Ask a Question

Advanced Search

Alert ID : INFO1974

Last Modified : 04/22/2019

Managed PKI for SSL - Installation Instructions for Citrix Access Gateway 8.0


 This document provides installation instructions for Citrix Secure Gateway 8. If you are unable to use these instructions for your server, Symantec recommends that you contact Citrix.

Step 1: Obtain the SSL Certificate

  1. Once your Managed PKI for SSL administrator has approved your certificate request, you will receive an email with
    a certificate download link, also attached (cert.cer), as well as in the body of the email itself.
  2. If copying the certificate imbedded in the body of the email, paste it into a text file using Vi or Notepad.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters.
    Confirm that there are no extra lines or spaces in the file.

    The text file should look like:

              [encoded data]
    -----END CERTIFICATE-----

    NOTE: Click here to download the certificate from your Managed PKI for SSL subscriber services page.
    Please select X.509 as a certificate format and copy only the End Entity Certificate.
  3. Save the certificate as agee.cer

Step 2: Install the SSL Certificate

  1. Using WinSCP or any other secure FTP client, connect to the Access Gateway and log on as nsroot.
  2. Upload the agee.cer file to the /nsconfig/ssl directory.
  3. In the GUI configuration manager, go to SSL > Certificates and click Add.
  4. In the Certificate-Key Pair Name field, type a descriptive name for this certificate entity, for example:
  5. For File Location select the Remote System radio button.
  6. For Certificate Filename, click Browse and locate the agee.cer file you obtained in Step 1.
  7. For the Key Filename browse to the corresponding Private Key and enter the PEM passphrase.
  8. Keep PEM selected as the format.
  9. Click Install and then Close.
  10. After a few seconds, the certificate entity should appear in the background. Click Close. Your certificate can now be used.

Step 3:  Download the Root and Intermediate CA certificate

         NOTE: Ensure that the approriate Root and Intermediate CA certificates are downloaded for your SSL product type.
         To check which certificate has been purchased, follow the steps from this link.

  1. Download the Root CA certificate for your SSL product under the Managed PKI for SSL section.
  2. Select the appropriate Intermediate CA certificate for your SSL certificate type.
  3. Open a Notepad and paste the Intermediate CA and the Root CA in the following order:
    The Intermediate CA on the top, followed by the Root CA at the bottom.

    [Intermediate CA]
    -----END CERTIFICATE-----
    [Root CA]
    -----END CERTIFICATE-----
  4. Ensure that any additional characters or line breaks have been added.
  5. Save ther file as myintermediate.crt

Step 4. Install the Root and the Intermediate CA certificates

  1. Using WinSCP transfer the intermediate certificate to the /nsconfig/ssl directory
  2. Log in to the Configuration utility of the appliance.
  3. Expand the SSL node.
  4. Click Certificates.
  5. On the Certificates page, click Add.
  6. Specify the appropriate values in the various fields of the Install Certificate dialog box. The following screenshot displays the sample values for your reference:

  7. Click Install.
  8. On the Certificates page, select the server certificate to which you want to link the intermediate certificate.
  9. Click Link.

  10. From the CA Certificate Name list, select the required intermediate certificate, as shown in the following screenshot:

  11. Verify the certificate installation using the DigiCert Checker

Citrix Support

          This solution is referenced from the Citrix Support