How to Configure EdgeSight to Use SSL with Microsoft Certificate Services

Document ID: CTX111924   /   Created On: Jan 31, 2007   /   Updated On: Oct 28, 2008

Summary

This document describes how to install Windows Certificate Services and perform the tasks required to install a certificate for use with Citrix EdgeSight software. Use these procedures if you do not intend to obtain and use a certificate from a recognized commercial certificate authority (CA).

The following procedures must be completed to ensure the proper operation of your new Certificate Services installation. Each section builds on the tasks completed in the previous section.

Installing Windows Certificate Services

Create an Offline Certificate Request File using the Web Site Certificate Wizard

Submit the Offline Certificate Request to the Certificate Server using the Web Enrollment Site

Install the Web Site Certificate

Install the CA Certificate

EdgeSight Agent configuration. Note: This information only applies to Citrix EdgeSight for Endpoints and Citrix EdgeSight for Presentation Server.

Installing Windows Certificate Services

This section contains the steps required for installing Certificate Services on your Windows Server. Following these instructions results in a working instance of Windows Certificate Services. You can create a new server to fill the role of Certificate Server or this process can be carried out on your EdgeSight Web Server.

Before performing this procedure, review Certificate Services Best Practices.

    1. Open the Control Panel.

    2. In the list of available items, double-click Add or Remove Programs and choose Add/Remove Windows Components from the left menu.

    3. The Windows Component Wizard is displayed. Select the check box for Certificate Services.

    4. You may see a message describing machine name change consequences once the CA is installed. Read this message and click Yes to continue. Then, click Next in the Windows Component Wizard dialog.

    5. If you already have another Enterprise CA installed on your network, accept the default choice of Enterprise subordinate CA and click Next. If this is the first Enterprise CA, choose Enterprise root CA and click Next.

    6. Enter a name for the new Certificate Server and click Next. (The distinguished name suffix is automatically supplied.)

    7. The wizard asks if you want to store the Certificate configuration information in a shared location. Follow steps 8 through 11 to create and name the new share location. To continue without sharing the Certificate configuration settings, click Next and go to step 12.

    8. Open Windows Explorer and create a new folder to save the configuration settings to (for example, “C:\CertConfig”).

    9. Right-click the new folder and select Sharing and Security from the menu. The folder Properties dialog is displayed. Select the Share this folder radio button, then click OK to create the share.

    10. Return to the Windows Component Wizard, select the Store configuration information in a shared folder check box, and browse for or enter the path to the share created in the previous step.

    11. Locate and select the folder to store the shared configuration settings in and click OK. Click Next in the Windows Component Wizard.

    12. If Internet Information Services (IIS) is running, a message appears requesting that the service be stopped during the installation of the Certificate Service. Click Yes to continue.

    13. If prompted, click OK in the dialog requesting that you insert the Windows Server installation disk or browse for the installation files if they can be located on a network.

    14. Browse for or enter the server installation file path. Click OK to begin installing Certificate Services.

    15. When you see the dialog stating “You have successfully completed the Windows Component Wizard,” click Finish.

Create an Offline Certificate Request File using the Web Site Certificate Wizard

Perform the following steps on the Web server to generate the certificate request file:

    1. From the Start menu (or from the Control Panel), go to Administrative Tools and select Internet Information Services.

    2. In the IIS Manager console, expand the Web Sites node and select the Default Web Site node. Right-click the Default Web Site node and select Properties from the pop-up menu. The Default Web Site Properties dialog is displayed.

    3. Select the Directory Security tab.

    4. On the Directory Security tab, click the Server Certificate button in the Secure Communications frame.

    5. Click Next on the Welcome to the Web Server Certificate Wizard page.

    6. On the Server Certificate page, select the Create a new certificate option and click Next.

    7. On the Delayed or Immediate Request page, select Prepare the request now, but send it later and click Next. (If the Web server is not a member of a domain that has an enterprise CA, this is the only option offered. Use it in any case, because the following procedures assume an offline request file.)

    8. On the Name and Security Settings page, accept the default values for the certificate name and the key bit length and click Next.

    9. On the Organization Information page, enter the name of your organization in the Organization field and enter the name of your organizational unit in the Organizational Unit field. Click Next.

    10. On the Your Site’s Common Name page, enter the name of the Web site in the Common name field. This is an extremely important entry. The name you put into this text box must be exactly the same as the name that users and EdgeSight Agents supply to access the Web site: the value later configured as the server address in the Citrix System Monitoring Agent (or as SERVER_NAME on the agent installation command line). Use the fully qualified DNS name if that is how agents address the server; a certificate issued to a short name or an IP address is rejected when the agent connects by FQDN. Click Next.

    11. On the Geographical Information page, enter your State/province and City/locality in the applicable fields and click Next.

    12. On the Certificate Request File Name page, accept the default location for the certreq.txt file and click Next. (Note that the file is located in the root of the C:\ drive. You will retrieve that file later when making a certificate request to the Certificate Server).

    13. Review the information on the Request File Summary page and click Next.

    14. Click Finish on the Completing the Web Server Certificate Wizard page.

    15. Click OK on the Default Web Site Properties dialog.
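The same request file can be produced from the command line with certreq.exe, which ships with Windows Server 2003 and later. The following is an added example and is not part of the Citrix article or of the IIS wizard; the host name edgesight.example.com, the organization values and the file paths are assumptions. It writes the same kind of base-64 PKCS #10 file as the wizard, with the common name set to the exact name agents will use, and then dumps the request so the subject can be checked before it is submitted:

```powershell
# Added example (not from the Citrix article). Run in an elevated PowerShell
# prompt on the EdgeSight Web server. All names and paths are assumptions.

# The common name MUST equal the name agents use to reach the server
# (the server address in the agent control panel / SERVER_NAME on the msiexec line).
$commonName = "edgesight.example.com"
$infPath    = "C:\certreq.inf"
$reqPath    = "C:\certreq.txt"     # same default file name the IIS wizard uses

# certreq.exe INF file: a 2048-bit RSA key in the machine store, usable for
# SSL (KeySpec=1 = key exchange, KeyUsage=0xA0 = digital signature + key
# encipherment), requested against the enterprise CA's Web Server template.
$inf = @"
[NewRequest]
Subject = "CN=$commonName, OU=IT, O=Example Corp, L=Fort Lauderdale, S=Florida, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@
$inf | Out-File -FilePath $infPath -Encoding ASCII

# Generate the key pair and the base-64 encoded PKCS #10 request file.
certreq -new $infPath $reqPath

# Check the subject before submitting: the CN must match $commonName exactly,
# otherwise agents connecting by that name will reject the certificate.
certutil -dump $reqPath | Select-String -Pattern "CN=", "Public Key Length"
```

A request made this way is not a pending request of the IIS wizard, so after the CA issues the certificate it is completed with certreq -accept (see the later example) and attached to the Web site through the wizard's Assign an existing certificate option rather than Process the pending request.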

Submit the Offline Certificate Request to the Certificate Server using the Web Enrollment Site

The next step is to use the certificate request file created by the Web Site Certificate Wizard to request a Web site certificate from the enterprise CA installed in Installing Windows Certificate Services. To accomplish this task, you must open the Certificate Server’s Web enrollment site and send the request. The request file contains only the public key and the subject information, so submitting it over plain HTTP exposes nothing secret; the CA certificate you download afterwards, however, must be checked before it is trusted (see Install the CA Certificate).

Perform the following steps to send the Web site certificate request to the enterprise CA:

    1. Open Internet Explorer on the Web server machine and enter http://ipaddr/certsrv in the address bar, where ipaddr is the IP address of the Certificate Server. Press Enter.

    2. Enter domain administrator credentials in the authentication dialog box and click OK.

    3. On the Welcome page of the Web enrollment site, click the Request a certificate link at the bottom of the page.

    4. On the Request a Certificate page, click the Advanced certificate request link.

    5. On the Advanced Certificate Request page, click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file link.

    6. On the Submit a Certificate Request or Renewal Request page, copy the contents of the certreq.txt file into the Saved Request field. (Open the certreq.txt file and then press CTRL+A to select all the text. Then press CTRL+C to copy all the text to the clipboard. Go to the Web browser window, click in the Saved Request field and press CTRL+V to paste the contents of the certreq.txt file into the text box.) Select the Web Server template from the Certificate Template list. Click Submit.

    7. On the Certificate Issued page, click the Download certificate link. The default file name is certnew.cer.

    8. In the File Download dialog box, click Save. Save the file to the Desktop. Click Close.

    9. On the Certificate Issued page, click the Download certificate chain link. The default file name is certnew.p7b, a PKCS #7 file that contains the issued certificate together with the CA certificate(s) above it.

    10. In the File Download dialog box, click Save. Save the file to the Desktop. Click Close.

    11. Close Internet Explorer.
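The request can also be submitted from the command line instead of the Web enrollment site. This is an added example, not from the Citrix article; the CA configuration string CA01\Example Enterprise Root CA and the file paths are assumptions (the configuration string is the CA computer name, a backslash, and the CA name entered in step 6 of Installing Windows Certificate Services). certreq -submit writes both the issued certificate and the certificate chain, the same two files the enrollment pages offer for download:

```powershell
# Added example (not from the Citrix article). Run on the Web server as a user
# who is allowed to enroll for the Web Server template. All names are assumptions.
$caConfig  = "CA01\Example Enterprise Root CA"   # "<CA host>\<CA name>"
$reqPath   = "C:\certreq.txt"                    # request produced by the wizard
$certPath  = "C:\certnew.cer"                    # issued certificate
$chainPath = "C:\certnew.p7b"                    # certificate chain (PKCS #7)

# Confirm the CA answers under that configuration string before submitting.
certutil -config $caConfig -ping

# Submit the PKCS #10 request against the Web Server template. An enterprise CA
# issues immediately unless the template requires manager approval, so both
# output files are normally written at once.
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" $reqPath $certPath $chainPath

# Check that the CA issued what was requested: the subject CN, the validity
# period, and the Server Authentication enhanced key usage the template adds.
certutil -dump $certPath | Select-String -Pattern "Subject:", "CN=", "NotAfter", "Server Authentication"
```

If the template is configured for manager approval, certreq prints a request ID and the files are not written; after the request is approved on the CA, certreq -retrieve with that ID and the same -config value fetches the certificate.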

Install the Web Site Certificate

Once the Web site certificate and CA certificate files have been downloaded from the Web enrollment site, the next step is to install these certificates on the Web server. The Web site certificate is installed first, followed by the CA certificate.

Perform the following steps to install the Web site certificate on the Web server:

    1. From the Start menu (or from the Control Panel), go to Administrative Tools and select Internet Information Services.

    2. In the IIS Manager console, expand the Web Sites node and select the Default Web Site node. Right click the Default Web Site node and select Properties from the pop-up menu. The Default Web Site Properties dialog is displayed.

    3. Select the Directory Security tab.

    4. On the Directory Security tab, click Server Certificate.

    5. Click Next on the Welcome to the Web Server Certificate Wizard page.

    6. On the Pending Certificate Request page, select the Process the pending request and install the certificate option and click Next.

    7. On the Process a Pending Request page, click the Browse button and locate the .cer file for the Web site certificate.

    8. On the SSL Port page, accept the default SSL port of 443. (You can specify a different port number as required. In any case, the port number is used later in the EdgeSight Agent configuration dialog, so make a note of it.) Click Next.

    9. On the Certificate Summary page, review your settings and click Next.

    10. Click Finish on the Completing the Web Server Certificate Wizard page.

    11. On the Directory Security tab, click View Certificate.

    12. In the Certificate dialog box, select the General tab. Note that the Issued to name is the common name you entered in the Web Server Certificate Wizard; confirm that it matches the name agents will use for the server. Notice that there is a red “X” on the certificate at the top of the dialog box.

    13. Select the Certification Path tab. Notice that there is a red “X” on the root CA. This indicates that the CA certificate of the root CA is not in the Trusted Root Certification Authorities list on the Web server. This problem will be fixed in the next procedure.

    14. Click OK in the Certificate dialog box.

    15. Click OK in the Default Web Site Properties dialog box.

Install the CA Certificate

The Root CA certificate must be installed in the Trusted Root Certification Authorities store on the Web server. This allows the Web server to trust the Web site certificate installed on the IIS Web site. The same import must also be performed on every client system that accesses the Web server, including each computer running an EdgeSight Agent, because an agent will not trust the server certificate until it trusts the CA that issued it. Anything placed in this store can vouch for any server name, so before importing, compare the certificate’s thumbprint with the value shown on the CA server itself (Certification Authority console, CA Properties, View Certificate, Details tab) rather than trusting a file that arrived over plain HTTP. Perform the following steps to install the root CA certificate into the computer’s certificate store:

    1. Click Start and then click the Run command.

    2. In the Run dialog box, enter mmc in the Open text box and click OK.

    3. In the Console1 window, select Add/Remove Snap-in from the File menu.

    4. In the Add/Remove Snap-in dialog, click Add.

    5. In the Add Standalone Snap-in dialog box, select the Certificates entry from the Snap-in list and click Add.

    6. On the Certificates snap-in page, select the Computer account option and click Next.

    7. On the Select Computer page, select the Local computer option and click Finish.

    8. Click Close in the Add Standalone Snap-in dialog box.

    9. Click OK in the Add/Remove Snap-in dialog box.

    10. Expand the Certificates node, then expand the Trusted Root Certification Authorities node and click on the Certificates node. Right-click on the Certificates node, select All Tasks and click Import.

    11. Click Next on the Welcome to the Certificate Import Wizard page.

    12. On the File to Import page, click Browse and locate the certnew.p7b file you downloaded from the Web enrollment site. Click Next.

    13. On the Certificate Store page, accept the default setting, Place all certificates in the following store, and click Next. Note that the wizard places every certificate in the .p7b file into the selected store, including the Web site certificate itself. It is cleaner to import only the CA certificate: export it from the CA, or select the root entry on the Certification Path tab in step 13 of the previous procedure and use View Certificate, Details, Copy to File. If you installed an Enterprise subordinate CA, its certificate belongs in the Intermediate Certification Authorities store, not in Trusted Root Certification Authorities.

    14. Click Finish on the Completing the Certificate Import page.

    15. Click OK in the Certificate Import Wizard dialog box informing you that the import was successful.
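The two preceding procedures (Install the Web Site Certificate and Install the CA Certificate) can be checked and, for the root store, repeated on each agent computer from the command line. This is an added example, not from the Citrix article; the CA configuration string and the file paths are assumptions. It shows the chain failing before the root is trusted (the red “X” on the Certification Path tab), exports the CA certificate directly from the CA, prints the thumbprint to compare against the CA console, imports it into the computer’s Trusted Root Certification Authorities store, and verifies the chain again:

```powershell
# Added example (not from the Citrix article). Run in an elevated prompt on the
# Web server; run the Root-store part on each agent computer as well.
# The configuration string and paths are assumptions.
$caConfig = "CA01\Example Enterprise Root CA"
$certPath = "C:\certnew.cer"      # issued Web site certificate
$rootPath = "C:\cacert.cer"       # CA certificate exported below

# Only for a request created with certreq -new (not the IIS wizard): bind the
# issued certificate to its private key in the machine store. A wizard-made
# request is completed with "Process the pending request" instead.
# certreq -accept $certPath

# Before the CA is trusted, chain building ends in
# CERT_E_UNTRUSTEDROOT (0x800b0109): the command-line view of the red X.
certutil -verify $certPath

# Export the CA's own certificate straight from the CA instead of trusting a
# file that arrived over plain HTTP.
certutil -config $caConfig -ca.cert $rootPath

# The SHA-1 hash printed here is the Thumbprint shown in the CA console
# (CA Properties, View Certificate, Details). Compare them before importing.
certutil -dump $rootPath | Select-String -Pattern "Cert Hash\(sha1\)"

# Import into the computer's Trusted Root Certification Authorities store;
# this is the command-line equivalent of the MMC import in the procedure above.
# For a subordinate CA certificate use the "CA" (Intermediate) store instead.
certutil -addstore Root $rootPath

# The chain now builds to a trusted root and no 0x800b0109 error is reported.
certutil -verify $certPath
```

Running certutil -addstore Root on every agent computer is usually only necessary for computers outside the domain: an enterprise CA publishes its certificate to Active Directory, and domain members normally receive it in their Trusted Root store automatically. Verify with certutil -store Root on an agent computer rather than assuming it.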

EdgeSight Agent Configuration

Note: This information only pertains to Citrix EdgeSight for Endpoints.

You must configure EdgeSight Agents to use SSL when communicating with EdgeSight Server. This configuration can be performed on existing agents or when installing new agents. Note that if SSL support is enabled, all agent to server communications must be over SSL. If an agent attempts to connect to an SSL-enabled server without using SSL, an error is generated.

Configuring Existing EdgeSight Agents to Use SSL

Use the Citrix System Monitoring Agent control panel applet to specify the use of SSL in the connection of existing EdgeSight Agents to the EdgeSight Server. This process must be performed on each computer running the EdgeSight Agent.

    1. Open the Control Panel.

    2. Open the Citrix System Monitoring Agent.

    3. Verify the address of the EdgeSight Server and the SSL port number. The address must be exactly the common name on the Web site certificate, and the port must be the SSL port selected in step 8 of Install the Web Site Certificate. Select the Use SSL encryption check box.

    4. Click OK.

Configuring New EdgeSight Agents to Use SSL

If you have not yet installed agents, you can specify that SSL is to be enabled during the agent installation process. When installing an EdgeSight Agent using the command line, set the CONNECTION_FLAGS argument to a value of 1 to enable SSL, and set SERVER_NAME to the common name on the Web site certificate, as shown in the following example:

Msiexec /i EdgeSightEPAgent.msi /l logfile.log /q COMPANY=Mycompany DEPARTMENT=Mydept SERVER_NAME=Myserver CONNECTION_FLAGS=1

If you are installing an agent through the user interface, select the Use SSL check box on the Network Settings screen.

For detailed installation instructions, see the Citrix EdgeSight Installation Guide.
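Before switching agents to SSL, it is worth confirming from an agent computer that the server certificate passes exactly the checks a client performs: the chain builds to a certificate in the Trusted Root Certification Authorities store, and the name on the certificate matches the name the agent will be given. The following is an added example, not from the Citrix article or the EdgeSight Agent; it assumes PowerShell 2.0 or later and .NET 2.0 (for System.Net.Security.SslStream), and the server name and port are assumptions. It performs the SSL handshake with the default certificate validation and reports the certificate or the reason validation failed:

```powershell
# Added example (not from the Citrix article). Run on a computer that will run
# the EdgeSight Agent. Server name and port are assumptions.
function Test-EdgeSightSsl {
    param(
        [string]$ServerName,   # must equal the common name on the certificate
        [int]$Port = 443       # the SSL port chosen in the IIS wizard
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($ServerName, $Port)
    # Default validation callback: the chain must end in a Trusted Root and the
    # certificate name must match $ServerName, the same checks an agent applies.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Handshake OK with $ServerName on port $Port"
        "Subject:    " + $cert.Subject
        "Issuer:     " + $cert.Issuer
        "Expires:    " + $cert.NotAfter
        "Thumbprint: " + $cert.Thumbprint
        return $true
    } catch [System.Security.Authentication.AuthenticationException] {
        "Certificate validation FAILED: " + $_.Exception.Message
        "Check that the common name equals '$ServerName' and that the root CA"
        "certificate is in Trusted Root Certification Authorities on this computer."
        return $false
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

# Use the exact value that will go into the agent control panel or SERVER_NAME.
Test-EdgeSightSsl -ServerName "edgesight.example.com" -Port 443
```

A failure here will reproduce as the agent error mentioned above once CONNECTION_FLAGS=1 or Use SSL encryption is set, so fix the name or the root store first and re-run the test.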

More Information

CTX111114 – How to Enable SSL on the EdgeSight Monitoring Agent After Installation
