How to Generate and Install an SSL Certificate on a StoreFront Server for HTTPS connections

Article ID: CTX200292

Description

This article explains how to generate and install an SSL certificate on a StoreFront server for HTTPS connections. If you have already generated an SSL certificate on one of the StoreFront servers in the StoreFront server group, you can just export the existing SSL certificate and import it on the other StoreFront servers. For detailed instructions to export and import an SSL certificate for StoreFront, refer to CTX206492 - How to Export and Install an SSL Certificate for StoreFront to Use HTTPS.

If the certificate is generated on NetScaler, make sure that you convert it to PFX before attempting to install it on the StoreFront server.


Instructions

Complete the following steps to generate a certificate signing request (CSR) for Microsoft IIS on a StoreFront server:

Note: The recommended key size is 2048 bits. All certificates that will expire after December 31, 2013 must have a 2048-bit key size.

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

  2. In the IIS Manager, select your server name.

  3. In the central pane, double-click the Server Certificates option located in the IIS section.

  4. To begin the process of requesting a new certificate, select the Create Certificate Request option from the Actions pane.

  5. The first screen of the wizard asks for details regarding the new site. All the fields must be entered. To fill in this form, consider the following:

    • Country/region (C): Use the two-letter code without punctuation for country, for example: US or CA.
    • State/province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
    • City/locality (L): The Locality field is the city or town name, for example: Berkeley.
    • Organization (O): If your company or department name contains an &, @, or any other symbol typed with the Shift key, you must spell out the symbol or omit it to enroll. For example, XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
    • Organizational unit (OU): This field is the name of the department or organization unit making the request.
    • Common name (CN): The Common name is the Host + Domain Name. It looks like “www.company.com”, or “*.company.com” for a wildcard certificate. The common name here must match the Base URL of your StoreFront server group. For example, if the Base URL is http(s)://storefrontserver.yourcompany.com, then the common name here should be storefrontserver.yourcompany.com. If you are planning to create a wildcard certificate, the common name can be *.yourcompany.com.

    Note: SSL certificates can only be used on web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will receive a warning if accessing a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different from “domain.com”.

  6. Click Next to continue.

  7. In the Cryptographic Service Provider Properties screen, retain the default option Microsoft RSA SChannel Cryptographic Provider and select a bit length of 2048.

  8. Click Next to continue.

  9. Type a file name to which you want to save the certificate request. Note: You will need the contents of this file in the next step, so make sure you know where to find it. To change the location where the CSR is saved, click the button with the three periods next to the file name.

  10. During certificate enrollment, you are asked to submit the file. Open the file you created from the previous steps and copy the contents. Then paste the contents into the window when requested in enrollment.
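
The same request can be produced without the wizard by using certreq.exe, which ships with Windows. The following is an added example, not part of the original Citrix article; the host name, subject fields and file paths are placeholders, and the Subject Alternative Name entry goes beyond the wizard fields above because current browsers match the host name against that extension rather than the Common Name.

```powershell
# Added example: scripted CSR generation, equivalent to IIS wizard steps 1-9.
# Run in an elevated PowerShell session on the StoreFront server.
# $Fqdn and the subject fields are placeholders; $Fqdn must equal the Base URL host.
$Fqdn    = 'storefrontserver.yourcompany.com'
$Subject = "CN=$Fqdn, OU=IT, O=XYZ Corporation, L=Berkeley, S=California, C=US"
$WorkDir = Join-Path $env:TEMP 'storefront-csr'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
Remove-Item $ReqPath -ErrorAction SilentlyContinue   # avoid an overwrite prompt

# Request policy file. The key pair is created in the machine store, so the
# private key never leaves this server unless the certificate is exported later.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review what will be submitted to the CA (labels as printed on English-locale systems).
certutil.exe -dump $ReqPath | Select-String 'Subject:', 'Public Key Length', 'DNS Name'
```

Exportable = TRUE is set only because the article describes exporting the certificate to the other servers in the server group; set it to FALSE when the key should stay on one server.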

Generate the Certificate

  1. Access the Web Enrollment address of the certification authority at https://<FQDN of the CA Server>/CertSrv and click Request Certificate.

  2. Click advanced certificate request.

  3. Select Submit a certificate request by using the base 64-encoded CMC or PKCS #10 file, or submit a renewal request by using the base 64-encoded PKCS #7 file.

  4. Open the request file in Notepad, select and copy the entire content.

  5. Paste the contents of the file request in the Saved Request text box.

  6. Select the Certificate Template: "Web Server" and click Submit.

  7. The certificate will be generated. Click Download Certificate and save the certificate in a folder.

  8. Check that the settings of the certificate are correct. In addition, check that the private key option is present in the certificate.

Installing Certificate 

Perform the following steps on the same StoreFront server on which you created the certificate.
  1. Double click on Server Certificates.

  2. Click Complete Certificate Request....

  3. Select the certificate file to import and enter a friendly name that helps you to track the certificate. Select Personal as the store location in IIS 8 and later.

    The certificate is now imported.

  4. Select the Sites\Default Web Site node, and click Bindings....

  5. Click Add.
    Note: Do not remove the http binding, especially when the same server is also a DDC.

  6. Select https as the type, select the SSL certificate from the drop-down list, and click OK.

  7. Now, you can create a StoreFront deployment on a secure service using https (SSL). Open the StoreFront console and click Server Group in the left pane. At this point, StoreFront is not yet using the SSL certificate.

  8. Click Change Base URL in the Actions pane.
  9. Change http: to https: and click OK.

  10. StoreFront is now using the SSL certificate.
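
To confirm the result of the steps above, the certificate bound to the https binding can be checked for the properties this article calls out: a present private key, a 2048-bit key, and a name that matches the Base URL. The following is an added example, not Citrix code; `$BaseUrlHost` is a placeholder and `Test-CertNameMatch` is a hypothetical helper defined in the block.

```powershell
# Added example: post-install check. Run elevated in Windows PowerShell on the StoreFront server.
# $BaseUrlHost is a placeholder for the host name in your StoreFront Base URL.
Import-Module WebAdministration
$BaseUrlHost = 'storefrontserver.yourcompany.com'

function Test-CertNameMatch {
    # True when $Pattern (exact name or single-label wildcard) covers $HostName.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if ($p.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        # "*.company.com" covers "sf.company.com" but not "company.com" or "a.b.company.com"
        return ($dot -gt 0) -and ($h.Substring($dot) -eq $p.Substring(1))
    }
    return $false
}

# Certificate actually bound to https on the site used in step 4.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No https binding found on Default Web Site.' }
$cert = Get-Item "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"

# Names the certificate is valid for: DNS names exposed by the Cert: provider plus the subject CN.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey      # False means the request was made on another server
    KeySizeOk     = ($rsa -and $rsa.KeySize -ge 2048)
    NotExpired    = ($cert.NotAfter -gt (Get-Date))
    NameMatches   = [bool]($names | Where-Object { Test-CertNameMatch $_ $BaseUrlHost })
    Names         = ($names | Select-Object -Unique) -join ', '
}
```

Any False value in the output points back to a specific step: HasPrivateKey to where the request was created, KeySizeOk to the bit length chosen in the wizard, and NameMatches to the Common name entered for the request.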

 

Issue/Introduction

This article describes how to generate and import certificates into StoreFront Server for SSL.