StoreFront SSL

How to configure SSL in Citrix StoreFront 3.

Make sure to catch up this series' previous posts first!


The optimal StoreFront configuration uses HTTPS to secure the communication between the clients and the StoreFront infrastructure. In this lab we will see how to install an internally trusted certificate on our StoreFront servers. StoreFront websites accessed by external clients should use certificates issued by a publicly trusted Certificate Authority (CA) such as Verisign, GoDaddy, etc.

StoreFront SSL

Requirements

  • StoreFront website must be up and running over HTTP
  • Joined to the domain
  • Certificate Authority configured and Root CA certificate must be trusted on all servers and clients
  • Web enrollment must be available

Lab Configuration

StoreFront SSL Configuration

There are multiple methods available to generate a certificate (IIS domain certificate creation, IIS certificate request, Certificate Web Enrollment, etc.).

In this lab, we will create the certificate using the Certificate Web Enrollment website.

Create template

The default Web Server template does not allow the certificate's private key to be exported, which is needed for this lab.

Original procedure on Technet.

Connect to the Enterprise issuing CA (DC.citrixguru.lab) and open the Certification Authority console. Expand the certification authority so that you can see Certificate Templates.

Right-click Certificate Templates and then click Manage. If you don't see these options, run certtmpl.msc to open the Certificate Templates console.

In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select 2003 and then click OK.

In the General tab, under Template display name, type Certificate SSL.

New template

On the Security tab you must ensure that the user account or group that you want to use for enrollment is selected and then select the Allow checkbox that corresponds to the Enroll permission.

Users permissions

Click Add.

Click Object Types, select Computers, and then click OK.

Enter the name of the computer hosting the CA Web Enrollment pages. Click Check Names, and then click OK.

Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK.

Computer permissions


On the Subject Name tab, select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox. (Observation: for the template to appear in Certificate Web Enrollment, you must instead select Supply in the request rather than Build from this Active Directory information.)

Supply in the request

On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.

On Request Handling, check Allow private key to be exported.

Private key

Close the Certificate Templates console and return to the Certification Authority console. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

Certificate Template to Issue

In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.

Enable Certificate Templates

Certificate SSL is now available on the web enrollment.

Web enrollment

Generate Certificate


Navigate to the Certificate Web Enrollment website available in your domain. In our lab the website is available at the following address:

https://dc.citrixguru.lab/certServ 

Select Request a certificate.

Request new certificate

Select Create and Submit a request to this CA.

Select Create and Submit a request to this CA

Select Advanced certificate request.

Select Advanced certificate request

Select the SSL certificate template created previously (Certificate SSL) and fill in the form.

Request

  • CSP: Microsoft RSA Provider
  • Key Size: 2048
  • Mark keys as exportable

Select SHA1 as the hash algorithm and storefront.citrixguru.lab as the Friendly Name. (Current browsers reject SHA-1 signed certificates; pick SHA256 when the CA offers it.)

Friendly Name

Select Submit and then Install the certificate.

Certificate is installed on your local machine

The next step is to export the certificate.

Export Certificate

On the computer used to generate the certificate, open mmc.exe and add the Certificates snap-in for My user account.

Navigate to Personal, and select the storefront certificate.

storefront certificate

Select Details.

Certificate details

Select Copy to File to start the Certificate Export Wizard.


Select Yes, export the private key.

Export Private key
PFX Format

Enter a password to protect the private key.

Password to protect the private key

Save the file on the DC: \\DC\C$\Storefront.pfx.

certificate filename

You can now remove the certificate from the MMC console on the client.

Import Certificate to StoreFront servers

Connect to one of the StoreFront servers, open mmc.exe and add the Certificates snap-in for the computer account.

Navigate to Personal, right click and select All Tasks and Import.

Select the certificate previously exported: storefront.pfx

Import Certificate 1

Enter the password for the private key.

Import Certificate 2

Place the certificate in the Personal store.

Import Certificate 3
Import Certificate 4

The certificate is now available on the StoreFront server in the Personal store.

Import Certificate 5

Ensure that the certificate is trusted (the chain builds to the Root CA) and that the private key is present ("You have a private key that corresponds to this certificate").

Validate certificate import

Repeat the operation on all StoreFront servers part of the StoreFront deployment.

Bind SSL certificate in IIS

Open Internet Information Services (IIS) Manager.

Bind SSL certificate in IIS

Right-click the Default Web Site and select Site Bindings.

Add an https binding on port 443 and select the certificate previously imported.

New binding

Remove the previous port 80 binding so that only the HTTPS binding remains in the configuration.

Remove Http binding

Repeat the operation on all StoreFront servers part of the StoreFront deployment.
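The import, validation and IIS binding steps above, as an added PowerShell example that is not part of the original post: it imports the PFX into the computer's Personal store, checks that the private key is present, that the chain is trusted and that the name matches, then replaces the HTTP binding with an HTTPS binding on port 443. It assumes the post's \\DC\C$\Storefront.pfx path, the site name "Default Web Site" and the DNS name storefront.citrixguru.lab; run it as an administrator on each StoreFront server.

```powershell
# Added example (not the post's own code). Assumptions: PFX path, site name and
# DNS name below are taken from this lab; adjust them for your deployment.
Import-Module PKI
Import-Module WebAdministration

$PfxPath  = '\\DC\C$\Storefront.pfx'
$SiteName = 'Default Web Site'
$DnsName  = 'storefront.citrixguru.lab'
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into LocalMachine\My. No -Exportable: the key stays non-exportable on
# the web servers, so a compromised server cannot hand the key onward.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# Validation: private key present, chain builds to a trusted root, name matches.
if (-not $cert.HasPrivateKey) { throw 'Certificate imported without its private key.' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA without CRL; enable in production
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain is not trusted: $status"
}

$names = $cert.DnsNameList | ForEach-Object { $_.Unicode }
if ($names -notcontains $DnsName) {
    throw "Certificate does not cover $DnsName (names: $($names -join ', '))"
}

# Bind HTTPS on 443 with the imported certificate, then drop the HTTP binding
# so that only the TLS binding remains, as the post does in IIS Manager.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'my')
Remove-WebBinding -Name $SiteName -Protocol http -Port 80

# Show the resulting bindings: one https entry carrying the certificate hash.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation, certificateHash
```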

Reconfigure StoreFront

Connect to the primary StoreFront server, open Citrix StoreFront console and select Server Group.

Then select Change Base URL. The host name in the base URL must match the name on the certificate (here storefront.citrixguru.lab, which was also used as the friendly name).

Change base URL

Now we need to propagate this change to all servers. Select Propagate Changes in the Actions pane on the right.

StoreFront configured and propagated

Open StoreFront in HTTPS

Navigate to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.

No certificate warning should be displayed by the browser.

Navigate to SSL StoreFront

StoreFront is now configured to use SSL. In the next post, we will configure StoreFront load balancing using the internal NetScaler cluster we created in Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale).



1 COMMENT

  1. When you propagate the changes to the other servers in the server group, does that re-configure IIS on the other servers and import the SSL certificate, or do you need to import the SSL cert on each SF server in the server group?
