Summary
This article describes how to install an intermediate certificate on Access Gateway Enterprise Edition.
Requirements
You should have already successfully installed and bound a certificate/key pair to a virtual server running on the Access Gateway. Details on performing this step can be found in CTX112724 – Citrix Access Gateway Enterprise Edition Administrator's Guide.
Background
Many Certificate Authorities (CAs) such as VeriSign use a complex certificate signing hierarchy. This means that the certificate chain is as follows:
rootCA (root CA)
|
+----------- MyIntermediateCert (intermediate CA)
|
+----------------------- MyServerCert (end-entity (server) certificate)
If the intermediate certificates are not included in the clients' keystore, clients accessing the Access Gateway may be warned that the certificate presented by the device they are accessing is not trusted. You can overcome this by configuring the Access Gateway to present the intermediate certificates along with the server certificate during the SSL handshake.
Procedure
You can perform this procedure using either the command line or the GUI.
Through the command line:
1. Using a file transfer tool such as WinSCP, transfer the applicable intermediate certificates to the /nsconfig/ssl directory on the Access Gateway.
2. Add the certificate using the following command:
add ssl certkey <certificate_name> -cert <cert_filename>
For example:
add ssl certkey MyIntermediateCert -cert intermediate.crt
3. Link your signed server certificate to the intermediate certificate that signed the server certificate using the following command:
link ssl certKey MyServerCert MyIntermediateCert
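Before running the link command in step 3, you can confirm on an administrative workstation that the uploaded file really is the CA certificate that signed the server certificate. The following is an added example, not part of the original Citrix article. It assumes the OpenSSL command-line tool (1.1.0 or later) is installed, and every file name and certificate subject in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Citrix code): confirm which CA file really signed the server
# certificate before running "link ssl certKey". All names here are constructed.

# issued_by <server.crt> <ca.crt>: succeeds only if <ca.crt> is a CA certificate
# whose key signed <server.crt>. -partial_chain lets the intermediate act as the
# trust anchor, so the root is not needed; -no-CApath keeps the system trust
# directory out of the decision (OpenSSL 1.1.0 or later).
issued_by() {
    openssl verify -partial_chain -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_chain <dir>: build a throwaway root -> intermediate -> server
# hierarchy plus an unrelated CA, mirroring the diagram in the Background section.
make_demo_chain() {
    (
        set -e
        cd "$1"
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Root CA" -keyout root.key -out root.crt
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed Intermediate CA" \
            -keyout intermediate.key -out intermediate.csr
        openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -extfile ca.ext -days 2 -out intermediate.crt
        openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
            -keyout server.key -out server.csr
        openssl x509 -req -in server.csr -CA intermediate.crt \
            -CAkey intermediate.key -CAcreateserial -days 2 -out server.crt
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Unrelated CA" -keyout other.key -out other.crt
    ) >/dev/null 2>&1
}

# Demonstration: only intermediate.crt should be reported as safe to link.
demo=$(mktemp -d)
make_demo_chain "$demo"
for ca in intermediate.crt other.crt; do
    if issued_by "$demo/server.crt" "$demo/$ca"; then
        echo "$ca signed server.crt: safe to link"
    else
        echo "$ca did not sign server.crt: do not link"
    fi
done
rm -rf "$demo"
```

With real files, call issued_by with your server certificate and the intermediate certificate you transferred in step 1; a non-zero exit status means the two should not be linked.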
Through the GUI:
1. Log on to the Configuration Utility and navigate to SSL > Certificates.
2. Click Add and type a certificate name and the location of the certificate installed on your client system. The Key Filename and Password fields are not required. Refer to the following screen shot:

3. Once the intermediate certificate has been installed, link the server certificate to the intermediate certificate. Select your server certificate from the list of installed certificates, click Link, and choose the intermediate certificate you wish to link to. Refer to the following screen shot:
