Citrix Access Gateway 4.5.x Certificate Installation – Root and Intermediate CA’s
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1;Open Internet Information Services management on a test or a no prod server and create a new website.
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Type the description, keeping it obvious
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Select the default here as these are unimportant for a temporary / test website
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Point the new website to a folder that exists (can be anything but a blank folder would be optimal)
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Leave the default for access permissions
click finish and the website will be created
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Right click the new website under IIS Management and select properties > Security > Server Certificate – button
click next
next
next
type the name for the certificate here (i usually just make this the same as the sites common name to save confusion)
Enter the details below relevant to your organisation
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } It’s imperative that this name is PERFECT and matches the hostname of the access gateway. If the certificate and the hostname do not match, then your SSL connection will be denied.
enter the details relevant here to your organisation
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Break Point: At this point the web server places the request and website security into pending at which point no other certificate actions can be carried out until the CSR request is completed. Deleting this current request and creating another one would void the original request.
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
In the instances of this scenario verisign were utilised as the CA
@font-face { font-family: “Arial”;}@font-face { font-family: “Courier New”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Typically the reply will look something like this (example only)
—–BEGIN CERTIFICATE—–
NKAGCSqGSIb3DQEHAqCAMIACAQExABALBgkqhkiH9w0BBwGggDCCBrYwggWeoAMC
AQICEGy0w9nZUPAwIH+ssl/rGlMwDQYJKoZIhvcNAQEFBQAwgb4xCzAJBgNVBAYT
AlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24g
VHJ1c3QgTmV0d29yazE7MDkGA1UECxMyVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8v
kdTm8rI7sQOQ5c+XnPqGhmyT9BoZy14rt8f9+EUjbpfpZSdIbJkjls/yMYJj6p2B
—–END CERTIFICATE—–
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Open the website properties > Security> and click Server Certificate button
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Point IIS to the reply from verisign, save this reply as a .cer file, and be sure to not include any extra spaces, line breaks etc
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Next and Finish when the cert import is successful.
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } We need to export the entire certificate and its private key (.pfx file) ready for a conversion process to a format that the access gateway is expecting (.pem file) Properties of the web site > Security Tab > Server Certificate button
The next three screens show the export process – be sure to note the export location and password
Convert the PFX File to a PEM File
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }a:link, span.MsoHyperlink { color: blue; text-decoration: underline; }a:visited, span.MsoHyperlinkFollowed { color: purple; text-decoration: underline; }div.Section1 { page: Section1; }
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Download and install OPENSSL
Change to the install location of the openssl installation (c:program filesgnuwin32bin)
Run the following command to convert the PFX file to a PEM file
openssl pkcs12 -in %MYPFX%.pfx -out %MYEXPORT%.pem –nodes
example: openssl pkcs12 -in c:ssacag_verisign_certificate.pfx -out c:ssacag.pem –nodes
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }a:link, span.MsoHyperlink { color: blue; text-decoration: underline; }a:visited, span.MsoHyperlinkFollowed { color: purple; text-decoration: underline; }div.Section1 { page: Section1; } Open the Access Gateway management console (or install it from the default CAG admin page https://access-gateway-server:9001) Default User: Root, Default Pass: rootadmin. The admin console for different version of the gateways cannot be installed on the same PC unless siloed or isolated.
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Select Access Gateway Cluster > This Gateway > Administration > upload a .pem private key and signed certificate > BROWSE
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } Browse to the converted PEM file and input the password used when exporting the PFX cert (in step 26)
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; } The Root CA needs to be added to the device now for the certificate verification to work.
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Export the CA’s root certificate as a Base-64 X.509 (open certificates in the MMC snap in for the local computer, browse to “Trusted Root Certification Authorities”
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Rename the exported ROOT CA as chain.pem
Under Access Gateway management go to Manage Trusted Root Certificates > Manage > Manage & Upload Trusted Root Certificate – select the chain.pem
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Double click the personal > Certificates > ag.domain.com > double click > certification path >
@font-face { font-family: “Arial”;}@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
All certificates listed in the path need to be added to the chain.pem file
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Export all certs in the certificate Chain via steps 33, then cut and paste the data into chain.pem
Example
—–BEGIN CERTIFICATE—–Intermediate 1
DATA (cut and paste from exported Cert)
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–Intermediate 2
DATA (cut and paste from exported Cert)
—–END CERTIFICATE—–
—-BEGIN CERTIFICATE—–ROOT CA
DATA (cut and paste from exported Cert)
—–END CERTIFICATE—–
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
If it worked successfully a list of Trusted Issuers will be displayed on the CAG Trusted Root Cert Management
@font-face { font-family: “Verdana”;}p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 10pt; font-family: “Times New Roman”; }div.Section1 { page: Section1; }
Reboot the CAG, test the connection.
