A note on VDA certificates in 7.14


Russ HARGROVE

Question

Citrix installs a new "Citrix XenApp/XenDesktop HDX Service" certificate in the Personal store which breaks the automation of the Enable-VdaSSL.ps1 script for those of us who are using SSL everywhere. Previously the only certificate in this store was the one that was assigned via group policy to allow secure communication.

To fix the problem, I had to modify the task scheduler PowerShell script from the one mentioned in this article: https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/

Change from:

Enable-VdaSsl.ps1 -Enable -Confirm:$False

to:

Enable-VdaSSL.ps1 -Enable -CertificateThumbPrint (Get-ChildItem -path cert:\LocalMachine\My | Where-Object -FilterScript {$_.Subject -eq ""} | Select-Object -ExpandProperty Thumbprint) -Confirm:$False


5 answers to this question


Thank you for sharing this with us Russ.

 

Regards,

Harsaranjeet Kaur

On 1/21/2019 at 6:15 AM, Lars Kristensen1709152331 said:

What are you entering in between the "" ?

 

Since I only have one cert in the 'Personal' store, it just grabs that one... In your case you'll have to find a way to select the thumbprint for the cert you need, or to exclude the one you don't want so the correct one is chosen. I'm no PowerShell guru; it took me a few hours of trial and error to get the above command to work.


Since Carl still posts this link in his current guides and you might stumble upon this like I did, the "$_.Subject -eq" is the common name for the server, aka the FQDN used to connect to the host. You can find it by going into the details of the cert after you open it. I fixed a few things and added in a check for the expiration date just in case someone issues a new cert but doesn't remove the old one instead of renewing or replacing the old one. I'm currently using this for a wildcard cert and it's working fine now:

Enable-VdaSSL.ps1 -Enable -SSLMinVersion TLS_1.2 -CertificateThumbPrint ( Get-ChildItem cert:\LocalMachine\My | Where-Object {$_.Subject -like "CN=*.domain.com" -and $_.NotAfter -gt (get-date) } | Select-Object -ExpandProperty Thumbprint) -Confirm:$False

 

Put another wildcard before and after the CN name, "*CN=$env:computername.$env:userdnsdomain*", if it has multiple lines in the subject properties, or you can just use $_.FriendlyName to use the certificate name if that works better for you, or if you have multiple certs with that exact CN name.

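Pulling the points made in this thread together (select by subject, skip certificates that are expired or not yet valid, cope with a renewed certificate whose predecessor was never removed, and never pass more than one thumbprint to Enable-VdaSSL.ps1) into one script, as an added example that is not part of the thread or of Citrix's own tooling. The subject pattern, the exclusion pattern for the auto-installed HDX Service certificate, and the path to Enable-VdaSSL.ps1 are assumptions to adjust for your environment; the Enable-VdaSSL.ps1 parameters are the ones already used in this thread.

```powershell
# Added example (not from the thread or from Citrix): choose exactly one usable
# VDA certificate from the local machine Personal store before calling
# Enable-VdaSSL.ps1, and fail loudly instead of passing an empty or multi-valued
# thumbprint. Placeholder values below are assumptions; adjust them.

param(
    # Placeholder subject pattern, as used in the thread.
    [string]$SubjectPattern = 'CN=*.domain.com',
    # Assumption: the auto-installed certificate carries this text in its
    # Subject or FriendlyName; check with Get-ChildItem Cert:\LocalMachine\My.
    [string]$ExcludeSubjectPattern = '*Citrix XenApp/XenDesktop HDX Service*',
    # Placeholder path to Citrix's script.
    [string]$EnableVdaSslScript = 'C:\Path\To\Enable-VdaSSL.ps1'
)

function Select-VdaCertificate {
    param(
        [Parameter(Mandatory)] [string]$SubjectPattern,
        [string]$ExcludeSubjectPattern = ''
    )

    $now = Get-Date
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like $SubjectPattern -and
        $_.NotAfter -gt $now -and            # not expired (the check Jeff added)
        $_.NotBefore -le $now -and           # already valid
        $_.HasPrivateKey -and                # a cert without its key cannot serve TLS
        -not ($ExcludeSubjectPattern -and
              ($_.Subject -like $ExcludeSubjectPattern -or
               $_.FriendlyName -like $ExcludeSubjectPattern))
    }

    if (-not $candidates) {
        throw "No usable certificate in Cert:\LocalMachine\My matches '$SubjectPattern'."
    }

    # If several valid certs match (old one left behind after renewal), take the
    # one that expires last and name the others so an admin can clean them up.
    $sorted = @($candidates | Sort-Object NotAfter -Descending)
    if ($sorted.Count -gt 1) {
        $others = ($sorted | Select-Object -Skip 1 | ForEach-Object { $_.Thumbprint }) -join ', '
        Write-Warning ("{0} certificates match '{1}'; using the one expiring {2:u}. Others: {3}" -f
            $sorted.Count, $SubjectPattern, $sorted[0].NotAfter, $others)
    }
    return $sorted[0]
}

$cert = Select-VdaCertificate -SubjectPattern $SubjectPattern -ExcludeSubjectPattern $ExcludeSubjectPattern
Write-Output ("Selected '{0}' (thumbprint {1}, expires {2:u})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Hand a single thumbprint to Citrix's script, with the parameters used in this thread.
& $EnableVdaSslScript -Enable -SSLMinVersion TLS_1.2 -CertificateThumbPrint $cert.Thumbprint -Confirm:$False
```

Running the selection in its own function means the script stops with a clear error when no certificate qualifies, rather than calling Enable-VdaSSL.ps1 with a blank thumbprint, and the warning about extra matches gives you something to look for in the scheduled task's output when a renewal has left a stale certificate behind.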

Hi Jeff,

 

On 5/2/2023 at 12:33 PM, Jeffrey Guest said:

Enable-VdaSSL.ps1 -Enable -SSLMinVersion TLS_1.2 -CertificateThumbPrint ( Get-ChildItem cert:\LocalMachine\My | Where-Object {$_.Subject -like "CN=*.domain.com" -and $_.NotAfter -gt (get-date) } | Select-Object -ExpandProperty Thumbprint) -Confirm:$False

 

The script works great when executed manually. I'm seeing, though, that Task Scheduler/PowerShell.exe doesn't like -Confirm:$false being passed, which stops this from silently working as an on-boot script. Curious to see how you and others are automating this task to ensure the latest thumbprint is used without administrator intervention?
