This document provides instructions for generating a Certificate Signing Request (CSR) for Citrix Secure Gateway using IIS7 Manager. If you are unable to use these instructions for your server, Symantec recommends that you contact Citrix.
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
To generate the Certificate Signing Request CSR for Microsoft IIS 7.0, perform the following steps:
NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size.
- Choose Start > Administrative Tools > Internet Information Services (IIS) Manager
- In the IIS Manager, choose your server name
- In the Features pane (the middle pane), double-click the Server Certificates option located under the Security heading.
- To begin the process of requesting a new certificate, from the Actions pane, choose Create Certificate Request option as shown below:
- The first screen of the wizard asks for details regarding the new site:
- All the fields need to be filled in. In order to fill in this form consider:
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.symantec.com" or "symantec.com".
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Locality or City (L): The Locality field is the city or town name
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Country Name (C): Use the two-letter code without punctuation for country, for example: US
NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment.
For example, a certificate for the domain "symantec.com" will receive a warning if accessing a site named "www.symantec.com"
or "secure.symantec.com", because "www.symantec.com" and "secure.symantec.com" are different from "symantec.com".
- Click Next to continue.
- The next screen of the wizard asks you to choose cryptography options. The default, Microsoft RSA SChannel Cryptography Provider is fine. Select a key-bit length of 2048.
- Click Next to continue.
- Finally, provide a filename to which to save the certificate request. You will need the contents of this file in the next step, so make sure you know where to find it. To change the location of where you wish to save the CSR, select the box with the 3 periods next to the file name.
- Verify your CSR
- Proceed with Enrollment.
NOTE: During the enrollment open the file you created from the above steps and copy the contents into the enrollment form
when requested for the CSR.
During the verification process, Symantec may need to contact your organization. Be sure to provide an email address,
phone number and fax number that will be checked and responded to quickly. These fields are not part of the certificate.
Once the certificate has been issued, follow the steps from this link to install the certificate on your server: SO6298