Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2009-05-19 13:01:15.0
TN 7807 - Installing the Entrust SSL certificate on a Citrix Secure Gateway
Citrix Secure Gateway on Windows
Server Certificate Installation
If the Citrix Secure Gateway is on Windows, use the IIS certificate installation instructions to install the server certificate.
Run the Secure Gateway Service Configuration tool and select the new certificate. This updates the httpd.conf file with the thumbprint of the new certificate.
The appropriate root certificate must be present on the server running the Secure Gateway. Follow these steps to install the root certificate:
1. Copy the Entrust.net Certification Authority (2048) root certificate to the server running the Secure Gateway. Ensure it is named with a .cer extension. You can download the certificate here.
2. Double-click the file saved in Step 1 to install the certificate.
3. Select Open.
4. Select Install Certificate and use the Certificate Import Wizard to automatically install the certificate to the default store.
Installing the Chain Certificate
Use the IIS certificate installation instructions to install the chain certificate.
Citrix Secure Gateway SSL Installation Instructions
Key Pair and Certificate Signing Request (CSR) Generation
1. Create the key pair by running the command ctxcertreq. You are prompted for the following information:
- The distinguished name of the subject requesting the certificate (the Secure Gateway server).
- A database password to be used to encrypt the private key.
- A number of random keystrokes used to generate the key pair.
2. To generate the Certificate Signing Request, log on as the root user at the Secure Gateway server. At the command prompt, enter the following command:
ctxcertreq <identifier> [ -filename <filename> ] [ -clone <clone-identifier> ]
where:
<identifier> is a unique label for the certificate request used by the Secure Gateway and is not included in the certificate request file sent to Entrust.
<filename> specifies the name of the certificate request file created. The default filename is <identifier>.req in the current directory.
-clone renews a certificate that is due to expire, where <clone-identifier> is the identifier of the existing server certificate.
3. At the prompt, type the distinguished name parameters. If you are generating a certificate renewal request, press Enter to accept the default distinguished name.
4. At the prompt, type the database password used to encrypt the private key.
5. Confirm the database password.
6. At the prompt, start typing until ctxcertreq tells you to stop. It does not matter what you type: letters, numbers, symbols, punctuation marks, or control characters.
Server Certificate Installation
If the certificate request was generated using the ctxcertreq command
If you use ctxcertreq to generate a certificate request, ctxcertreq generates a private key and prompts you for a password to protect the file. When you receive the signed certificate, you need to install the certificate on the Secure Gateway server and match it to the private key and password.
If the certificate request was generated using ctxcertreq command, use the following instructions to install your certificate on the Secure Gateway.
1. Log on as the root user at the Secure Gateway server.
2. Save the server certificate supplied by Entrust to /tmp/certs/citrix.pem.
3. At the command prompt, type the following command:
ctxcertmgr -response /tmp/certs/citrix.pem [ -dbpassword <password> ]
where:
-response specifies the certificate response to a certificate request generated using ctxcertreq.
-dbpassword specifies the password used to protect the certificate on the Secure Gateway server.
If the password entered is valid, the newly signed server certificate is imported into the Secure Gateway certificate store as /var/CTXSssl/certs/citrix.pem.
If the certificate request was not generated using the ctxcertreq command
If you generated the certificate request using a tool other than ctxcertreq, use the ctxcertmgr command with the -import option to install your certificate on the Secure Gateway.
ctxcertmgr -import identifier -filename filename [ -format format ] [ -keyfilename key-filename ] [ -dbpassword db-password ] [ -filepassword [ file-password ] ]
Using Intermediate Certificates with Citrix Secure Gateway
An intermediate certificate is a CA certificate that sits between the server certificate and the root in the certificate hierarchy; the certificate chain is the path from the server certificate through each intermediate certificate up to the root.
If the chain for your certificate contains several intermediate certificates, you might have problems using ctxcertmgr to import them. ctxcertmgr stores intermediate certificates as separate files, whereas Citrix Secure Gateway requires all intermediate certificates to be in a single file.
The workaround to this problem is to import the intermediate certificates in the normal manner, for example:
- ctxcertmgr -root -import intermediate1 -filename intermediate1.crt
- ctxcertmgr -root -import intermediate2 -filename intermediate2.crt
When the import is complete, you can concatenate the files into a single file. For example:
- cd /var/CTXSssl/cacerts
- cat intermediate1.pem intermediate2.pem > ../all_intermediates.pem
Finally, modify the value of the IntermediateCerts parameter in the /etc/ctxsecgwy.conf configuration file.
IntermediateCerts=/var/CTXSssl/all_intermediates.pem
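The workaround above ends with a hand-built bundle and a hand-edited configuration line, so it is worth checking both before restarting the gateway: a truncated PEM block or a mistyped path silently leaves clients with an incomplete chain. The script below is an added example and is not part of this Entrust article or of the Citrix tools; it assumes the PEM files and the IntermediateCerts= line look exactly as shown above and does not call ctxcertmgr. The placeholder certificate bodies used when exercising it are constructed, not real certificates.

```shell
#!/bin/sh
# Added example (not Entrust or Citrix code): build the single intermediate
# bundle described above and sanity-check it and the ctxsecgwy.conf entry.
# Assumed: input files are PEM as written by ctxcertmgr under
# /var/CTXSssl/cacerts, and the config uses a plain "IntermediateCerts=<path>" line.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# check_pem FILE: succeed only if FILE holds at least one certificate block
# and every BEGIN line has a matching END line (no truncated certificate).
check_pem() {
    [ -r "$1" ] || return 1
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$b" -ge 1 ] && [ "$b" -eq "$e" ]
}

# build_bundle OUT IN...: concatenate the intermediates into OUT, in the order
# given (the same order as the cat command above), refusing any input that is
# not clean PEM. Writes to a temp file first so a failure leaves no half bundle.
# Prints the number of certificates written.
build_bundle() {
    out=$1; shift
    : > "$out.tmp"
    for f in "$@"; do
        if ! check_pem "$f"; then
            echo "refusing $f: not a well-formed PEM certificate file" >&2
            rm -f "$out.tmp"
            return 1
        fi
        cat "$f" >> "$out.tmp"
        # make sure the next BEGIN line starts on its own line even if this
        # file has no trailing newline; otherwise grep and the gateway miss it
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out.tmp"
    done
    mv "$out.tmp" "$out"
    count_certs "$out"
}

# check_conf CONF: succeed if the IntermediateCerts parameter in CONF points
# at an existing, well-formed bundle.
check_conf() {
    path=$(sed -n 's/^IntermediateCerts=//p' "$1" | tail -n1)
    [ -n "$path" ] && check_pem "$path"
}
```

A typical run on the gateway is `build_bundle /var/CTXSssl/all_intermediates.pem /var/CTXSssl/cacerts/intermediate1.pem /var/CTXSssl/cacerts/intermediate2.pem` followed by `check_conf /etc/ctxsecgwy.conf`; the printed count should equal the number of intermediate certificates in your chain.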
Affected Products:
- Entrust Certificate Services 1 Year Advantage SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)