How to Use IIS to Acquire SSL Certificates for XenServer or Citrix Hypervisor

Article ID: CTX128617

Description

This article describes how to create a certificate in IIS and transfer it to a XenServer or Citrix Hypervisor server. This article applies to Citrix Hypervisor 8.1 or earlier.


Instructions

To enable trusted SSL communication for XenServer management through XenCenter, XenDesktop, or any other product, a trusted certificate is required on the XenServer host.

  • For Citrix Hypervisor 8.2 and later, do not follow this article. Instead create a separate certificate and key file and use XenCenter or the xe CLI to install the certificate on your server. For more information, see Install a TLS certificate on your server in the product documentation.
  • For earlier versions of XenServer, you can use the method described in this article to create a certificate. Note that these steps are not recommended or supported.

Complete the following steps:
 

Create the certificate (Citrix Hypervisor 8.1 and earlier)

  1. Create a site in IIS for requesting or creating certificates.

  2. Create a new request for a certificate.


  3. If you have an online Certificate Authority (CA), select Send the request immediately to an online certification authority.

  4. Type the hostname of the XenServer.

  5. Enter an Organization name and Organizational unit.

  6. The Common name must match the name clients use to connect to the server (the host name or FQDN entered in XenCenter, XenDesktop, and so on); a mismatch produces a certificate warning on every connection. Current browsers and many TLS libraries validate the Subject Alternative Name and ignore the Common Name, so if your CA template permits it, include the same host name as a DNS Subject Alternative Name as well.

  7. Enter the appropriate Country/Region, State/province, and City/locality.

  8. Enter the SSL port (443 by default). This value only sets the binding of the IIS site; it is not recorded in the certificate.

  9. Select the CA to process the request. Ensure you have appropriate rights to submit the request to the CA.

  10. Verify request details.

  11. Once the CA has issued the certificate and it is installed on the IIS site, click View Certificate, open the Details tab, and click Copy to File.

  12. The Certificate Export Wizard begins.

  13. Select Yes, export the private key.

  14. Select Include all certificates in the certification path if possible (so that any intermediate CA certificates are exported with the server certificate) and Enable strong protection.

  15. Enter a password for the export. REMEMBER THIS PASSWORD. It is required when converting the certificate in OpenSSL.

  16. Save the file.

  17. Click Finish on the final screen.

  18. Download and install OpenSSL:
    • You can use the open-source utility OpenSSL to perform the conversion from PFX to PEM. You can download a Windows 32-bit distribution of OpenSSL here: Win32 OpenSSL.
    • You might also need the Microsoft Visual C++ redistributable files, available from Microsoft downloads, before OpenSSL runs.
    • Alternatively, copy the PFX file to the XenServer host and run the conversion there: the dom0 command line already includes openssl.
  19. Once OpenSSL is installed, convert the previously exported PFX file. Here is an example command on the openssl command line: pkcs12 -in <pfx-file-location> -out c:\xenserver2.pem -nodes
    Enter the export password from step 15 when prompted. The -nodes option writes the private key unencrypted, which is required because the XenServer SSL service cannot prompt for a passphrase when it starts. Do not add -nocerts: that option writes the private key alone, and xapi-ssl.pem must contain both the private key and the certificate (plus any intermediate certificates that were exported).
This gives you a PEM file at c:\xenserver2.pem. This is the file you must import into XenServer. Because the private key in it is not password-protected, handle the file as you would the key itself.

Install the certificate on your Citrix Hypervisor server (Citrix Hypervisor 8.1 and earlier)

This procedure overwrites the existing certificate on the XenServer or Citrix Hypervisor server. The method is not officially supported. Keep console or SSH access to the host while you follow it: if XenCenter rejects the new certificate, you need that access to restore the original file.

To transfer the certificate file to XenServer, use WinSCP. A portable version is available for download here: http://portableapps.com/apps/internet/winscp_portable

  1. Open WinSCP and start an SCP or SFTP session to your XenServer as root.

  2. In the left pane, browse to the folder containing your PEM certificate; in the right pane, browse to /etc/xensource on the XenServer.

  3. xapi-ssl.pem is the certificate (and private key) currently in use on your XenServer. Rename this file to something like “xapi-ssl.pem.original” so that you can restore it if the new certificate does not work.

  4. To copy your new certificate, drag your PEM certificate from the left pane into the right pane and confirm the transfer when prompted.

  5. Rename the copied PEM file to “xapi-ssl.pem”.

  6. For security, set the file's permissions so that only root can read it (owner root, owner read-only, mode 0400): the file contains the unencrypted private key. In WinSCP, right-click the file and choose Properties.

  7. From the XenServer console, restart the xapissl service (service xapissl restart). If clients still receive the old certificate afterwards, restart the toolstack with xe-toolstack-restart.

  8. Browse to https://<your XenServer host name> and inspect the certificate the browser presents: the subject should match the name from step 6 of the certificate creation section and the issuer should be your CA. XenCenter should then connect without a certificate warning.
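The conversion check from step 19 and the installation steps above, as an added shell example for the dom0 console (this is not part of the original article and not Citrix tooling). It assumes the stock certificate path /etc/xensource/xapi-ssl.pem and the xapissl service name used in this article; the install and restart steps need root on the host, and the key-match check uses the openssl binary that dom0 ships. The structural check catches the two common conversion mistakes (a PEM produced with -nocerts, or one whose key is still passphrase-protected) before anything on the host is touched.

```bash
#!/bin/bash
# Validate a converted PEM and install it as the XenServer / Citrix Hypervisor
# (8.1 or earlier) management certificate. Added example, not Citrix tooling.
# Run in dom0 as root. Assumed path and service name (see lead-in):
XAPI_PEM=/etc/xensource/xapi-ssl.pem

# pem_has_key_and_cert FILE -> 0 if FILE holds an unencrypted private key AND
# a certificate, 1 otherwise. A PFX converted with "-nocerts" has the key only;
# one converted without "-nodes" has a passphrase-protected key, which the
# service cannot use because nothing is there to type the passphrase.
pem_has_key_and_cert() {
    local f=$1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || return 1
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 1
    grep -q -- 'Proc-Type: 4,ENCRYPTED' "$f" && return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    return 0
}

# pem_key_matches_cert FILE -> 0 when the public half of the private key equals
# the public key inside the certificate, i.e. the PFX was exported with the
# right key. openssl picks the matching PEM block out of the combined file.
pem_key_matches_cert() {
    local f=$1 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_cn FILE -> the certificate's Common Name, to compare with the host name
# XenCenter and other clients use when they connect.
pem_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# install_xapi_cert NEW_PEM: back up the current certificate, install the new
# one readable by root only, and restart the SSL service so it is served.
install_xapi_cert() {
    local new=$1
    pem_has_key_and_cert "$new" || {
        echo "$new: need an unencrypted private key AND a certificate" >&2; return 1; }
    pem_key_matches_cert "$new" || {
        echo "$new: private key does not match the certificate" >&2; return 1; }
    echo "installing certificate for CN=$(pem_cn "$new")"
    # Keep the original once; if clients reject the new file, copy it back.
    [ -f "$XAPI_PEM.original" ] || cp -p "$XAPI_PEM" "$XAPI_PEM.original"
    # The file carries the private key: owner root, read-only, mode 0400.
    install -o root -g root -m 0400 "$new" "$XAPI_PEM"
    service xapissl restart
}

# Usage on a host, after copying the converted file into dom0:
#   install_xapi_cert /root/xenserver2.pem
```

If the restart leaves clients seeing the old certificate, run xe-toolstack-restart as well; and if anything goes wrong, copying xapi-ssl.pem.original back over xapi-ssl.pem and restarting the service returns the host to its previous state.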

Additional Information

This procedure can be useful when you rebuild a server. Archiving the PFX and PEM files lets you rebuild a XenServer and replace the SSL certificate immediately, without repeating the request process. Both files contain the private key (the PEM in unencrypted form), so store them where only administrators can read them.