Citrix

How to Convert PFX Certificate to PEM Format for Use with Citrix Access Gateway

  • CTX106028
  • Created On  Feb 23, 2007
  • Updated On  Apr 29, 2014
  • 162 found this helpful
  • Article
  • Topic : Security

Summary

For secure, trusted access you must install an SSL server certificate on the Access Gateway server. The uploaded certificate file must have the following characteristics:

  • The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. For best results, use a commercial CA such as VeriSign, Thawte or GeoTrust.
  • The certificate must be in Privacy Enhanced Mail (PEM) format, a text-based format that is a Base64 encoding of the binary Distinguished Encoding Rules (DER) format.
  • The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file.
  • Any necessary intermediate certificates must also be appended to the end of the PEM file.

Procedure

If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto the Access Gateway, you must convert the PFX file to the unencrypted PEM format.

You can use the open-source utility OpenSSL to perform the conversion from PFX to PEM. You can download a Win32 distribution of OpenSSL here:

http://www.slproweb.com/products/Win32OpenSSL.html

You might also need C++ re-distributable files if you want to use OpenSSL which can be obtained at the following URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en

To convert a PFX file to a PEM file, follow these steps on a Windows machine:

  1. Download and install the Win32 OpenSSL (Win32 OpenSSL v0.9.8i) package from http://www.slproweb.com/products/Win32OpenSSL.html
  2. Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.
  3. Open a command prompt and change into the OpenSSL\bin directory:
    cd %homedrive%\OpenSSL\bin


  4. Type the following command to convert the PFX file to an unencrypted PEM file (all on one line):
    openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem –nodes



  1. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.

  1. Point a browser to the Access Gateway administration portal or HTTPS port 9001: https://access-gateway-server:9001.
  2. Log on as root. The default password is rootadmin.
  3. Click the Maintenance link at the top of the page.
  4. Click the Browse button next to the Upload Private Key + Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.
  5. Restart the Access Gateway for the new SSL certificate to be applied.

Share your comments or find out more about this topic

Citrix Forums

Languages

N/A

Was this helpful?

Thank you for your feedback!


| Terms of Use | Privacy | Governance