-
-
Cloud Connector Standalone Citrix Secure Ticketing Authority (STA) service
-
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Certificate management
Overview
HDX Direct connections are secured with network level encryption. To facilitate this, each session host has a unique self-signed root CA certificate and a corresponding server certificate, which is signed by the self-signed root CA certificate.
This solution provides the following advantages:
- Streamlined Security: HDX Direct connections are secured without the administrative overhead of managing certificates within the environment.
- Reduced Attack Surface: The attack surface is limited to a single host because each host has a unique set of keys and certificates.
- Enhanced Security for Non-Persistent Environments: In environments with non-persistent session hosts, security is further enhanced as new keys and certificates are generated upon restart.
Session host
The Citrix ClxMtp Service and the Citrix Certificate Manager Service are the two services responsible for managing certificates on each session host. The ClxMtp Service handles key generation and rotation, while the Certificate Manager Service generates and manages the certificates.
Two certificates are created: a self-signed root CA and a server certificate. Both are issued with a two-year validity period; however, they are replaced when keys are rotated. Additionally, new certificates are generated each time non-persistent machines restart.
Details for each certificate are as follows:
-
Self-signed Root CA
- Issued to: CA-Citrix-Certificate-Manager
- Issued by: CA-Citrix-Certificate-Manager
- Issuer details: The organization is Citrix Systems, Inc.
-
Server Certificate
- Issued to: <host FQDN> (For example, FTLW11-001.ctxlab.net)
- Issued by: CA-Citrix-Certificate-Manager
- Issuer details: The organization is Citrix Systems, Inc.
NOTE:
The Citrix Certificate Manager Service generates RSA certificates that leverage 2048-bit keys.
If there is an existing machine certificate created by the Citrix Certificate Manager Service and the subject name does not match the machine’s FQDN, a new certificate is generated.
Key rotation
The Citrix ClxMtp Service automatically rotates keys every six months. However, you can trigger a key rotation manually by increasing the rotation counter in the session host’s registry.
To rotate the keys, update the following value:
- Key: SOFTWARE\Citrix\ClxMtpConnectorSvcRotateKeyPairs
- Value type: DWORD
- Value name: ClxMtpRotateRequestCounter
- Data: integer (Decimal)
NOTE:
For first-time key rotation:
- Create the ClxMtpConnectorSvcRotateKeyPairs key.
- Create and set the ClxMtpRotateRequestCounter value to 1.
For subsequent key rotations, increase the ClxMtpRotateRequestCounter value by 1.
Once the value is updated, the Citrix ClxMtp Service will automatically rotate the keys without requiring a restart. The Citrix Certificate Manager Service will then generate new certificates automatically once it detects new keys.
Client device
The root CA certificate is sent to the client by Workspace or Storefront through the already established secure and trusted connection path. This eliminates the need to distribute CA certificates to the client devices’ certificate stores, and ensures that the client trusts the certificates used to secure the HDX Direct connection.
Using custom certificates
HDX Direct supports the use of certificates issued and managed by your own PKI. The following steps outline how to install your certificate, configure the necessary permissions, bind it to the session manager service, and enable the required TLS listeners.
- Proceed to step 2 if HDX Direct is disabled on the machine. If HDX Direct is enabled, follow the steps below:
- Open the registry editor (regedit.exe) and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd.
- Set the SSLEnabled value to 0.
- Navigate to HKLM\Software\Citrix\HDX-Direct.
- Set the HdxDirectCaInTls value to 0.
-
Install the appropriate certificate issued by your PKI on the machine’s certificate store.
- Grant the session manager service read access to the certificate’s private keys.
- Launch the Microsoft management console (MMC): Start > Run > mmc.exe.
- Navigate to File > Add/Remove Snap-in.
- Select Certificates, then click Add.
- Choose Computer account and click Next.
- Select Local computer and click Finish.
- Navigate to Certificates (Local Computer) > Personal > Certificates.
- Right click on the appropriate certificate and select All Tasks > Manage Private Keys.
- Add one of the following services and give it Read access:
- For Single Session VDA:
NT SERVICE\PorticaService - For Multi Session VDA:
NT SERVICE\TermService
- For Single Session VDA:
- Click Apply, then OK.
- Bind the certificate to the session manager service.
- Retrieve the certificate thumbprint (double click on the certificate > Details > Thumbprint).
- Open the registry editor (regedit.exe) and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\icawd.
- Edit the SSLThumbprint value and paste the certificate’s thumbprint.
- Enable the Citrix TLS listeners.
- In the same registry location, set the SSLEnabled value to 1.
- Enable HDX Direct (in Citrix policy).
The Citrix Virtual Apps and Desktops installation media includes a PowerShell script (Enable-VdaSSL.ps1) that automates several of these tasks:
- Setting permissions for the certificate’s keys
- Binding the certificate to the session manager service
- Enabling the Citrix TLS listeners
This script is located in the Support > Tools > SslSupport directory. For more details, see Configure TLS on a VDA using the PowerShell script.
NOTE:
The devices connecting to the session hosts need to have the correct root CA and intermediate CA certificates installed if you are using your own certificates.
Share
Share
In this article
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.