Common name for generating CSR: apps.sslab.com; Certificate Authority: internal or External, you need credit card if external 🙂 RSA Key file creation. Enable the SSL Feature if it is not enabled – Traffic Management – SSL – Right Click – Enable. Traffic Management – SSL – SSL Files – Keys – Select Create RSA Key.
This article describes how to manually create and install self-signed Server and Root CA test certificates using a Public Key Size greater than 512 bits for implementation between Access Gateway Enterprise Edition, Web Interface, and Presentation Server.
The GUI on the Access Gateway has a tool for creating and installing self-signed test Server and Root CA Certificates available under:
When this link is selected, the Access Gateway prompts the user to provide:
Certificate File Name and Fully Qualified Domain Name:
After the requested information is provided the Access Gateway creates the following seven files under the /nsconfig/ssl directory:
Server Certificate files:
Private Key of the server certificate | company.example.cer.key |
CSR of the server certificate | company.example.cer.req |
Server certificate | company.example.cer.cert |
Certificate Authority (CA) files:
Private Key of the Root CA certificate | company.example.cer-root.key |
CSR of the Root CA certificate | company.example.cer-root.req |
Root CA certificate | company.example.cer-root.cert |
Serial Number of the Certificate | CAserial |
The new self-signed/test server certificate will be displayed under SSL > Certificates:
The limitation of these 6 files, is that its Public Key Size is 512 bits. You can verify that on the GUI by going to SSL >> Certificates, highlight the certificate (such as: company.example.cer) and click Details:
For implementation between the Access Gateway Enterprise Edition, Web Interface and Presentation Server the minimum Public Key Size supported is 1024 bits.
The following procedure describes the necessary steps to manually create and install a self-signed server and root test certificates for the FQDN company.example.com using a Public Key Size greater than 512 bits.
The following are the prerequisites:
Access to the Access Gateway Enterprise Edition’s Graphical User Interface (GUI)
WinSCP or equivalent secure file transfer application
The Access Gateway must have an appropriate license installed for Enterprise or Platinum Edition.
Complete the following procedures:
ROOT CA Private Key
From the GUI, go to SSL > SSL Keys > Create RSA Key. Enter the information for:
Key Filename*
Key Size (bits)* (Enter 1024)
Select Create and then Close.
ROOT CA Certificate Signing Request (CSR)
From the GUI, go to SSL > SSL Certificates > Create Certificate Request.
Enter the information for:
Request File Name*
Key File Name* (Click Browse… and select the private key created in the previous step)
Enter the information under Distinguished Name Fields to reflect a ROOT CA Certificate (Refer following screen shot)
Select Create and then Close.
ROOT CA Certificate
From the GUI, go to SSL > SSL Certificates > Create Certificate.
Enter the information for:
Certificate File Name*
Certificate Type (make sure ROOT-CA is selected)
Certificate Request File Name* (Click Browse… and select the CSR created in the previous step)
Key File Name* (Click Browse… and select the private key created previously)
Select Create and then Close.
Server Private Key
From the GUI, go to SSL > SSL Keys > Create RSA Key. Enter the information for:
Key Filename*
Key Size (bits)* (Enter 1024)
Select Create and then Close.
Server Certificate Signing Request (CSR)
From the GUI, go to SSL > SSL Certificates > Create Certificate Request.
Enter the information for:
Request File Name*
Key File Name* (Click Browse… and select the private key created in the previous step)
Enter the information under Distinguished Name Fields to reflect a Server Certificate (Refer following screen shot)
Select Create and then Close.
Key generator for easeus data recovery. EaseUS Data Recovery 12 Crack. EaseUS Data Recovery 12 Crack & Serial Key is the latest released version of this data recovery software. This software is considered best in the market for data recovery purposes. The software has million of the users over the globe.
Server Certificate
From the GUI, go to SSL > SSL Certificates > Create Certificate.
Enter the information for:
Certificate File Name*
Certificate Type (make sure Server is selected)
Certificate Request File Name* (Click Browse… and select the Server CSR created in the previous step)
CA Certificate File Name* (Click Browse… and select the ROOT CA Certificate created previously)
CA Key File Name* (Click Browse… and select the ROOT CA Private Key created previously)
CA Serial Number File* (Click Browse… and select the file CA serial if present on the appliance or the file ns-root.srl)
If the CA serial file is not present then select the file ns-root.srl which is included by default on any appliance.
Select Install and then Close.
From the GUI, go to SSL > Certificates and click Add.
Enter the information for:
Certificate-Key Pair Name*
Certificate Request File Name* (Click Browse… and select the Server Certificate created previously)
Private Key File Name* (Click Browse… and select the Server Private Key created previously)
Select Install and then Close.
From the GUI, go to SSL > Tools > Manage Certificates / Keys / CSRs > Select the Root CA certificate (company.example_ROOT.cer) > Download and save the file on your local PC.
Download or copy the ROOT CA certificate used to generate the Access Gateway SSL certificate to the desktop of the server running the Web Interface and the Client PC testing the connection.
*Do not double-click the ROOT CA file to import the certificate because this only imports the certificate for the current user. The certificate must be trusted by the Local Computer Account.
On the server running the Web Interface and the Client PC, run mmc.exe.
(Start > Run > mmc.exe)
Go to File > Add/Remove Snap-in.
Click Add and under Add Standalone Snap-in select Certificates andthen select Add.
Select Computer Account and click Next, then click Finish.
Close the Add Standalone Snap-in window and on the Add/Remove Snap-in window click OK.
Go to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. Right-click the Certificates and click All Tasks > Import.
Follow the instructions of the Certificate Import Wizard to locate the CA ROOT certificate on the desktop and close the MMC snap-in after importing completes.
Verify the certificate trust and name resolution by pointing a web browser to the Fully Qualified Domain Name (FQDN) entered on the Server certificate (https://company.example.com).
The Access Gateway logon page should appear without any certificate errors or warnings.
WinSCP download: http://winscp.net/eng/download.php
PuTTY download: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
This article describes how to create and configure server certificates for SSL Relay.
SSL Relay can be used to secure communication between Web Interface and the XenApp XML server, as well as secure communications from the ICA Client to the server. Regardless of the scenario being used, unique server certificates must be created for each server using SSL Relay.
This article uses an internal domain Certificate Authority to create a certificate template and sign the requests from the XenApp servers.
Note: It is assumed you have a Certificate Authority in place.
To create a new certificate template, open the Certificate Authority Snap-in from Administrative Tools. Right-click and click Manage.
Right-click Web Server and click Duplicate Template.
A dialog box opens prompting for a 2003 or 2008 Enterprise. For this template, select Windows Server 2003 Enterprise for a version 2 template that will be accessible using the Web Enrollment used later in this article.
Name the new certificate template and extend the validity, if desired. In this case, the template is named SSL Relay and the validity is changed to 5 years.
Click the Request Handling tab and select the Allow private key to be exported option.
On the Security tab, ensure domain admins or the account you plan to use for enrollment have rights for enrollment.
Click OK to close the dialog box and close the manage certificates window. For this template to be available, right-click Certificate Templates and select New > Certificate Template to Issue.
Select SSL Relay from the list.
Open Inter​net Explorer from the XenApp server and browse to the Certificate Authority using HTTPS. HTTPS is required for the certificate request.
https://mycertserver.domain.com/certsrv
Select Request a certificate.
Select advanced certificate request.
Select Create and submit a request to this CA.
Select SSL Relay from the template drop-down and enter the details in the form. The name must be the Fully Qualified Domain Name (FQDN) of the XenApp server.
Select Mark key as exportable option and give the certificate a Friendly Name then click Submit.
From the File menu, select Add/Remote Snap-in. Select Certificates and add both the current user and computer certificate stores.
From the current user store, expand Personal > Certificates. Right-click the server certificate that was created in the preceding steps and select all tasks > export.
From the wizard click Next on the first screen, select Yes, export the private key and click Next. On the export file format screen do not update the defaults, click Next. Create a password for the private key and click Next. Choose a file name and save the certificate at any location on the local file system.
After the certificate has been exported, from the Certificates MMC expand the Computer store > Personal > Certificate.
Right-click Certificates and select All Tasks > Import. Browse to the saved location of the PFX file that was exported in the preceding step and import the certificate (Note: Select All Files from the select window). Enter the password created in Step 5 and select Mark this key as exportable option.
Click Next until finish.
Open the SSL Relay Configuration tool from the Start menu under Citrix > Administration Tools. Select Enable SSL Relay and ensure the appropriate certificate is selected from the drop-down list.
From the Connections tab, delete the entry that lists the server IP address. Ensure only the FQDN is remaining.
Ensure the XML Port is listed correctly. In this case, XML is using port 8080 and 1494 is used for ICA. Click OK and reboot the server. Now the server can be used for SSL Relay.
Repeat this process for any server in the farm that requires SSL Relay.