This article contains information about installing an intermediate certificate on an Access Gateway Enterprise Edition appliance.
Experience in installing and binding a certificate-key pair to a virtual server (VServer) on an Access Gateway appliance is helpful for this task. Refer to the Knowledge Center article CTX112724 – Citrix Access Gateway Enterprise Edition Administrator's Guide for detailed instructions about installing and binding a certificate-key pair to a VServer.
Many Certificate Authorities (CAs), such as VeriSign, use a complex certificate hierarchy. This means that the certificates form a chain similar to the following:
Root CA
 |
 +--- Intermediate CA
       |
       +--- End-Entity (Server) Certificate
If the intermediate certificates are not included in the key store of the clients, the Web browsers of clients accessing the Access Gateway appliance might display a warning stating that the certificate presented by the device is not trusted. You can resolve this issue by configuring the Access Gateway appliance to present the intermediate certificates along with the server certificate during the Secure Sockets Layer (SSL) handshake.
For some Certificate Authorities, the Intermediate CA is split into a Primary and a Secondary Intermediate CA. In this case, the certificates form a chain similar to the following:
Root CA
 |
 +--- Primary Intermediate CA
       |
       +--- Secondary Intermediate CA
             |
             +--- End-Entity (Server) Certificate
To install an intermediate certificate on an Access Gateway Enterprise Edition appliance, complete the following procedure:
Using a secure file transfer utility such as WinSCP, transfer the intermediate certificate to the /nsconfig/ssl directory of the Access Gateway Enterprise Edition appliance.
Log on to the Configuration utility of the appliance.
Expand the SSL node.
Click Certificates.
On the SSL Certificates page, click Add.
Specify the appropriate values in the various fields of the Install Certificate dialog box. The following screenshot displays the sample values for your reference:
Click Install.
On the SSL Certificates page, select the server certificate to which you want to link the intermediate certificate.
If there are both primary and secondary intermediate certificates, link the server certificate to the secondary intermediate certificate. The secondary intermediate certificate later needs to be linked to the primary intermediate certificate.
Click Link.
From the CA Certificate Name list, select the required intermediate certificate, as shown in the following screen shot:
Click OK.
To install an intermediate certificate from the command line interface of an Access Gateway Enterprise Edition appliance, complete the following procedure:
Using a secure file transfer utility, such as WinSCP, transfer the intermediate certificate to the /nsconfig/ssl directory of the Access Gateway Enterprise Edition appliance.
Connect to the appliance by using an SSH utility.
Run the following command to add the certificate:
add ssl certkey <Certificate_Name> -cert <Cert_File_Name>
Run the following command to link the signed server certificate to the intermediate certificate:
link ssl certKey <Server_Certificate_Name> <Intermediate_Certificate_Name>
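The trust failure described above, where a client holds the root but not the intermediate, can be reproduced offline with OpenSSL. The following is an added example, not part of the original article; the CA names, host name and file names are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo PKI (all names made up): Root CA -> Intermediate CA -> server.
build_chain() {                       # $1 = empty working directory
  local d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root: the only certificate in the client's trust store.
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA certificate, signed by the root.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/pki.cnf" -extensions v3_ca \
    -out "$d/inter.pem" 2>/dev/null || return 1
  # Server (end-entity) certificate, signed by the intermediate.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=gateway.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null || return 1
}

# Handshake carries only the server certificate (intermediate not linked).
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Handshake also carries the intermediate; -untrusted marks it as peer-supplied.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/server.pem" >/dev/null 2>&1
}

demo=$(mktemp -d) && build_chain "$demo" || exit 1
if verify_leaf_only "$demo"; then echo "leaf only: trusted"
else echo "leaf only: NOT trusted (issuer unknown to client)"; fi
if verify_with_intermediate "$demo"; then echo "leaf + intermediate: trusted"
else echo "leaf + intermediate: NOT trusted"; fi
rm -rf "$demo"
```

To check the appliance itself after linking, `openssl s_client -connect <gateway_fqdn>:443 -showcerts` lists the certificates actually sent in the handshake; the intermediate should appear after the server certificate.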