Solution ID : SO6839

Last Modified : 05/02/2018

How to move a certificate from IIS5/6 to Citrix Access Gateway 4

Problem

Convert PFX Certificate to PEM Format for Use with Citrix Access Gateway
Use an SSL certificate to secure Citrix Access Gateway
Install certificate onto Citrix Access Gateway using Command Line
Move a certificate from IIS5/6 to Citrix Access Gateway 4

Solution


To install an SSL server certificate on the Citrix Access Gateway server 4.9 (CAG), the uploaded certificate file must have the following characteristics:
 
1. The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. 
 
2. The certificate must be in PEM format, a text-based format that is a Base64 encoding of the binary DER format. 
 
3. The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file. 
 
4. Any necessary intermediate certificates must also be appended to the end of the PEM file.
 
Procedure:
 
If you have requested and installed a certificate onto a Windows server using the IIS certificate wizard, you can export that certificate with its private key to a PFX file. In order to import this certificate onto the Access Gateway, you must convert the PFX file to the unencrypted PEM format.
 
Use the open-source utility OpenSSL to perform the conversion from PFX to PEM. A Win32 distribution of OpenSSL is available from the location given in step 1 below.
 
To convert a PFX file to a PEM file and install the certificate on the Citrix Access Gateway server 4.9, follow these steps on a Windows machine:
 
1. Download and install the Win32 OpenSSL package from http://gnuwin32.sourceforge.net/packages/openssl.htm 
 
2. Create a folder c:\certs 
 
3. Copy the file yourcert.pfx into the c:\certs folder 
 
4. Open a command prompt
 
5. Change into the GnuWin32\bin directory:
cd %ProgramFiles%\GnuWin32\bin 
 
6. Type the following command to convert the PFX file to an unencrypted PEM file (all on one line):
openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes 
 
7. When prompted for the import password, enter the password used when exporting the certificate to a PFX file.
You should receive a message that says MAC verified OK.
  
8. Point a browser to the Access Gateway administration portal or HTTPS port 9001: https://access-gateway 
 
9. Log on as root. The default password is rootadmin 
 
10. At the top of the page, click the Maintenance link  
 
11. Next to the Upload certificate field, click the Browse button.
 
12. Browse to the c:\certs\cag.pem file
 
13. Click Upload
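
A structural check of the converted cag.pem against characteristics 2 to 4 above, added here as an example (it is not part of the referenced Citrix article). The function names and the sample data are assumptions made for illustration; the sample blocks are constructed placeholders, not real keys or certificates.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def check_cag_pem(text):
    """Return (problems, counts); an empty problems list means the layout is OK.

    Text outside BEGIN/END markers, such as the "Bag Attributes" lines that
    openssl pkcs12 writes, is ignored.
    """
    problems, counts = [], {"keys": 0, "certs": 0}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        b64 = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            der = b""
        if label.endswith("PRIVATE KEY"):
            # Encrypted keys show up either in the label or in a header line
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                problems.append("private key is encrypted (password required)")
                continue
            counts["keys"] += 1
        elif label == "CERTIFICATE":
            counts["certs"] += 1
        # Unencrypted keys and certificates are DER, which starts with SEQUENCE (0x30)
        if not der.startswith(b"\x30"):
            problems.append(f"{label} block is not Base64-encoded DER")
    if counts["keys"] == 0 and not any("encrypted" in p for p in problems):
        problems.append("no private key in file")
    if counts["certs"] == 0:
        problems.append("no certificate in file")
    return problems, counts


def make_block(label, headers=""):
    # Constructed placeholder payload: a 5-byte DER SEQUENCE, not real key material
    b64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"


# Constructed sample shaped like "openssl pkcs12 -nodes" output: key, leaf, intermediate
SAMPLE_OK = ("Bag Attributes\n    localKeyID: 01 00 00 00\n" + make_block("PRIVATE KEY")
             + "Bag Attributes\n" + make_block("CERTIFICATE") + make_block("CERTIFICATE"))

if __name__ == "__main__":
    print(check_cag_pem(SAMPLE_OK))
```

A "certs" count of 1 means the PFX export did not include the chain, so any intermediate certificates still have to be appended by hand. Because cag.pem holds the private key in clear text, remove it from c:\certs once the upload has succeeded.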

These instructions are referenced from the following article:
 
Convert PFX Certificate to PEM Format for Use with Citrix Access Gateway (CTX106028): http://knowledgebase.citrix.com/article/CTX106028