This article describes how to create and configure server certificates for SSL Relay.
SSL Relay can be used to secure communication between Web Interface and the XenApp XML server, as well as secure communications from the ICA Client to the server. Regardless of the scenario being used, unique server certificates must be created for each server using SSL Relay.
This article uses an internal domain Certificate Authority to create a certificate template and sign the requests from the XenApp servers.
Note: It is assumed you have a Certificate Authority in place.
To create a new certificate template, open the Certificate Authority snap-in from Administrative Tools. Right-click Certificate Templates and click Manage.
Right-click Web Server and click Duplicate Template.
A dialog box opens prompting you to choose between a Windows Server 2003 Enterprise and a Windows Server 2008 Enterprise template. For this template, select Windows Server 2003 Enterprise: this creates a version 2 template, which can be requested through the Web Enrollment pages used later in this article.
Name the new certificate template and extend the validity, if desired. In this case, the template is named SSL Relay and the validity is changed to 5 years.
Click the Request Handling tab and select the Allow private key to be exported option.
On the Security tab, ensure domain admins or the account you plan to use for enrollment have rights for enrollment.
Click OK to close the dialog box and close the certificate templates management window. To make the template available for issuing, return to the Certificate Authority snap-in, right-click Certificate Templates and select New > Certificate Template to Issue.
Select SSL Relay from the list.
Open Internet Explorer from the XenApp server and browse to the Certificate Authority using HTTPS. HTTPS is required for the certificate request.
https://mycertserver.domain.com/certsrv
Select Request a certificate.
Select advanced certificate request.
Select Create and submit a request to this CA.
Select SSL Relay from the template drop-down and enter the details in the form. The name must be the Fully Qualified Domain Name (FQDN) of the XenApp server.
Select the Mark key as exportable option, give the certificate a Friendly Name, and click Submit.
Open the Microsoft Management Console (mmc.exe). From the File menu, select Add/Remove Snap-in. Select Certificates and add both the current user and the computer certificate stores.
From the current user store, expand Personal > Certificates. Right-click the server certificate that was created in the preceding steps and select All Tasks > Export.
In the wizard, click Next on the first screen, select Yes, export the private key, and click Next. On the export file format screen, leave the defaults and click Next. Create a password for the private key and click Next. Choose a file name and save the certificate to any location on the local file system.
After the certificate has been exported, in the Certificates MMC expand the Computer store > Personal > Certificates.
Right-click Certificates and select All Tasks > Import. Browse to the saved location of the PFX file that was exported in the preceding step and import the certificate (Note: choose All Files in the file type selector, otherwise the PFX file is not listed). Enter the password created during the export and select the Mark this key as exportable option.
Click Next through the remaining screens and then click Finish.
Open the SSL Relay Configuration tool from the Start menu under Citrix > Administration Tools. Select Enable SSL Relay and ensure the appropriate certificate is selected from the drop-down list.
From the Connections tab, delete the entry that lists the server IP address. Ensure only the FQDN is remaining.
Ensure the XML Port is listed correctly. In this case, XML is using port 8080 and 1494 is used for ICA. Click OK and reboot the server. Now the server can be used for SSL Relay.
Repeat this process for any server in the farm that requires SSL Relay.
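As an added example (not part of the original article or of Citrix's tooling), the following PowerShell script automates the export-from-user-store / import-into-computer-store steps above for each server, and first verifies the two properties SSL Relay depends on: the certificate subject carries the server's FQDN and the key is exportable. It assumes the PKI module (Windows Server 2012 / PowerShell 3.0 or later); the friendly name, PFX path and password are placeholders for your own values.

```powershell
# Added example, not from the original article. Requires the PKI module
# (Export-PfxCertificate / Import-PfxCertificate); placeholders below are assumptions.
param(
    [string]$FriendlyName   = 'SSL Relay',                  # Friendly Name given at enrollment
    [string]$PfxPath        = "$env:TEMP\sslrelay.pfx",     # temporary export location
    [securestring]$Password = (Read-Host -AsSecureString 'PFX password')
)

# SSL Relay requires the certificate name to be the server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Locate the enrolled certificate in the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' and a private key was found." }

# Check the properties the procedure depends on before moving the certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, inherited from the Web Server template
$eku = ($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages
if ($cert.Subject -notmatch "CN=$([regex]::Escape($fqdn))(,|$)") {
    throw "Subject '$($cert.Subject)' does not contain CN=$fqdn; clients will fail the name check."
}
if (-not ($eku.Value -contains $serverAuthOid)) { throw 'Certificate lacks the Server Authentication EKU.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)." }

# Export with the private key (possible only because the template allows the key to be exported),
# then import into the computer store, marked exportable, so the SSL Relay Configuration tool can use it.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $Password -Exportable
Remove-Item $PfxPath -Force   # do not leave a password-protected copy of the private key on disk

# Confirm that the same certificate (by thumbprint) now exists in the computer store.
if ((Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)").Thumbprint -ne $imported.Thumbprint) {
    throw 'Import verification failed.'
}
"Imported $($cert.Subject) ($($cert.Thumbprint)) into LocalMachine\My; select it in the SSL Relay Configuration tool."
```

Run it once on each XenApp server after completing the web enrollment step; the SSL Relay Configuration tool then lists the imported certificate in its drop-down.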