Post date: Dec 04, 2012 1:57:49 PM
How to Create a Certificate for an Access Gateway Deployed Behind a Load Balancer
Document ID: CTX116758 / Created On: 10-Apr-2008 / Updated On: 31-Oct-2008
This article is no longer maintained, its content refers to a discontinued product and may be out of date. Refer to the Discontinued Product Lifecycle or Active Citrix Product pages for more information on support schedules.
Summary
This article describes how to create a certificate for a Citrix Access Gateway deployed behind a load balancer.
Requirements
One way to create certificates for Access Gateways deployed behind a load balancer is to use OpenSSL.
You can download OpenSSL for Windows at the following site: OpenSSL
To use OpenSSL, you also need the C++ redistributable files, which can be obtained at the following URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en
Procedure
1. Create a private key by running the following OpenSSL command from the \OpenSSL\bin directory:
C:\OpenSSL\bin>openssl genrsa -out privateserver.key 1024
Output:
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........................................++++++
................................................++++++
e is 65537 (0x10001)
2. Create the Certificate Signing Request (CSR) using the following command from the \OpenSSL\bin directory:
C:\OpenSSL\bin>openssl req -new -key privateserver.key -out server.csr -outform PEM
OpenSSL prompts you to enter details for the certificate. Press Enter after each prompt:
Output:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <two-letter code>
State or Province Name (full name) [Some-State]: <state or province name>
Locality Name (eg, city) [ ]: <city name>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <organization name>
Organizational Unit Name (eg, section) [ ]: <organizational unit name>
Common Name (eg, YOUR name) [ ]: <the FQDN of your loadbalancer>
Email Address [ ]: <administrator's email address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [ ]: <password>
An optional company name [ ]:
3. Combine the signed certificate with the private key.
a. When the server.csr file is created, send this file to your Certificate Authority (CA) to be signed.
b. Once you receive your certificate from the CA, you must combine the certificate with the private key.
Use a text editor to open the signed certificate and the private key. Combine the unencrypted private key with the signed certificate in the PEM file format.
The file contents should look similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<Unencrypted Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Signed Certificate>
-----END CERTIFICATE-----
Save and name the PEM file; for example, AccessGateway.pem.
4. Upload the .PEM certificate to the Access Gateway by using the “Upload a .pem private key and signed certificate” option in the Access Gateway Administration Tool.
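An added example, not part of the original Citrix article: a Python check for the combined file from step 3 that confirms the BEGIN/END labels match, the private key is unencrypted, and the key is followed by a certificate. The function names and sample payloads are constructed for illustration; the check covers the file's structure only, not whether the key belongs to the certificate.

```python
import base64
import re

# PEM armor; the END label is captured loosely so a mistyped one is reported.
_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([^-\n]+)-----", re.S)


def armor(label, payload, end_label=None):
    """Build a PEM block around constructed bytes (sample data, not a real key)."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {end_label or label}-----\n"


def check_combined_pem(text):
    """Return a list of problems in a combined private key + certificate file."""
    problems = []
    blocks = _BLOCK.findall(text)
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        if "ENCRYPTED" in begin or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{begin} is passphrase-protected, not unencrypted")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{begin} body is not valid base64")
    labels = [begin for begin, _, _ in blocks]
    keys = [i for i, name in enumerate(labels) if name.endswith("PRIVATE KEY")]
    certs = [i for i, name in enumerate(labels) if name == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected 1 private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block found")
    # Assumption: the order follows the sample layout shown in step 3.
    if keys and certs and keys[0] > certs[0]:
        problems.append("private key should come before the certificate")
    return problems


# Constructed samples: the payloads are placeholder bytes, not key material.
GOOD = armor("RSA PRIVATE KEY", b"constructed key") + armor("CERTIFICATE", b"constructed cert")
BAD_LABEL = armor("RSA PRIVATE KEY", b"constructed key", "RSA Private KEY") + armor(
    "CERTIFICATE", b"constructed cert")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_LABEL", BAD_LABEL)):
        print(name, check_combined_pem(sample) or "ok")
```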