This article describes how to generate the files that are sent to a Trusted Certificate Authority (CA) to obtain a valid SSL certificate for the VDI-in-a-Box appliance. The steps in this article apply to VDI-in-a-Box 5.0, 5.1, and 5.2.
Note: In version 5.3, VDI-in-a-Box introduced a web-based interface to manage SSL certificates. More information on this UI can be found in the VDI-in-a-Box section of edocs.citrix.com under Manage SSL Certificates.
VDI-in-a-Box 5.0 or newer server
SSH utility like PuTTY or SecureCRT
SFTP utility like WinSCP, scp or FileZilla
The VDI-in-a-Box appliance ships with a self-signed SSL Certificate that is not trusted by Web browsers and devices. The experience varies by Web browser, but the best user experience is achieved by installing a valid and trusted SSL Certificate. Along with a better user experience, a trusted SSL Certificate can also overcome some connectivity issues with the Citrix Receiver in certain types of environments.
Download and unzip the attached file.
Use the SFTP utility (such as FileZilla) to copy the two script files to /home/kvm/kvm directory on the VDI-in-a-Box appliance.
Execute the following two commands from /home/kvm/kvm folder:
The command cd /home/kvm/kvm ensures that you are in the right place to perform the following steps:
chmod 777 sslcertrequest.sh
chmod 777 sslcertimport.sh
Run the scripts using the following syntax:
This action creates a certificate request file certreq.csr and stores it under /home/kvm/kvm/vdimgrkeystore folder. You can give this certreq.csr file to your CA to get the certificates in the .crt format.
Save the .crt file to /home/kvm/kvm/vdimgrkeystore and then run the second script:
This action imports the certificates into the keystore. Be sure to back up your current keystore before replacing it with the new keystore that contains all your certificates. At the end of the script, Tomcat is restarted and you can test the website using the same FQDN for which you generated the certificate request, without any certificate related errors.
Note: Having two keystorePass lines in the server.xml file might cause Tomcat to fail when starting. Ensure there is only one instance of keystorePass. For VDI-in-a-Box 5.2 or later, you must remove the extra line after running sslcertimport.sh.
Sample server.xml (the two keystorePass attributes are the problem):

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
        ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
        keystoreFile="conf/.keystore" keystorePass="citrix"
        keystorePass="changeit"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>
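As an added example (not part of the Citrix article), this Python snippet checks a server.xml for the duplicate-attribute problem described in the note: it lists any attribute that appears twice on a Connector, shows that a real XML parser rejects such a file (which is why Tomcat fails to start), and removes every keystorePass whose value is not the password you actually set on the keystore. The server.xml text below is a constructed copy of the sample above with a shortened cipher list; the password values are the sample's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input modelled on the sample above (cipher list shortened).
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server>
  <Service>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="conf/.keystore" keystorePass="citrix"
               keystorePass="changeit"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>
  </Service>
</Server>
"""

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")      # whole start tag, may span lines
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')          # name="value" pairs inside it

def duplicate_attributes(xml_text):
    """Return [(line_no, [attr, ...])] for every Connector with a repeated attribute."""
    problems = []
    for m in CONNECTOR_RE.finditer(xml_text):
        names = [name for name, _ in ATTR_RE.findall(m.group())]
        dups = sorted({n for n in names if names.count(n) > 1})
        if dups:
            problems.append((xml_text.count("\n", 0, m.start()) + 1, dups))
    return problems

def keep_one(xml_text, attr, keep_value):
    """On each Connector, drop every `attr` whose value is not keep_value."""
    pattern = re.compile(rf'\s*\b{attr}\b\s*=\s*"(?!{re.escape(keep_value)}")[^"]*"')
    return CONNECTOR_RE.sub(lambda m: pattern.sub("", m.group()), xml_text)

def parses(xml_text):
    """True if a strict XML parser accepts the file (duplicate attributes are rejected)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```

Run it on the real /home/kvm/kvm/... server.xml path of your appliance after sslcertimport.sh, passing the keystore password you chose as keep_value.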
Windows users might use utilities such as PuTTY or SecureCRT to SSH into the console. Macintosh and Linux users can use the built-in Terminal application to start SSH sessions.
Open the SSH application or Terminal instance.
Connect to the VDI-in-a-Box appliance using the DNS name or IP address. Use the default credentials:
kvm / kaviza123
This section covers the steps required to generate the files that will be sent to the Trusted CA. These files will be created using the Java keytool. Refer to http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html for more information about this utility.
Use the mkdir utility to create a keystore directory in /home/kvm:
Use the cd utility to change to the keystore directory:
Use the keytool utility to generate a private key on the VDI-in-a-Box virtual appliance. Replace hostname in the alias option with your VDI-in-a-Box server hostname:
keytool -genkey -alias hostname -keyalg RSA -keysize 2048 -keystore kmgr.keystore
Select a password and confirm the same (must be at least 6 characters).
Fill in the required fields and press Enter after each line. When prompted to confirm the information, type Yes and then press Enter.
Note: The first item, “What is your first and last name?” is equivalent to the Common Name (CN) field in other key generation tools. This must be in the form of a valid hostname (such as vdi.company.com); otherwise, the Trusted CA rejects the Certificate Signing Request (CSR).
Press Enter to use the same password set in Step 2.
Run the keytool utility again to create a CSR. This file will be saved to the current directory (/home/kvm/kvm/keystore) and will be sent to the Trusted CA. Replace hostname in the alias option with your VDI-in-a-Box server hostname:
keytool -certreq -alias hostname -file kmgr.csr -keystore kmgr.keystore
Type the keystore password set in the preceding section.
Use the ls utility to verify both kmgr.csr and kmgr.keystore files exist.
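As an added example (not part of the Citrix article), the following Python checks a keytool-generated CSR before it goes to the CA: it decodes the PEM, walks the DER structure to pull out the subject Common Name, and verifies that the CN is a syntactically valid FQDN as the note above requires. The CSR bytes used here are constructed in the script itself, with placeholder key and signature fields because only the subject is inspected; hostnames and the organization name are made up.

```python
import base64
import re

CN_OID = b"\x55\x04\x03"   # 2.5.4.3 commonName
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed DER body into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def csr_common_name(pem):
    """Return the subject CN of a PKCS#10 CSR in PEM form (what keytool -certreq writes)."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, req, _ = read_tlv(base64.b64decode(b64), 0)     # CertificationRequest
    info = children(req)[0][1]                           # CertificationRequestInfo
    subject = children(info)[1][1]                       # Name, after the version INTEGER
    for _, rdn_set in children(subject):
        for _, atv in children(rdn_set):
            oid, value = children(atv)
            if oid[1] == CN_OID:
                return value[1].decode("utf-8")          # PrintableString or UTF8String
    return None

def is_valid_fqdn(name):
    """Hostname-shaped CN: dotted DNS labels, no spaces, no leading/trailing '-'."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

# --- constructed sample CSR: real subject, placeholder key and signature ---
def der(tag, body):   # short-form length only; enough for the small sample
    return bytes([tag, len(body)]) + body

def rdn(oid, text):   # SET { SEQUENCE { OID, UTF8String } }
    return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, text.encode())))

def build_sample_csr(cn):
    subject = der(0x30, rdn(CN_OID, cn) + rdn(b"\x55\x04\x0a", "Example Corp"))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00"))           # empty key, placeholder
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, b""))
    req = der(0x30, info + alg + der(0x03, b"\x00" * 9))  # unsigned placeholder
    b64 = base64.b64encode(req).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real request, read /home/kvm/kvm/keystore/kmgr.csr into csr_common_name and pass the result to is_valid_fqdn; a False means the CA will most likely reject the request.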
Download and install your favorite SFTP utility, such as WinSCP or FileZilla.
There are many free utilities available and FileZilla is used in this example.
Connect using the SFTP protocol to the VDI-in-a-Box virtual appliance IP address or hostname.
Use the credentials: kvm / kaviza123
Browse to the /home/kvm/kvm/keystore directory on the VDI-in-a-Box server and copy the kmgr.csr file to your local computer.
Requesting an SSL Certificate from a Trusted CA
A valid SSL Certificate can be obtained from most Trusted CAs. Each CA and certificate has a different chain; most of them include intermediate certificates in order to complete the chain. The list of CAs includes, but is not limited to, GoDaddy, GeoTrust, VeriSign, Thawte, and DigiCert.
The SSL Certificate instructions are different for each CA. Refer to the CA documentation on how to upload a CSR and download an SSL Certificate. Most CAs allow customers to either upload the CSR file or paste the contents of the CSR file into an upload window.
The following screen shot shows what a kmgr.csr file looks like in a text editor: