To resolve this issue when installing an SSL certificate in Citrix Access Gateway, follow the steps below.
Step 1: Download the SSL & Intermediate CA Certificate
- Download the certificate from your Symantec Trust Center account.
Note: Select the server platform as Citrix > Access Gateway Enterprise Edition Appliance when downloading the certificate.
- The ZIP file you downloaded contains the following certificates:
- SSL certificate (i.e. ssl_certificate.crt, also known as end entity certificate, public key certificate, digital certificate or identity certificate).
- Intermediate CA certificate (i.e. IntermediateCA.crt, also known as chained certificate or signer/issuer of the SSL certificate).
- Unzip the files onto the server where you will install the certificate.
Step 2: Install the SSL Certificate
- Using WinSCP or any other secure FTP client, connect to the Access Gateway and log on as nsroot.
- Upload the agee.cer file to the /nsconfig/ssl directory.
- In the GUI configuration manager, go to SSL > Certificates and click Add.
- In the Certificate-Key Pair Name field, type a descriptive name for this certificate entity, for example: access.symantec.com
- For File Location select the Remote System radio button.
- For Certificate Filename, click Browse and locate the ssl_certificate.crt file you obtained in Step 1.
- For the Key Filename, browse to the corresponding private key and enter the PEM passphrase.
- Keep PEM selected as the format.
- Click Install and then Close.
- After a few seconds, the certificate entity should appear in the background. Click Close. Your certificate can now be used.
Step 3: Install the Intermediate CA Certificate
- Using WinSCP, transfer the intermediate certificate to the /nsconfig/ssl directory.
- Log in to the Configuration utility of the appliance.
- Expand the SSL node.
- Click Certificates.
- On the SSL Certificates page, click Add.
- Specify the appropriate values in the various fields of the Install Certificate dialog box. The following screenshot displays the sample values for your reference.
- Click Install.
- On the SSL Certificates page, select the server certificate to which you want to link the intermediate certificate (obtained from Step 1).
Note: Link the server certificate to the Intermediate CA certificate.
- Click Link.
- From the CA Certificate Name list, select the required intermediate certificate, as shown in the following screenshot.
- Verify the certificate installation using the DigiCert Installation Checker.
If the certificate installation failed because the private key and the SSL certificate do not match, you must replace the SSL certificate.
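The key mismatch described above, and a wrong intermediate, can both be caught on the workstation before anything is uploaded to /nsconfig/ssl. The script below is an added example, not part of the original article or of any Citrix or Symantec tooling. It assumes OpenSSL 1.0.2 or later and PEM files; the names preflight.sh and private.key are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for the certificate files from Step 1.
# Usage (preflight.sh and private.key are hypothetical names):
#   sh preflight.sh ssl_certificate.crt private.key IntermediateCA.crt

# Succeeds when the private key ($2) holds the same public key as the
# certificate ($1). An encrypted key makes openssl ask for the PEM passphrase.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    # Guard against two empty strings comparing equal.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate ($1) carries a valid signature from the
# intermediate CA certificate ($2). -partial_chain lets the intermediate act
# as the trust anchor, since it is not self-signed.
issued_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs both checks and reports each result; returns non-zero if either fails.
preflight() {
    rc=0
    if key_matches_cert "$1" "$2"; then
        echo "OK   private key matches $1"
    else
        echo "FAIL private key does not match $1"
        rc=1
    fi
    if issued_by "$1" "$3"; then
        echo "OK   $1 was issued by $3"
    else
        echo "FAIL $1 was not issued by $3"
        rc=1
    fi
    return "$rc"
}

# Only run when all three file arguments are supplied.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A FAIL on the first check means the appliance will reject the certificate-key pair; a FAIL on the second means the Link step in Step 3 would attach the wrong intermediate.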
For more information, visit Citrix Support.