Install a TLS certificate on your server

The Citrix Hypervisor server comes installed with a default TLS certificate. However, to use HTTPS to secure communication between Citrix Hypervisor and Citrix Virtual Apps and Desktops, install a certificate provided by a trusted certificate authority.


This feature is supported only for Citrix Hypervisor 8.2 and later. If your Citrix Hypervisor server is an earlier version, XenCenter does not provide the option to install a new certificate on it.

This article contains information about how to use certificates in XenCenter. For information about working with certificates by using the xe CLI, see Hosts and resource pools.


Ensure that your TLS certificate and its private key meet the following requirements:

  • The certificate and key pair are an RSA key
  • The key matches the certificate
  • The key is provided in a separate file to the certificate
  • The certificate is provided in a separate file to any intermediate certificates
  • The key file must be one of the following types: .pem or .key
  • Any certificate files must be one of the following types: .pem, .cer, or .crt
  • The key is greater than or equal to 2,048 bits and less than or equal to 4,096 bits in length
  • The key is an unencrypted PKCS #8 key and does not have a passkey
  • The key and certificate are in base-64 encoded ‘PEM’ format
  • The certificate is valid and has not expired
  • The signature algorithm is SHA-2 (SHA256)

XenCenter warns you when the certificate and key you choose do not meet these requirements.

Install a certificate

You can use XenCenter to install a certificate that is on the XenCenter system into a Citrix Hypervisor server.

To install a certificate on a Citrix Hypervisor server, you must have the Pool Admin role and the Citrix Hypervisor server must not have HA enabled.

  1. Go to the Install Certificates dialog. You can get to this dialog in one of the following ways:

    • In the Server menu, select Install Certificates.
    • Right-click on the server in the resources pane and choose Install Certificates from the context menu.
    • In the General tab of the server, right-click on the Certificates section and choose Install Certificates from the context menu.
  2. In the Install Certificates dialog, browse to the location of the private key file and select it.
  3. Browse to the location of the server certificate file and select it.
  4. You can choose to add any number of intermediate certificates from the certificate chain.

    1. Click Add
    2. Browse to the location of one or more intermediate certificates and select them.
  5. Click Install.

    XenCenter validates and installs the certificates.

    • If there is a problem with a certificate, XenCenter shows an error message. Attempt to correct the problem and click Install again.
    • If the certificate is installed successfully, XenCenter shows a success message. You can now click Close to close the dialog.

When the certificate on a Citrix Hypervisor server is changed, the server closes any open connections. XenCenter expects this behavior and reopens the connection with the Citrix Hypervisor server. However, you might have to manually reopen any other connections that were previously open to the server - for example, from another API client or the remote xe CLI.

View certificate information

In the General tab for a Citrix Hypervisor server, a section called Certificates displays the following information for the server:

  • The certificate validity period. This text appears red when the certificate is approaching its expiry date.
  • The certificate thumbprint

Certificate alerts

When your certificates are nearing their expiry date, XenCenter shows alerts in the Alerts section of the Notifications tab. You can choose to open the Install Certificates dialog from the action menu of these alerts.

For more information about alerts, see XenCenter Alerts.

Install a TLS certificate on your server