How to configure SSL in Citrix StoreFront 3.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
The optimal StoreFront configuration uses HTTPS to secure communication between the clients and the StoreFront infrastructure. In this lab we will see how to install an internally trusted certificate on our StoreFront servers. StoreFront websites accessed by external clients should use certificates from externally trusted Certificate Authorities (CAs) such as Verisign, GoDaddy, etc.
StoreFront SSL
Requirements
- StoreFront website must be up and running over HTTP
- Joined to the domain
- Certificate Authority configured and Root CA certificate must be trusted on all servers and clients
- Web enrollment must be available
Lab Configuration
- Two servers with StoreFront installed (SF01/SF02).
  - SF02 is the primary StoreFront server
  - SF01 is the secondary StoreFront server
- DNS Record: storefront.citrixguru.lab pointing to SF02.
- No load balancing at this time
- Certificate Authority: citrixguru-CA (Standalone)
  - Procedure: https://mizitechinfo.wordpress.com/2013/08/29/step-by-step-deploying-a-standalone-root-ca-in-server-2012-r2-part-1
  - Installed on a dedicated server
  - Root CA is deployed by GPO on all servers and clients
- Certificate Issuing: citrixguru-IssuingCA (Enterprise Subordinate)
  - Procedure: https://mizitechinfo.wordpress.com/2013/08/31/step-by-step-deploying-an-enterprise-subordinate-ca-in-server-2012-r2-part-2
  - Installed on the domain controller (DC.citrixguru.lab)
  - Web Enrollment is installed: https://dc.citrixguru.lab/certServ.
StoreFront SSL Configuration
There are multiple methods available to generate a certificate (IIS domain certificate creation, IIS domain certificate request, Certificate Web Enrollment, etc.).
In this lab, we will create the certificate using the Certificate Web Enrollment website.
Create template
The default Web Server template does not let you export the Certificate Private key which is needed for this lab.
Original procedure on Technet.
Connect to the Enterprise issuing CA (DC.citrixguru.lab) and open the Certification Authority console. Expand the certification authority so that you can see Certificate Templates.
Right-click Certificate Templates and then click Manage. If you don’t see these options, then run the following command: certtmpl.msc to open the Certificate Templates console.
In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select 2003 and then click OK.
In the General tab, under Template display name, type Certificate SSL.

On the Security tab you must ensure that the user account or group that you want to use for enrollment is selected and then select the Allow checkbox that corresponds to the Enroll permission.

Click Add.
Click Object Types, select Computers, and then click OK.
Enter the name of the computer hosting the CA Web Enrollment pages. Click Check Names, and then click OK.
Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK.

On the Subject Name tab select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox. (Observation: for the certificate to appear in the Certificate Web Enrollment, you will need to choose Supply in the request instead of Build from this Active Directory information.)

On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.
On Request Handling, check Allow private key to be exported.

Close the Certificate Templates console and return to the Certification Authority console. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.

Certificate SSL is now available on the web enrollment.

Generate Certificate
Navigate to the Certificate Web Enrollment website available in your domain. In our lab the website is available at the following address:
https://dc.citrixguru.lab/certServ
Select Request a certificate.

Select Create and Submit a request to this CA.

Select Advanced certificate request.

Select the SSL certificate template created previously, and fill in the form.

CSP: Microsoft RSA Provider
Key Size: 2048
Mark keys as exportable.
Select SHA1 and enter storefront.citrixguru.lab as the Friendly Name.

Select Submit and then Install the certificate.

The next step is to export the certificate.
Export Certificate
On the computer used to generate the certificate, open mmc.exe and add the Certificates snap-in for the local user account.
Navigate to Personal, and select the storefront certificate.

Select Details.

Select Copy to File.

Select Yes, export the private key.


Enter a password to protect the private key.

Save the file on the DC: \\DC\C$\Storefront.pfx.

You can remove the certificate in the mmc console on the client.
Import Certificate to StoreFront servers
Connect to one of the StoreFront servers, open mmc.exe and add the Certificates snap-in for the computer account.
Navigate to Personal, right click and select All Tasks and Import.
Select the certificate previously exported: storefront.pfx

Enter the password for the private key.

Place the certificate in the Personal store.


The certificate is now available on the StoreFront server in the Personal store.

Ensure that the certificate is trusted and that the private key is present.

Repeat the operation on all StoreFront servers that are part of the StoreFront deployment.
Bind SSL certificate in IIS
Open Internet Information Services (IIS) Manager.

Right click on the default website and select Site Bindings.
Add an HTTPS binding on port 443 and select the certificate previously imported.

Remove the previous Port 80 binding to only have one binding in the configuration.

Repeat the operation on all StoreFront servers that are part of the StoreFront deployment.
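The import and binding steps above can also be scripted, which helps when they must be repeated on every server in the group. This is an added example, not part of the original post; it assumes StoreFront is hosted in the IIS site named "Default Web Site" and that the PFX is still at the path used earlier.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run on each StoreFront server (SF01, SF02).
Import-Module WebAdministration

$PfxPath  = '\\DC\C$\Storefront.pfx'   # PFX exported earlier in this lab
$SiteName = 'Default Web Site'         # assumption: StoreFront is hosted in the default IIS site

# Import into the computer account's Personal store (Cert:\LocalMachine\My).
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'The PFX did not contain a certificate with a private key.' }

# Same check as in the MMC console: the chain must build to a trusted root.
# X509Chain also checks revocation online by default, so an unreachable CRL is reported here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate $($cert.Thumbprint) is not trusted on this server: $reasons"
}

# Create the HTTPS binding if it is missing, then attach the certificate by thumbprint.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')   # throws if a certificate is already bound to port 443

# Remove the HTTP binding so the site answers on HTTPS only.
if (Get-WebBinding -Name $SiteName -Protocol http -Port 80) {
    Remove-WebBinding -Name $SiteName -Protocol http -Port 80
}

# Show the resulting bindings and the bound certificate hash.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation, certificateHash
```

Once every server in the group has imported the certificate, delete the PFX from the share, since it contains the private key.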
Reconfigure StoreFront
Connect to the primary StoreFront server, open Citrix StoreFront console and select Server Group.
Then select Change base URL. The name must be the same as the friendly name on the certificate.

Now we need to propagate this change to all servers. Select Propagate Changes on the right.

Open StoreFront in HTTPS
Navigate to https://storefront.citrixguru.lab/Citrix/CitrixGuruStoreWeb.
No warning message should be displayed.
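The same check can be made from a domain client without a browser, and against each server individually, since DNS points only at SF02 in this lab. This is an added example, not part of the original post; the function name Test-StoreFrontTls is hypothetical, and it assumes SF01 and SF02 resolve by short name from the client.

```powershell
# Added example, not from the original post. Connects to one server but validates the
# certificate for the base URL host name, the way a browser would.
function Test-StoreFrontTls {
    param([string]$Server, [string]$HostName, [int]$Port = 443)
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # Default validation: trusted chain and a subject name that matches $HostName.
            $ssl.AuthenticateAsClient($HostName)
        } catch [System.Security.Authentication.AuthenticationException] {
            return [pscustomobject]@{ Server = $Server; Trusted = $false; Thumbprint = $null
                                      Detail = $_.Exception.Message }
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server             = $Server
            Trusted            = $true
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            KeyBits            = $cert.PublicKey.Key.KeySize
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            Protocol           = $ssl.SslProtocol
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Check both lab servers against the base URL host name.
$results = 'SF01', 'SF02' | ForEach-Object {
    Test-StoreFrontTls -Server $_ -HostName 'storefront.citrixguru.lab'
}
$results | Format-List

# Every server in the group should present the same certificate.
$thumbprints = @($results | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($thumbprints.Count -ne 1) { Write-Warning 'StoreFront servers present different certificates.' }
```

A result with Trusted set to False means the client would show a certificate warning for that server; the Detail field carries the validation error.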

StoreFront is now configured to use SSL. In the next post, we will configure StoreFront load balancing using the internal NetScaler cluster we created in Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale).
When you propagate the changes to the other servers in the server group, does that re-configure IIS on the other servers and import the SSL certificate, or do you need to import the SSL cert on each SF server in the server group?