It is still not very easy for a newcomer or a Citrix administrator to complete this task when it is requested by architects / engineers… Most of the time everyone will end up with this CTX article: and I still don’t understand why no one made a simple GUI to make this easier to configure…

The script you’ll find below automates the following:

  1. Fetching the certificate hash (thumbprint) and formatting it
  2. Fetching the Citrix Broker Service GUID and formatting it
  3. Fetching the IP address of the Delivery Controller and appending the SSL port to it (:443)
  4. Running the netsh command to map the certificate to the Citrix Broker Service
  5. Showing the certificate binding to make sure everything is OK

Before beginning you need a certificate in PFX format; most likely your certificate will be for the Delivery Controller and will look like DeliveryControllerName.fqdn. The script targets a certificate that contains the hostname in the subject. If you already have several certificates installed, you can be more specific and give the full details of the certificate subject to target the right one.

# This script can be executed once the machine certificate has been installed.
# The certificate thumbprint will be found if the hostname is in the subject. This needs to be changed if your certificate binding is for a DNS alias, for example.
# 14 dec 2017 - STH
$HostName = $env:computername
# Fetching the registry key to get the Citrix Broker Service GUID
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$CBS_Guid = Get-ChildItem HKCR:\Installer\Products -Recurse -Ea 0 | Where-Object { $key = $_; $_.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ -like '*Citrix Broker Service*' } } | Select-Object -First 1 Name
$null = $CBS_Guid.Name -match "[A-F0-9]{32}$"
$GUID = $Matches[0]
# Formatting the string to look like a GUID with dashes ( - ). The key name is the Windows Installer
# "packed" product code: the first three groups are stored character-reversed, the last two byte-swapped.
$Reverse = { param([string]$s) -join $s.ToCharArray()[($s.Length - 1)..0] }
$SwapBytes = { param([string]$s) -join (($s -split '(..)' | Where-Object { $_ }) | ForEach-Object { & $Reverse $_ }) }
$GUIDf = '{0}-{1}-{2}-{3}-{4}' -f (& $Reverse $GUID.Substring(0, 8)), (& $Reverse $GUID.Substring(8, 4)), (& $Reverse $GUID.Substring(12, 4)), (& $SwapBytes $GUID.Substring(16, 4)), (& $SwapBytes $GUID.Substring(20, 12))
Write-Host -Object "Citrix Broker Service GUID for $HostName is: $GUIDf" -ForegroundColor "yellow"
# Closing the PSDrive
Remove-PSDrive -Name HKCR
# Getting the local IP address and adding the :443 port
$ipV4 = Test-Connection -ComputerName (hostname) -Count 1 | Select-Object -ExpandProperty IPV4Address
$ipV4ssl = "$($ipV4.IPAddressToString):443"
Write-Host -Object "The IP Address for $HostName is: $ipV4ssl" -ForegroundColor "green"
# Getting the certificate thumbprint
# The certificate is chosen when the hostname is found in the subject; change {$_.Subject -match "$HostName"} to match the right certificate.
# Only the first match is used: if several certificates match, make the filter more specific.
$Thumbprint = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match "$HostName" } | Select-Object -First 1 -ExpandProperty Thumbprint
Write-Host -Object "Certificate Thumbprint for $HostName is: $Thumbprint" -ForegroundColor "magenta"
# Preparing to execute the netsh command inside PowerShell
$SSLxml = "http add sslcert ipport=$ipV4ssl certhash=$Thumbprint appid={$GUIDf}"
$SSLxml | netsh
# Verifying the certificate binding on the Citrix XML service
netsh http show sslcert
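Step 5 only prints the bindings; the following added check (not part of the original script) parses the output of `netsh http show sslcert` and confirms that the binding for a given ipport carries exactly the thumbprint and appid you intended. `Test-CitrixXmlSslBinding`, its parameter names and the `$Sample` output are assumptions made here; the sample lets it run offline, and omitting `-NetshOutput` checks the live machine.

```powershell
# Added example (not from the original post): verify the HTTP.sys binding for an ipport.
# Function and parameter names are assumptions; the sample output below is constructed.
function Test-CitrixXmlSslBinding {
    param(
        [Parameter(Mandatory)][string]$IpPort,       # e.g. 10.0.0.5:443
        [Parameter(Mandatory)][string]$Thumbprint,   # 40 hex characters, no spaces
        [Parameter(Mandatory)][string]$AppId,        # {guid} of the Citrix Broker Service
        [string[]]$NetshOutput = (netsh http show sslcert)   # live output unless a sample is passed
    )
    # netsh prints one "IP:port : x.x.x.x:443" header per binding followed by "Key : Value" lines
    $bindings = @{}
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = $Matches[1]
            $bindings[$current] = @{}
        } elseif ($current -and $line -match '^\s*(.+?)\s*:\s*(\S.*)$') {
            $bindings[$current][$Matches[1]] = $Matches[2].Trim()
        }
    }
    $b = $bindings[$IpPort]
    # netsh shows the hash and appid in lower case; -eq is case-insensitive in PowerShell
    [pscustomobject]@{
        IpPort  = $IpPort
        Found   = [bool]$b
        HashOk  = [bool]$b -and ($b['Certificate Hash'] -eq $Thumbprint)
        AppIdOk = [bool]$b -and ($b['Application ID'] -eq $AppId)
    }
}

# Constructed sample of `netsh http show sslcert` output with placeholder values
$Sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 10.0.0.5:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-1111-2222-3333-444444444444}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
'@ -split "`r?`n"

# Found, HashOk and AppIdOk are all True here: the values differ from the sample only in case
Test-CitrixXmlSslBinding -IpPort '10.0.0.5:443' `
    -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
    -AppId '{00000000-1111-2222-3333-444444444444}' -NetshOutput $Sample
```

A binding that reports Found but not HashOk usually means an older certificate is still bound to that ipport and must be deleted with `netsh http delete sslcert` before the new one is added.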

The next step will be to build a GUI based on this script; I have to find the time (and skills) to do so 🙂

Thank you to Eric Laugier for some tips during my research.


  • Pavan Ayyagari

    Hi there Stephane.
    Many thanks for the article. Is this for binding an SSL certificate to the Citrix Broker Service?
    I mean for enabling HTTPS while configuring StoreFront for Delivery Controllers etc.?