Solution ID : SO14891

Install an SSL Web Server Certificate in Citrix Secure Gateway 1.12 / 2.0 for Solaris

Problem

Install certificate in Citrix Secure Gateway 1.12
Install certificate in Citrix
Install certificate
Enable SSL on Citrix

Solution

To install an SSL Web Server certificate on Citrix 1.12/2.0 for Solaris, perform the following steps:

Download the Thawte Intermediate CA for SSL Web Server certificates: AR1384

Copy the text over to a text editor (such as Notepad) and save as intermediate.crt

You can install a server certificate on the Secure Gateway server using the ctxcertmgr command. You install a certificate from the response file that you receive from the CA. Server certificates are installed in the /var/CTXSssl/certs directory.

How you install a certificate depends upon whether you used ctxcertreq to generate the certificate request or not.

If the Certificate Request Is Generated Using ctxcertreq

If you use ctxcertreq to generate a certificate request, ctxcertreq generates a private key and prompts you for a password to protect the file. When you receive the signed certificate from the CA, you need to install the certificate on the Secure Gateway server and match it to the private key and password.

To do this, you use ctxcertmgr to install the certificate and include the -response option. The -response option indicates that the certificate is a response to a certificate request generated using ctxcertreq. A new certificate is created and stored on the Secure Gateway server.

To install a server certificate requested using ctxcertreq

1. Log on as the root user at the Secure Gateway server.

2. At the command prompt, type:

      ctxcertmgr -response filename [ -dbpassword db-password ]

   where filename specifies the certificate file supplied by the CA.

The following table describes the options:

Option         Usage

-response      Specifies the certificate is a response to a certificate request generated using ctxcertreq.

-dbpassword    Specifies the password used to protect the certificate on the Secure Gateway server. This is the database password you supplied when you ran ctxcertreq. If you include the -dbpassword option, you must use the db-password parameter to specify the new password, which should be a maximum of 255 characters in length. Note that this option is used only if you are including commands in a shell script; otherwise you are prompted for the password. Using -dbpassword displays the password on the terminal and enters it into the user's command line history.

Example: Installing the certificate

Using ctxcertreq, a new certificate request file is generated with the identifier "citrix". A private key is also generated and the password "secret" specified to protect the file. The new certificate is received from the CA; this file is called "cert.pem" and it is saved in the /tmp/certs directory on the Secure Gateway server.

To add the certificate to the Secure Gateway server and match it to the private key and password, type:

      ctxcertmgr -response /tmp/certs/cert.pem

You are prompted to enter the db-password "secret".

If the password entered is valid, the newly signed server certificate is imported into the Secure Gateway certificate store as /var/CTXSssl/certs/citrix.pem.

Installing the Intermediate Certificates:

Ctxcertmgr stores intermediate certificates as separate files. This poses a problem because the Secure Gateway requires all intermediate certificates to be in a single file.

The workaround to this problem is to import the intermediate certificates in the normal manner, for example:

      ctxcertmgr -root -import intermediate -filename intermediate.crt

 

 

 

If the Certificate Request Is not Generated Using ctxcertreq

If you generated the certificate request using a tool other than ctxcertreq, use ctxcertmgr with the -import option to install the certificate.

To install a server certificate not requested using ctxcertreq

1. Log on as the root user at the Secure Gateway server.

2. At the command prompt, type:

      ctxcertmgr -import identifier -filename filename [-format format ]
            [ -keyfilename key-filename ] [ -dbpassword db-password ]
            [ -filepassword [ file-password ]

The following table describes the options:

Option          Usage

-import         Adds a certificate to the Secure Gateway server. Use the identifier parameter to give your certificate a unique label. This label is used to easily identify the certificate in future.

-filename       Specifies the certificate file supplied by the CA, where filename is the location of the file. If the CA supplies the certificate as two separate files (one file containing the private key, the other containing plain text information about the certificate) use the -filename option to specify the location of the file containing plain text information.

-format         Specifies the format of the certificate file supplied by the CA. You can import PEM, NET, DER, PKCS12, and MKS file formats. If you do not specify a format, the system attempts to auto-detect the format; if it cannot detect the format, an error message appears.

-keyfilename    Specifies the location of the file containing the private key. If the CA supplies the certificate as two separate files (one file containing the private key, the other containing plain text information about the certificate), use the keyfilename parameter to specify the location of the file containing the private key. Note that, in this case, you use the -filename option to specify the location of the file containing plain text information.

-dbpassword     Specifies a new password to protect the certificate on the Secure Gateway server. If you include the -dbpassword option, you must use the db-password parameter to specify the new password. This can be no larger than 255 characters.

-filepassword   Specifies the password that the CA uses to protect the certificate file. When a CA sends you a certificate, the certificate is protected using a password. You need this password to extract the certificate from the file. The CA may supply this password in a separate email. If you include the -filepassword option, you must use the file-password parameter to specify the CA's password.


Example: the CA emails the server certificate as one file

The CA sends you a signed certificate file in PEM format. You save this file in the /var/CTXSssl/certs directory on the Secure Gateway server, and call it "file1.pem". The private key is protected with the password "secret".

To install the server certificate on the Secure Gateway server, using the new password "confidential" and the identifier "my_certificate", type the command:

      ctxcertmgr -import my_certificate -filename /var/CTXSssl/certs/file1.pem

You are prompted for the db-password "confidential" and the file-password "secret".


Example: the CA emails the server certificate as two files

The CA sends you the server certificate as two separate files. One file contains plain text information about the certificate, the other contains the private key that the CA protects with the password "secret". The files are in PEM format.

You call the plain text file "file1.pem" and store it in the /var/CTXSssl/certs/ directory. You call the private key file "file2.pem" and save it in a secure directory that only the root user has access to; for example, /home/ctxssl.

To install the server certificate on the Secure Gateway server, using the new password "confidential" and the identifier "my_certificate", type the command:

      ctxcertmgr -import my_certificate \
            -filename /var/CTXSssl/certs/file1.pem \
            -keyfilename /home/ctxssl/file2.pem \
            -dbpassword confidential -filepassword secret

Use -dbpassword and -filepassword only if you are including commands in a shell script.
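
The restriction above exists because a password passed with -dbpassword or -filepassword is shown on the terminal and recorded in command history. The following is an added example, not taken from the Citrix guide: it checks a script or plain-text history file for ctxcertmgr calls that carry a password argument, without echoing the password, and flags a file that group or other can read. The function names exposed_options, readable_by_others and audit are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the Citrix guide. On Solaris, run the awk
# program with nawk or /usr/xpg4/bin/awk rather than /usr/bin/awk.

# exposed_options FILE: print "LINE: OPTION <redacted>" for each -dbpassword
# or -filepassword that is followed by a value. Backslash-continued lines are
# joined first; the password itself is never echoed.
exposed_options() {
    awk '
    /\\$/ { sub(/\\$/, ""); if (!start) start = NR; buf = buf $0 " "; next }
    {
        cmd = buf $0; first = start ? start : NR; buf = ""; start = 0
        if (cmd !~ /ctxcertmgr[ \t]/) next
        n = split(cmd, w, /[ \t]+/)
        for (i = 1; i < n; i++) {
            if (w[i] != "-dbpassword" && w[i] != "-filepassword") continue
            if (w[i + 1] != "" && w[i + 1] !~ /^-/)
                print first ": " w[i] " <redacted>"
        }
    }' "$1"
}

# readable_by_others FILE: succeeds if group or other has read permission.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# audit FILE: print findings and return 1 if any password is exposed.
audit() {
    hits=$(exposed_options "$1")
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits" | while IFS= read -r h; do echo "$1:$h"; done
    if readable_by_others "$1"; then
        echo "$1: readable by group or other; restrict it to root (chmod 600)"
    fi
    return 1
}

# Constructed sample: the page's two-file import written as a script, then a
# call without password options, where ctxcertmgr prompts instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ctxcertmgr -import my_certificate \
  -filename /var/CTXSssl/certs/file1.pem \
  -keyfilename /home/ctxssl/file2.pem \
  -dbpassword confidential -filepassword secret
ctxcertmgr -response /tmp/certs/cert.pem
EOF
audit "$sample" || true
rm -f "$sample"
```

A zero exit status from audit means no ctxcertmgr call in the file carries a password argument.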



These steps were taken from the Solaris Secure Gateway Guide available on the Citrix site at the following link: http://support.citrix.com/kb/entry.jspa?categoryID=186&entryID=3186
For Citrix Secure Gateway 2.0 see: http://support.citrix.com/servlet/KbServlet/download/4192-102-10983/Secure_Gateway_Checklist.pdf