2. Under Subject name, add appropriate values for Organization, Organizational Unit, Locality, State, Country.
    3. Under Alternative name, select DNS. Add the server FQDN. You may add multiple server FQDNs or a wildcard FQDN.

  10. On the Extensions tab:

    • Under Key usage add Digital signature and Key encipherment.
    • Under Extended Key Usage (application policies), add Server Authentication and Client Authentication.

  11. On the Private Key tab.

    • Under Select cryptographic Service Provider (CSP) choose a suitable provider.
    • Under Key options, select a suitable key size. For RSA providers, at minimum use a key size of 2048. For greater security you may wish to choose 4096 but this will have a slight impact on performance.
    • Under Key options, select Make private key exportable.
  12. Select OK.
  13. Select Next.
  14. Select Browse and save your request.
  15. Select Finish.
  16. Upload your CSR to your certificate authority.
  17. Once you have received the certificate, import it on the same server so it is linked to the private key.

Create a new self-signed certificate

A self-signed certificate is created during installation of a delivery controller and web studio. You can generate a new self-signed certificate and use it to replace the existing one.

Using IIS manager

If IIS is installed on the server then you can perform the following steps:

  1. Log on to the server as an administrator.

  2. Open the IIS Manager
  3. Open Server Certificates

  4. In the Actions pane, select Create Self-Signed Certificate.

    Server certificates

  5. In Create Self-Signed Certificate, enter a name for the certificate and click OK. The self-signed certificate is then created.

    Create self-signed certificate

Using PowerShell

You can use PowerShell to create a self-signed certificate:

$certSubject = "CN=myddc.example.com" # The FQDN of the server.
$friendlyName = "Self-Signed-3"
$expireYears = 5

## Create new self-signed certificate under LocalMachine\My
$certificate = New-SelfSignedCertificate -Subject $certSubject -CertStoreLocation "Cert:\LocalMachine\My\" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -FriendlyName $friendlyName -NotAfter $([System.DateTime]::Now.AddYears($expireYears))

# Add to trusted root certificates
$rootCertStore = Get-Item "Cert:\LocalMachine\Root\"
$rootCertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$rootCertStore.Add($certificate)

Import existing certificate

You can import an existing certificate into the server using any of the following methods.

Certificate import wizard

  1. Double click the PFX file, or right click the file and select Install PFX. This opens the Certificate Import Wizard.

  2. For Store Location, select Local Machine.

    Screenshot of Certificate import wizard

  3. Enter the password if required.

    Screenshot of Certificate import wizard, private key protection step

  4. Select the Certificate Store. For server certificates, choose Personal. If this is a root certificate or self-signed certificate that you wish to trust from this machine then choose Trusted Root Certification Authorities.

    Screenshot of Certificate import wizard, certificate store step

Use the Manage Computer certificates console

  1. Open the Manage Computer Certificates console and navigate to the appropriate certificate store. For server certificates this is normally. Personal > Certificates. To trust a root or self-signed certificate, choose Trusted Root Certification Authorities > Certificates.

  2. Right click the certificate and select > All Tasks > Import….

    Manage Computer Certificates console

  3. Select Browse… and select the file.

  4. Enter the password if required.

Use PowerShell

To import a certificate, use the PowerShell cmdlet Import-PfxCertificate. For example, to import certificate certificate.pfx with password 123456 into the personal certificate store, run the following command:

Import-PfxCertificate -Password $(ConvertTo-SecureString -String "123456" -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My\ -FilePath .\Desktop\certificate.pfx

To import a trusted root certificate, set the CertStoreLocation to Cert:\LocalMachine\Root\.

Export certificate without private key

To export a certificate so that you can import it into other devices to trust the certificate, you should exclude the private key.

  1. Open the Manage Computer Certificates. Navigate to Personal > Certificates and select the certificate you wish to export.

  2. From the Action menu, select All Tasks then Export.

    Screenshot of certificate management with Export menu

  3. Choose No, do not export the private key, then press Next.

    Export certificate

  4. Select format DER encoded binary X.509 (.CER) (the default) and press Next.

  5. Enter a file name and press Next.

    Screenshot of Certificate Export Wizard, file name

  6. Select Finish.

    Screenshot of Certificate Export Wizard, successful export

Export certificate with private key

To export a certificate so that you can use it on other servers, you must include the private key.

  1. Open the Manage Computer Certificates. Navigate to Personal > Certificates and select the certificate you wish to export.

  2. From he Action menu, select All Tasks then Export.

    Screenshot of certificate management with Export menu

  3. Choose Yes, export the private key, then select Next.

    Export certificate

  4. On the Security tab, enter a password then select Next.

    Screenshot of Certificate Export Wizard, security step

  5. Enter a file name and select Next.

    Screenshot of Certificate Export Wizard, file name

  6. Select Finish.

    Screenshot of Certificate Export Wizard, successful export

Convert certificate to PEM format

By default, Windows exports certificates in PKCS#12 format as a .pfx file in that includes the private key. To use the certificate on a NetScaler Gateway or license server, you must extract the certificate and private keys into separate files in PEM format. You can do this using openssl.

To export the certificate in PEM format run:

openssl pkcs12 -in name.pfx -clcerts -nokeys -out name.cer

It will ask you for the existing password and a new passphrase

To export the key in PEM format run:

openssl pkcs12 -in name.pfx -nocerts -out name.key

Trusting certificates

  • If you use a certificate from a public certificate authority then devices are normally pre-configured with the root certificates.
  • If you use an enterprise certificate authority then you must deploy the root certificate into any devices that must trust that certificate. If using Active Directory Certification Services, the root certificates are also deployed to all machines on the domain using Group Policy. You must manually import the root certificate onto non-domain-joined machines such as your NetScaler gateways, or machines on other domains.
  • If you are using a self signed certificate then this must be manually installed onto any machine that needs to trust the certificate.

To export a self-signed or trusted root certificate from Windows, see export certificate without private key.

For Windows to trust the certificate, you must import the certificate into the Trusted Root Certification Authorities store. If using PowerShell, enter the store Cert:\LocalMachine\Root\.

For NetScaler to trust the certificate, first convert the certificate to PEM format, then Install the root certificate.

Manage certificates
March 21, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999-2025 Cloud Software Group, Inc. All rights reserved.