Citrix Command Center: Using Active Directory internal Certificate Authority to generate SSL certifcates

The following are detailed steps on how to use IIS and Active Directory Certificate Authority to generate a PKCS#12 certificate for CCCs web console. Other options include using the NetScaler and OpenSSL.

Although, not a prerequisite of CCC, IIS is required to install the certificate. I guess any box running IIS can be used, but I have installed IIS on the actual CCC server.

Generate the Certificate Signing Request (CSR).

1.    On the command center server (WCCC01), launch IIS Manager.
2.    In the central pane, double-click Server Certificates.
3.    In the Actions pane, click Create Certificate Request…
4.    Complete the following and then click Next:

a.    Common name:

b.    Organisation:           Your Organisation

c.    Organisational unit: IT

d.    City/Locality:             Norwich

e.    State/Province:         Norfolk

f.     Country/region:        GB

5.    Select Microsoft RSA SChannel Cryptographic Provider
6.    Select a bit length of 2048 and click Next.
7.    Specify a file name. e.g. C:Masterwccc01.csr and click Finish

Generate the certificate.

8.    RDP to you domain controller with Certificate Services installed.
9.    Launch IE and navigate to https://localhost/certsrv.
10.Click Request a certificate.
11.Click advanced certificate request.
12.Click Submit a certificate request by using a base-64-encoded CMC…
13.Open the saved CSR generated on WCCC01 (\wccc01c$masterwccc01.csr) using notepad.
14.Copy the entire contents of the file to the clipboard (CTRL+A, CTRL+C)
15.Paste the contents of the clipboard in the “Base-64-encoded certificate request” text box.
16.Delete the trailing carriage return. (so the cursor is at the end of the last line, not on a new line).
17.Under “Certificate Template” select Web Server.
18.Click Submit >.
19.Select Base 64 encoded and click Download certificate.
20.Save the certificate file. (\wccc01c$masterwccc01.cer).

Install the certificate on IIS.

21.Return to WCCC01 and in IIS manager on the Actions pane, click Complete Certificate Request.
22.Under the “File name containing the certification authority’s response”, navigate to the certificate file (\wccc01c$masterwccc01.cer).
23.Enter a friendly name. e.g. Citrix Command Center and click OK.

Export the certificate into PKCS#12 format.

24.Click Start àRun and type “mmc” and click OK.
25.Click Fileà Add/Remove Snap-in…
26.Under “Available snap-ins:” select Certificates, click Add and OK.
27.SelectComputer account and click Next.
28.Leave selection as “Local computer” and click Finish.
29.In the “Add or Remove Snap-ins” dialogue, click OK.
30.Expand Certificates (Local Computer) àPersonal à Certificates.
31.In the central pane, right-click and select All Tasks à Export…
32.Click Next.
33.Select “Yes, export the private key” and click Next.
34.Confirm “Personal Information Exchange –PKCS #12 (.PFX)is selected and click Next.
35.Enter a password, confirm it and click Next.
36.Specify a name for the export file. E.g. C:Masterwccc01.pfx and click Next.
37.Click Finish.
38.Click Okto the success message.

Install the certificate into CCC.

39.Log in to the CCC web console. (
40.Click Administration.
41.In the central pane, under Tools, click Install Certificate
42.Browse to the exported certificate (C:Masterlvvsccc01.pfx)
43.Enter the password set in the previous step (35) and click OK.
44.You should receive a “The certificates have been installed successfully” message. Click OK.
45.Restart the server.
46.Test by opening a new IE session and browsing to The certificate warning message should no longer be present.

Citrix Reference:

Please feel free to leave a comment...