Ask a Question

Advanced Search

Solution ID : SO22566

Last Modified : 12/28/2018

Installation Instructions for Citrix Secure Gateway on Windows


RapidSSL now offers the GeoTrust SSL Assistant to make it easy to generate a CSR and install a certificate for Microsoft IIS 7.0 servers running .NET 2.0 or higher. As an independent subsidiary of Symantec, RapidSSL offers GeoTrust SSL Assistant as a benefit of our corporate relationship.

This document provides instructions for installing SSL Certificates into IIS 7.x. If you are unable to use these instructions for your server, RapidSSL recommends that you contact Microsoft.
This solution contains two Methods to install your SSL Certificate:

Method 1: Installing the certificate received via e-mail.

Method 2 (recommended): Installing the certificate downloaded from the RapidSSL User Portal.

Method 1: Download and Install SSL certificate sent via e-mail

Step 1: Obtain the SSL certificate sent via email:

    1.    The RapidSSL certificate will be sent by email.
    2.    Copy the certificate imbedded in the body of the email and paste it into a text file
           using Vi or Notepad.

           The text file should look like:


                    [encoded data]

           -----END CERTIFICATE-----

    3.    Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and
           that no white spaces, extra line breaks or additional characters have been inadvertently added.
    4.    Save the certificate filename with the .cer extension. For example: public.cer

           NOTE: If you selected Microsoft IIS  5.0 or above during enrollment, 
           continue with the installation from here.

           If you are not sure which server software was selected during the enrollment,
           proceed with Step 2 bellow.  

Step 2: Download and Install the Intermediate CA Certificate:

           To download and install the Intermediate CA certificate according to your SSL product follow the steps from this link: SO16588
Step 3: Install the SSL certificate:
           To proceed with the installation steps for your SSL certificate click here.

Method 2: Download and Install SSL certificate in PKCS#7 format

Step 1: Download the SSL certificate from RapidSSL User Portal

           NOTE: Download the certificate from the RapidSSL User Portal by
           following the steps from this link: SO16222

           Make sure you download the certificate in PKCS#7 format and save it with the extension .txt or .p7b.


Step 2: Install Certificate

    1.    Click Start > Administrative Tools > Internet Information Services (IIS) Manager
    2.    From the left menu, click the corresponding server name
    3.    In the Features pane (middle pane), under Security, double-click Server Certificates
    4.    From the Actions pane (right pane), select Complete Certificate Request
    5.    Provide the location of the certificate file and the friendly name
           NOTE: Friendly name is a reference name for quick identification of the certificate for the Administrator.

           NOTE: With a Wildcard certificate, you want to make sure to give it a wildcard friendly name. 
Example: *

           IIS 7.X  will not let you set an SSL host header unless the friendly name starts with * when
           you bind your certificate to your sites.

           You can see in this example how the binding will look later if you do not give the certificate
           a wildcard friendly name:

           Friendly name without wildcard:


           Friendly name with wildcard:


           At this point the server may respond with one of the two known errors;

           CertEnroll::CX509Enrollment::p_InstallResponse:ASN1 bad tag value met. 0x8009310b (ASN: 267) 
           Click SO15889 for the resolution to this message.


Cannot find the certificate request associated with this certificate file. 
           A certificate request must be completed on the computer where it was created. 
           Click SO21575 for the resolution to this message.

 In IIS7, you need to install the certificate and then bind the HTTPS protocol to the site

Step 3: Binding certificate to the web site:

    1.    Click Start > Administrative Tools > Internet Information Services (IIS) Manager
    2.    Browse to your server name > Sites > Your SSL-based site
    3.    In the Actions pane, click Bindings.


    4.    In the Site Bindings window scroll down, highlight HTTPS and click Remove.

           NOTE: If you wanted to secure traffic between IIS and Citrix Secure Gateway, edit the binding and
           change the port to 444 or some other non-well known TCP port. For best performance, it is only
           recommended to secure traffic when IIS and CSGare on different servers


    5.    Click OK

Step 4: Configure Citrix Secure Gateway

           To configure Citrix Secure Gateway, perfom the steps from this link:  SO22539 

Step 5:  Verify certificate installation:

    1.    To verify the SSL certificate installation, use the RapidSSL Installation Checker 
    2.    In some cases you may need to Stop and start your Web server prior to any testing. 
           NOTE: In some cases the changes may not take place after restarting IIS Services and
           a re-boot is needed.

Citrix Support
            For more information, refer to Citrix Support