Solution ID : SO22358

Last Modified : 05/31/2019

Managed PKI for SSL - Installation Instructions for Citrix Secure Gateway on Windows


This document provides instructions for installing SSL certificates into Citrix Secure Gateway using IIS 7 Manager. If you are unable to use these instructions for your server, DigiCert recommends that you contact Citrix.
This solution contains two methods to install your SSL certificate:

Method 1: Installing the certificate received via e-mail.

Method 2: Installing the certificate downloaded from Managed PKI for SSL subscriber service page.

Method 1: Download and Install SSL certificate sent via e-mail
Step 1: Obtain the SSL certificate sent via email
          Once your Managed PKI for SSL administrator has approved the certificate request, you will receive an email
          containing a certificate download link. The certificate is also attached (cert.cer) and included in the body of the email itself.
          Copy the SSL certificate, making sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer.
          Ensure there are no white spaces, extra line breaks or additional characters.
          Using a plain text editor such as Notepad, paste the content of the certificate and save it with the extension .txt
Step 2: Download and Install the intermediate CA certificate
Step 3: Install the SSL certificate
         To proceed with the installation steps for your SSL certificate click here.
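
A pre-flight check for the file saved in Step 1, as an added example that is not part of the original DigiCert instructions. It rejects a paste with a missing header or footer, spaces, blank lines or stray characters, parses the certificate, and reports whether a matching pending request exists on this computer. The function name Test-PastedCertificate, the sample path, and the use of the Cert:\LocalMachine\REQUEST store to find the pending request are assumptions.

```powershell
# Added example: pre-flight check for the certificate file saved in Step 1.
# Test-PastedCertificate and the sample path below are hypothetical names.
function Test-PastedCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    $text = [System.IO.File]::ReadAllText((Resolve-Path $Path).Path)

    # Nothing may precede the header or follow the footer (one final line
    # break is tolerated), and every body line must be pure Base64:
    # no spaces, no blank lines, no additional characters.
    $pattern = '\A-----BEGIN CERTIFICATE-----\r?\n' +
               '((?:[A-Za-z0-9+/=]+\r?\n)+)' +
               '-----END CERTIFICATE-----(?:\r?\n)?\z'
    $m = [regex]::Match($text, $pattern)
    if (-not $m.Success) {
        throw "$Path is not a clean PEM certificate: check the header, footer, spaces and stray characters."
    }

    # Decode and parse; a truncated or corrupted paste fails at this point.
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, $der)

    # Assumption: the pending request created in IIS is kept in the machine's
    # "Certificate Enrollment Requests" store (Cert:\LocalMachine\REQUEST).
    # A request with the same public key means the private key is on this host.
    $key     = [BitConverter]::ToString($cert.GetPublicKey())
    $pending = @(Get-ChildItem Cert:\LocalMachine\REQUEST |
        Where-Object { [BitConverter]::ToString($_.GetPublicKey()) -eq $key })

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        NotAfter          = $cert.NotAfter
        Thumbprint        = $cert.Thumbprint
        RequestOnThisHost = ($pending.Count -gt 0)
    }
}

# Run from an elevated PowerShell prompt on the server (hypothetical path).
Test-PastedCertificate -Path 'C:\certs\cert.txt'
```

If RequestOnThisHost is False, the request was not created on this computer, or it is no longer pending there.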

Method 2: Download and Install SSL certificate in PKCS#7 format

Step 1: Download the SSL certificate from Managed PKI for SSL subscriber services page
         Make sure you download the certificate in PKCS#7 format and save it with the extension .txt or .p7b

Step 2: Install certificate

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. From the left menu, click the corresponding server name.
  3. In the Features pane (middle pane), under Security, double-click Server Certificates.
  4. From the Actions pane (right pane), select Complete Certificate Request.
  5. Provide the location of the certificate file and the friendly name.
    NOTE: Friendly name is a reference name for quick identification of the certificate for the Administrator.

    At this point the server may respond with one of two known errors:
    CertEnroll::CX509Enrollment::p_InstallResponse:ASN1 bad tag value met. 0x8009310b (ASN: 267) 
    Click here for the resolution to this error.


    Cannot find the certificate request associated with this certificate file.
    A certificate request must be completed on the computer where it was created.
    Click here for the resolution to this error.

In IIS7, you need to install the certificate and then bind the HTTPS protocol to the site.

Step 3: Binding certificate to the web site

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Browse to your server name > Sites > Your SSL-based site.
  3. In the Actions pane, click Bindings.

  4. In the Site Bindings window scroll down, highlight HTTPS and click Remove.
    NOTE: If you want to secure traffic between IIS and Citrix Secure Gateway, edit the binding and change the port to 444 or some
    other non-well-known TCP port. For best performance, it is only recommended to secure traffic when IIS and CSG are on different

  5. Click OK.

Step 4: Configure Citrix Secure Gateway

         To configure Citrix Secure Gateway, perform the steps from this link.

Step 5:  Verify certificate installation
  1. Verify your installation with the DigiCert Installation Checker.
  2. In some cases you may need to stop and start your Web server prior to any testing.
    NOTE: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.

Citrix Support
          For more information, refer to Citrix Support.