How to Use OpenSSL with a Windows Certificate Authority to Generate TLS Certificates to use with XenServer

Article ID: CTX128656

Description

This article describes how to create a certificate using OpenSSL in combination with a Windows Certificate Authority that can be used with a XenServer 7.1 CU2 or XenServer 7.0 host.

To enable trusted TLS communication between Citrix Hypervisor and Citrix Virtual Apps and Desktops, a trusted certificate is required on the Citrix Hypervisor host.

  • For Citrix Hypervisor 8.2 and later, do not follow this article. Instead create a separate certificate and key file and use XenCenter or the xe CLI to install the certificate on your server. For more information, see Install a TLS certificate on your server in the product documentation.
  • For earlier versions of XenServer, you can use the method described in this article to create a certificate. This method is similar to CTX128617 - How to Use IIS to Acquire SSL Certificates for XenServer, except OpenSSL is used to generate the certificate requests. Note that these steps are not recommended or supported.

This method can be scripted to easily replace certificates after expiration, and also gives the ability to store the certificate key pair. If a Citrix Hypervisor server requires rebuilding, there is no need to repeat the request process. Simply upload the archived key pair to the server.

The following steps simulate creating a certificate for a Citrix Hypervisor server named “server1” in the domain “domain.com”. The Certificate Authority is named CA1 on server DOMAINCA. The password used for the private key pair is “citrixpass”.


Instructions

Following are the requirements:

Complete the following procedure:

  1. Install OpenSSL on a workstation or server. Ensure that the user performing the certificate request has adequate permissions to request and issue certificates.

  2. Create a configuration file (req.conf) for the certificate request:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    CN = server1.example.com
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = server1.example.com

    Ensure there is no whitespace at the end of the lines. Adjust Common Name, Organization, Country, State, and Location to reflect your information. If you want to verify your certificate through a browser, ensure that you include the server hostname as a Subject Alternative Name (SAN).

  3. Create the certificate request and private key:

    openssl req -newkey rsa:2048 -keyout server1prvkey.pem -nodes -out server1.req -config req.conf

    For more specifics on creating the request, refer to OpenSSL req commands.

  4. Submit the request to the Windows Certificate Authority using CertReq:

    certreq -submit -binary -attrib "CertificateTemplate:WebServer" -config DOMAINCA\CA1 server1.req server1.cer

    Windows Certificate Authorities only export certificates in Base64 or binary (DER) encoding. Base64 is the default, so binary encoding requires the extra switch -binary.
    For full CertReq syntax, refer to the CertReq Command Line Reference.

  5. Convert the issued DER certificate to PEM format:

    openssl x509 -inform der -in server1.cer -out server1.pem

  6. Merge the issued certificate and private key into PKCS#12 format:

    openssl pkcs12 -export -inkey server1prvkey.pem -in server1.pem -out server1.pfx -passout pass:citrixpass

  7. Convert the PKCS#12 key pair into a PEM key pair for importing into XenServer:

    openssl pkcs12 -in server1.pfx -out server1keypair.pem -nodes -password pass:citrixpass

  8. For Citrix Hypervisor 8.1 and earlier, there is no supported mechanism for installing new certificates in the Citrix Hypervisor server. You can follow the steps in CTX128617 - How to Use IIS to Acquire SSL Certificates for XenServer, but these steps are not recommended or supported.
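When this procedure is scripted, the two things that most often go wrong silently are the req.conf rules from step 2 (trailing whitespace, the hostname missing from the SAN list) and the merged PEM from step 7 (key still encrypted, or a certificate block missing). The following Python is an added example, not part of the original article or of Citrix's tooling; it checks both files offline using only the standard library, with constructed sample inputs that stand in for req.conf and server1keypair.pem.

```python
import configparser
import re

# One PEM block; the backreference forces the BEGIN and END labels to match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample req.conf, with a deliberate trailing space on the CN line (line 5).
SAMPLE_CONF = ("[req]\ndistinguished_name = req_distinguished_name\nprompt = no\n"
               "[req_distinguished_name]\nCN = server1.example.com \n"
               "[alt_names]\nDNS.1 = server1.example.com\n")

# Constructed stand-in for server1keypair.pem; the bodies are placeholders, not key material.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
"""

def lint_req_conf(text):
    """Problems in an OpenSSL req config: trailing whitespace, missing CN, CN not in the SAN list."""
    problems = [f"line {n}: trailing whitespace"
                for n, line in enumerate(text.splitlines(), 1) if line != line.rstrip()]
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so CN and DNS.1 are looked up as written
    cp.read_string(text)
    cn = cp.get("req_distinguished_name", "CN", fallback=None)
    if not cn:
        problems.append("no CN in [req_distinguished_name]")
    sans = [v for _, v in cp.items("alt_names")] if cp.has_section("alt_names") else []
    if cn and cn not in sans:
        problems.append(f"CN {cn} is not listed under [alt_names]")
    return problems

def check_keypair_pem(text):
    """Check the merged PEM from step 7: one unencrypted private key plus a certificate."""
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    problems = []
    if sum(k.endswith("PRIVATE KEY") for k in kinds) != 1:
        problems.append(f"expected exactly one private key block, found {kinds}")
    if "CERTIFICATE" not in kinds:
        problems.append("no CERTIFICATE block found")
    if "ENCRYPTED PRIVATE KEY" in kinds:
        problems.append("private key is still encrypted; step 7 must use -nodes")
    return problems
```

In a wrapper script, call lint_req_conf on the contents of req.conf before step 3 and check_keypair_pem on server1keypair.pem after step 7, and stop if either returns a non-empty list.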

Issue/Introduction

This article describes how to create a certificate using OpenSSL in combination with a Windows Certificate Authority that can be used on a XenServer host.
