Creating multiyear certificates for use with Citrix

Creating multiyear certificates for use with Citrix

The architecture of a XenDesktop 7.x environment is based upon the use of internal certificates. For internal use, for example for the connection of the StoreFront Server with the Desktop Delivery Controller, one would prefer not be forced to use certificates that need to be changed every year. The standard setting of Microsoft CA for web server certificates is exactly one year. Additionally we will show that a Microsoft CA can be installed using PowerShell.
The Microsoft CA can be attached to every Windows server system via Windows rolls. Certificates can be very easily created with the CA that are valid for one year, for example. In accordance with new requirements almost all data paths in terminal server environments today are being encrypted. Thus even communication with the Citrix STA should occur with encryption. Currently the Microsoft CA offers certificates for two years as standard. It is possible however to create one's own template in order to generate longer multiyear certificates. Here we will describe how to achieve this. First the installation of Microsoft CA with PowerShell. A few settings must absolutely be confirmed. This configuration is good for the creation of a quick certificate. This can also be done in a test environment and thereafter the certificates can be imported into the production environment onto only those servers where they are needed. However no CA should be installed for the entire infrastructure of a company in such a manner. A CA for email encryption requires careful planning. The root certificate of the installation will be replicated automatically in Active Directory. It is thus available after some time on all domain members (server/client). It is recommended to keep the validity period of the root shorter, in the event of critical security problems.

add-WindowsFeature Web-Server -IncludeManagementTools
add-WindowsFeature AD-Certificate
add-windowsFeature RSAT-ADCS
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -KeyLength 2048 `
    -CACommonName UranRootCA `
    -DatabaseDirectory c:\CertDB -LogDirectory c:\CertLog  -Confirm:$false

As a result PowerShell provides the following output when the CA was successfully installed:
Certification authority will be installed with the following properties:

CAType:                             EnterpriseRootCA
CACommonName                        UranRootCA
CADistinguishedNameSuffix           DC=uran,DC=local
CADistinguishedName:                CN=UranRootCA,DC=uran,DC=local
IgnoreUnicode:                      False
OverwriteExistingKey:               False
OverwriteExistingCAinDS:            False
ValidityPeriod:                     Years
ValidityPeriodUnits:                10
CryptoProviderName:                 RSA#Microsoft Software Key Storage Provider
HashAlgorithmName:                  SHA256
KeyLength:                          2048
AllowAdministratorInteraction:      False
DatabaseDirectory:                  c:\CertDB
LogDirectory:                       c:\CertLog
OverwriteExistingDatabase:          False

Installation of Web Management

Web Management allows for the convenient generation of certificates via a website in a browser. The necessary PowerShell commands follow:

Add-WindowsFeature ADCS-Enroll-Web-Svc
Add-WindowsFeature ADCS-Web-Enrollment
Add-WindowsFeature ADCS-Enroll-Web-Svc
Success Restart Needed Exit Code      Feature Result                               
------- -------------- ---------      --------------                               
True    No             Success        {Certificate Enrollment Web Service}  
Enrollment Service will be installed with the following properties:
                    CAConfig:                       SURANDC.uran.local\UranRoot-CA
                    AuthenticationType:             Kerberos
                    ApplicationPoolIdentity:        True
                    RenewalOnly:                    False
                    AllowKeyBasedRenewal:           False
                    URL:                            https://surandc.uran.local/UranRoot-
Add-WindowsFeature ADCS-Web-Enrollment
The Certification Authority Web Enrollment role will be installed with the following properties:

CAConfig: SURANDC.uran.local\UranRoot-CA


The CA is now on the server itself and can be found at http://localhost/certsrv/ .

Create Certificae

Creation of a new template for certificates

Start MMC (mmc.exe) and attach the snap-in “Certificate Templates” via “File; Add/Remove Snap-in”. This template establishes the basis for the certificates that can be created with Microsoft CA. Duplicate the template “Web Server” (right mouse click) and rename it, for example “Webserver 10Years”, if you were to create a certificate that should function for 10 years. In the options under “General” one can choose for how long the certificate will be valid. The option “Renewal Period” establishes when the certificate attempts to renew itself with the CA. A renewal period that is too short leads to increased communication requests with the CA. In this case, we want to export the certificate from an external CA (in the test environment). Therefore this period chosen to be as long as possible. A terminal server farm that is internally secured with this certificate must be renewed after 5 years at the latest or receive a new certificate.


The template can be renamed via the “Change Name” function. In this example “Web Server-6y”. Upon a certificate request to a CA a private key is simultaneously generated for the certificate. This is linked with the requesting system and for security reasons cannot normally be exported. For certificates in another environment, for example for securing the communication between server farms, the private key is required. Therefore the possibility for an export must be configured in the template. This is possible in the options under “Request Handling” and “Allow Private Key to Be Exported”.


Inserting the new template into usable model templates

The new template is not immediately available, but rather needs to be allowed in the Certificate Authority MMC. To do so start an MMC and insert the snap-in “Certification Authority”. Under “Certificate Templates” now insert the newly created template via the function “New; Certificate Template to Issue”. VERY IMPORTANT: Some adjustments to the CA are still necessary in order for it to provide certificates for 20 years. By giving the following command is the CA authorized to do so.

certutil -setreg ca\validityperiodunits 20
net stop certsvc
net start certsvc

PowerShell Script to import certificates

It's of course nice when the certificates can be automatically imported with PowerShell. We have been using the automation solution “Uranos” ( for the automatic installation of XenApp 4.5 through XenDesktop 7.x environments for our customers for about 10 years. For this solution we've created the following script to import certificates. This script also automatically inserts the server certificate into the IIS. We use a universal certificate here (*.DOMAIN.LOCAL)


# Project  : "Uran" Unattended Remote Automation
# Author   : Andreas Nick 2015
# Function : Impert CERTIFICATES "CER" from the Store_Trust folder
$TrustFolder = "Z:\packages\Configurations\Certificates\Store_Trust"
$ComputerFolder = "Z:\packages\Configurations\Certificates\Store_Personal"
Function Import-Certificate {
                   SupportsShouldProcess = $True
    Param (
        [parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
        [Alias('PSComputername', '__Server', 'IPAddress')]
        [string[]]$Computername = $env:COMPUTERNAME,
        [parameter(Mandatory = $True)]
        [System.Security.Cryptography.X509Certificates.StoreName]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine'
    Begin {
        $CertificateObject = New-Object  System.Security.Cryptography.X509Certificates.X509Certificate2
    Process {
        ForEach ($Computer in $Computername) {
            Try {
                Write-Verbose  ("Connecting to {0}\{1}" -f "\\$($Computername)\$($StoreName)", $StoreLocation)
                $CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "\\$($Computername)\$($StoreName)", $StoreLocation
                If ($PSCmdlet.ShouldProcess("$($StoreName)\$($StoreLocation)", "Add  $Certificate")) {
            Catch {
                Write-Warning  "$($Computer): $_"
Write-Host "import Store $TrustFolder\"
foreach($Cert in (Get-ChildItem "$TrustFolder\*.cer" )){
    Write-Host "import $Cert"
    Import-Certificate -Certificate $Cert.FullName -StoreName Root -StoreLocation LocalMachine -Verbose
Write-Host "import Personal Wildcard"
certutil -f -importpfx -p "Uranos1234" "$ComputerFolder\UranLocal_Wildcard10y.pfx"
#Bind IIS
$cert = dir Cert:\LocalMachine\My | Where-Object { $_.subject -match 'CN=\*.uran.local' }
$strThumb = $cert.Thumbprint.ToString()
Write-Host "Trumbprint :" $strThumb
Write-Host "Bind on IIS, if installed"
$IIS = Get-service | Where-Object {$ -eq "W3SVC"}
if ($IIS) {
    Import-Module WebAdministration
    Push-Location IIS:\
    cd SslBindings
    New-webBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https -HostHeader $("$ENV:COMPUTERNAME"+'.uran.local').toLower()
    get-item cert:\LocalMachine\MY\$strThumb | new-item!443
    Write-Host "Restart W3SVC"
    restart-Service W3SVC



New App-V Funktions in Citrix XenDesktop 7.11
Shortcut Management with App-V for the Preparation...

Related Posts


Comments 1

Guest - zaicnupagadi on Tuesday, September 22 2020 09:54

Great article, thank you, helped me a lot. I was truggling with installing web enrollment services.

Great article, thank you, helped me a lot. I was truggling with installing web enrollment services.
Already Registered? Login Here
Thursday, March 30 2023

Captcha Image

@nickinformation Tweets

My german Blog:


We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.