Is it possible to create a self-signed certificate in Active Directory on the network and have it recognized by Citrix VDIs without importing the cert

Tim

I have written some (intranet) web applications for a small customer of mine (< 50 employees) who have now incorporated a cloud Citrix server into their network for remote access. They still have physical PCs as well. The cloud-based Citrix VDIs are peers on their on-premise network and can see the web server there.

Before the company got the Citrix cloud solution, I had been creating a self-signed SSL certificate (not backed by any CA) on the server hosting IIS and then asking the system administrator to import it into Trusted Certificate Authorities store on the physical PCs which were running Windows 10.

I'd like to know if the system administrator is able to create an SSL certificate from their Active Directory console on the network, which would be backed by a CA, so that it could be imported into IIS with the private key, and then bound to the website for https, with the Citrix VDIs simply recognizing the CA, via their tie-in to AD, and without the SSL certificate (sans private key) having to be imported into the Citrix VDIs.

Is there a way to eliminate that final step, which is required now when using the self-signed certificate? If this is possible, is there a how-to somewhere to which I could refer the system administrator, who is a novice promoted from within the company into a position for which they have not received any formal training?

Nikita Kipriyanov
The core idea of PKI is that for a certificate to be recognized you need to trust it, either explicitly by direct import (as you do with CA certificates and self-signed certificates) or implicitly by means of another, already trusted certificate (for which you import the CA's certificate). Also notice that you normally don't import a private key; ideally it should be generated and stored securely on the target system and never leave it. You generate the private key and the CSR, provide the latter to the CA, and the CA replies with a signed certificate which you import back.
Greg Askew
This is actually a good case for not using self-signed certificates. They are frowned upon in many other areas, resulting in situations such as this. Compliance is another area where surprises such as this would be discovered.
Tim
@NikitaKipriyanov The certificate-with-private-key never left the server on which it was generated. It was imported into IIS, and then the certificate was exported without the private key.
Tim
IIS has to be able to import a certificate (with private key) in order to bind the website to it for https support. It is my understanding that if the server is an intranet server and is not public facing, we cannot purchase a certificate for it from a place like DigiCert. Am I mistaken about that?
Nikita Kipriyanov
You don't need to have a publicly recognized certificate. Use AD Certificate Services to build your own CA to sign your internal certificates. You can distribute this CA root certificate (self-signed) throughout the domain using policies, so you don't need to provision it by hand to each computer; it is enough to join it to the domain. Any computer which is provisioned with the CA root certificate (a domain member, or one where the certificate is installed by hand) will trust your CA and, therefore, recognize all certificates signed with it. This is just the basic idea; read the MS documentation for further details.
Tim
@NikitaKipriyanov Thank you for confirming that that is possible. I am not the systems administrator, as I mentioned, but a software developer. I need to get the actual systems administrator (or better yet, the company's external support team) to do that in such a way that the certificate can be imported into IIS.
Nikita Kipriyanov
With AD CS, you don't need to do that by hand. It is well integrated. If you need to generate a certificate for a domain-joined IIS server, it is literally a few clicks and it's done. You mentioned Citrix, who offer different kinds of products, and into some of them you'll need to import manually.
Greg Askew
`It is my understanding that if the server is an intranet server and is not public facing, we cannot purchase a certificate for it from a place like DigiCert. Am I mistaken about that?` That is not accurate. You can purchase a certificate for any name that is public and registered to you. The physical location, internal/external, is irrelevant. For snowflake names like `servername.local`, some authorities may have private CAs. But as stated, the infrastructure to issue certificates is included with all platforms.
Tim
@GregAskew The issue is complicated here (for me) by the fact that Citrix cloud desktops are accessing the intranet web server as peers on the local LAN. Whatever is done has to be compatible with them. I am not in a position to generate those certs myself, but now that I know it is possible, I can advocate that the company get the outside network management team to do it.
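The workflow the comments describe (enrol the domain-joined IIS server against an AD CS enterprise CA, bind the site, and confirm that a domain member such as a Citrix VDI trusts it with nothing copied by hand), written out as an added PowerShell example that is not from any participant in the thread. The template name `WebServer`, the site name `Default Web Site` and the host name `intranet.corp.example` are placeholders to be replaced with the real values.

```powershell
# Added example, not code from the thread. Assumed names: template 'WebServer',
# site 'Default Web Site', host intranet.corp.example; adjust to the real environment.
$HostName = 'intranet.corp.example'
$SiteName = 'Default Web Site'

#region Steps 1-2: on the domain-joined IIS server (elevated PowerShell)
# Enrol against the enterprise CA via the PKI module. The key pair is generated in the
# machine store on this server; only the CSR travels to the CA, and the CA's signed
# certificate lands next to the private key, so nothing has to be imported by hand.
$req = Get-Certificate -Template 'WebServer' -DnsName $HostName `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrolment did not complete: $($req.Status)" }
$thumb = $req.Certificate.Thumbprint

# Bind the site to HTTPS with the freshly issued certificate (IISAdministration module).
Import-Module IISAdministration
New-IISSiteBinding -Name $SiteName -Protocol https `
                   -BindingInformation "*:443:$HostName" `
                   -CertificateThumbPrint $thumb `
                   -CertStoreLocation 'Cert:\LocalMachine\My'
#endregion

#region Steps 3-4: on a domain-joined client (physical PC or Citrix VDI)
# Pull the root that Group Policy distributes, then prove this machine trusts the site
# without any certificate having been copied to it.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    # Throws AuthenticationException if the chain is untrusted or the name mismatches,
    # i.e. the symptom the self-signed setup produced on machines without the import.
    $ssl.AuthenticateAsClient($HostName)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $leaf.Issuer }
    if ($root) { "Trusted: '$($leaf.Subject)' issued by enterprise CA '$($leaf.Issuer)'" }
    else       { "Chain built, but issuer '$($leaf.Issuer)' is not a root here (intermediate CA?)" }
    # Same verdict a browser would reach, as an independent check (SSL policy + host name).
    Test-Certificate -Cert $leaf -Policy SSL -DNSName $HostName
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Warning "This machine does not trust $HostName yet: $($_.Exception.Message)"
    Write-Warning "Check that the CA root reaches it via GPO (Cert:\LocalMachine\Root)."
}
finally { $ssl.Dispose(); $tcp.Dispose() }
#endregion
```

Enrolment with `Get-Certificate` requires that the IIS server's computer account has Enroll permission on the template; if the Citrix VDIs are not domain members, the client section will report the missing root rather than silently passing.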