Problem Definition
When you purchase an Access Gateway, it includes a digital certificate that is not signed by a trusted Certificate Authority. Operating the Access Gateway without a digital certificate signed by a Certificate Authority can expose VPN connections to malicious attacks.
It is recommended that you install on the Access Gateway a digital X.509 certificate that belongs to your company and is signed by a Certificate Authority. Your company can operate as its own Certificate Authority, or you can obtain a digital certificate from a commercial Certificate Authority such as Verisign or Thawte.
There are several issues that can occur when attempting to install a certificate on an Access Gateway. This document offers troubleshooting assistance to address these issues.
Environment
Troubleshooting Methodology
Knowing the certificate requirements of the Access Gateway makes troubleshooting the issue easier.
The Access Gateway accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a text format that is the Base-64 encoding of the Distinguished Encoding Rules (DER) binary format. The PEM format specifies the use of text BEGIN and END lines that indicate the type of content that is being encoded.
Before you can upload a certificate to the Access Gateway, you need to generate a Certificate Signing Request (CSR) and private key. The CSR can be generated using the Certificate Request Generator included in the Access Gateway Administration Tool. The Certificate Request Generator is a wizard that creates a .csr file. After the file is created, you email it to the Certificate Authority for signing. After it is signed, it is returned to you and you can upload it to the Access Gateway.
Digital Certificates and Access Gateway Operation
The Access Gateway uses digital certificates to encrypt and authenticate traffic over a connection. If the digital certificate installed on the Access Gateway is not signed by a Certificate Authority, the traffic is encrypted but not authenticated. A digital certificate must be signed by a Certificate Authority to authenticate the traffic.
When traffic over a connection is not authenticated, the connection can be compromised through a “man in the middle” attack. In such an attack, a third party intercepts the public key sent by the Access Gateway to the Secure Access Client and uses it to impersonate the Access Gateway. As a result, the user unknowingly sends authentication credentials to the attacker, who could then connect to the Access Gateway. A certificate that is signed by a Certificate Authority prevents such attacks.
If the certificate installed on the Access Gateway is not signed by a Certificate Authority, Secure Access users see a security alert when attempting to log on.
Secure Access users see security warnings unless you install a certificate that is signed by a Certificate Authority on the Access Gateway and a corresponding certificate on users’ computers. Users can also disable the Security Alert through the Secure Access Connection Properties dialog box.
Some of the problems that may occur when dealing with the Access Gateway and certificates are as follows:
Resolution
Determine whether your certificate meets the requirements described above, and make sure you include the full certificate chain. Follow the steps provided in each example above for a resolution.
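As an added pre-upload check (not part of this article or of the Access Gateway tooling), the following standard-library Python script validates a certificate file against the requirements above: matching BEGIN/END labels, a valid Base-64 body that decodes to a DER SEQUENCE, and more than one CERTIFICATE block so that the full chain is present. The sample PEM blocks are constructed from tiny hand-made DER sequences, not real certificates.

```python
import base64
import re

# One PEM block: BEGIN line, Base-64 body, END line (labels must match).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_pem(text: str) -> list:
    """Return [(label, der_bytes)] for every block, or raise ValueError on a malformed one."""
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin}: body is not valid Base-64") from exc
        if not der_length_ok(der):
            raise ValueError(f"{begin}: decoded body is not a DER SEQUENCE")
        blocks.append((begin, der))
    if not blocks:
        raise ValueError("no PEM blocks found: a binary DER or PFX file must be converted first")
    return blocks

def check_bundle(text: str) -> dict:
    """Pre-upload summary: certificate count, key count, and whether a chain (>1 cert) is present."""
    blocks = parse_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    return {"certificates": len(certs), "private_keys": len(keys), "full_chain": len(certs) > 1}

# Constructed samples: the bodies are tiny hand-made DER SEQUENCEs, not real certificates.
def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

SERVER_DER = b"\x30\x03\x02\x01\x01"                       # SEQUENCE { INTEGER 1 }
ISSUER_DER = b"\x30\x03\x02\x01\x02"                       # SEQUENCE { INTEGER 2 }
SAMPLE_CHAIN = _pem("CERTIFICATE", SERVER_DER) + _pem("CERTIFICATE", ISSUER_DER)
SAMPLE_SERVER_ONLY = _pem("CERTIFICATE", SERVER_DER)
```

Run `check_bundle` on the file you intend to upload; a `full_chain` of False or a ValueError points at the same format and chain problems this article describes.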
Additional Information
CTX106028 – Convert PFX Certificate to PEM Format for Use with Citrix Access Gateway