How to Manually Create and Install Self-Signed Server and Root Certificate Authority Test Certificates Using a Public Key Size Greater than 512 Bits

Article ID: CTX129243

Description

This article describes how to manually create and install self-signed Server and Root CA test certificates using a Public Key Size greater than 512 bits for implementation between Access Gateway Enterprise Edition, Web Interface, and Presentation Server.
The GUI on the Access Gateway has a tool for creating and installing self-signed test Server and Root CA Certificates available under:

SSL >> SSL Certificates >> Create and Install a Server Test Certificate:

When this link is selected, the Access Gateway prompts the user for a Certificate File Name and a Fully Qualified Domain Name:

After the requested information is provided, the Access Gateway creates the following seven files under the /nsconfig/ssl directory:

Server Certificate files:

  • Private Key of the server certificate: company.example.cer.key

  • CSR of the server certificate: company.example.cer.req

  • Server certificate: company.example.cer.cert

Certificate Authority (CA) files:

  • Private Key of the Root CA certificate: company.example.cer-root.key

  • CSR of the Root CA certificate: company.example.cer-root.req

  • Root CA certificate: company.example.cer-root.cert

  • Serial Number of the Certificate: CAserial

The new self-signed/test server certificate will be displayed under SSL > Certificates:

The limitation of these six files is that their Public Key Size is 512 bits. You can verify this in the GUI by going to SSL >> Certificates, highlighting the certificate (for example, company.example.cer) and clicking Details:

For implementation between the Access Gateway Enterprise Edition, Web Interface and Presentation Server the minimum Public Key Size supported is 1024 bits.
The following procedure describes the steps needed to manually create and install self-signed server and root CA test certificates for the FQDN company.example.com using a Public Key Size greater than 512 bits.

Note: Certificates created with this procedure are not suitable for use with a virtual server on NetScaler Gateway because of enhanced security in the current versions of the Citrix Receiver for all platforms. See CTX101990 - Error: Server certificate received is not trusted (SSL Error 61).

Instructions

The following are the prerequisites:

  • Access to the Access Gateway Enterprise Edition’s Graphical User Interface (GUI)

  • WinSCP or equivalent secure file transfer application

  • The Access Gateway must have an appropriate license installed for Enterprise or Platinum Edition.

Complete the following procedures:

  1. Create ROOT CA files: Private Key, Certificate Signing Request (CSR) and ROOT CA Certificate

  2. Create SERVER Files: Private Key, Certificate Signing Request (CSR) and Server Certificate

  3. ROOT CA certificate Installation on Web Interface server and the Client PC testing the connection

  4. Add the Certificates snap-in for the Local Computer account

Create ROOT CA files: Private Key, Certificate Signing Request (CSR) and ROOT CA Certificate

ROOT CA Private Key

  1. From the GUI, go to SSL > SSL Keys > Create RSA Key. Enter the information for:
    Key Filename*
    Key Size (bits)* (Enter 1024)

  2. Select Create and then Close.
ROOT CA Certificate Signing Request (CSR)

  1. From the GUI, go to SSL > SSL Certificates > Create Certificate Request.

  2. Enter the information for:
    Request File Name*
    Key File Name* (Click Browse… and select the private key created in the previous step)

  3. Enter the information under Distinguished Name Fields to reflect a ROOT CA Certificate (refer to the following screenshot).

  4. Select Create and then Close.

ROOT CA Certificate

  1. From the GUI, go to SSL > SSL Certificates > Create Certificate.

  2. Enter the information for:
    Certificate File Name*
    Certificate Type (make sure ROOT-CA is selected)
    Certificate Request File Name* (Click Browse… and select the CSR created in the previous step)
    Key File Name* (Click Browse… and select the private key created previously)

  3. Select Create and then Close.

Create SERVER Files: Private Key, Certificate Signing Request (CSR) and Server Certificate

Server Private Key

  1. From the GUI, go to SSL > SSL Keys > Create RSA Key. Enter the information for:
    Key Filename*
    Key Size (bits)* (Enter 1024)

  2. Select Create and then Close.

Server Certificate Signing Request (CSR)

  1. From the GUI, go to SSL > SSL Certificates > Create Certificate Request.

  2. Enter the information for:
    Request File Name*
    Key File Name* (Click Browse… and select the private key created in the previous step)

  3. Enter the information under Distinguished Name Fields to reflect a Server Certificate (refer to the following screenshot).

  4. Select Create and then Close.

Server Certificate

  1. From the GUI, go to SSL > SSL Certificates > Create Certificate.

  2. Enter the information for:
    Certificate File Name*
    Certificate Type (make sure Server is selected)
    Certificate Request File Name* (Click Browse… and select the Server CSR created in the previous step)
    CA Certificate File Name* (Click Browse… and select the ROOT CA Certificate created previously)
    CA Key File Name* (Click Browse… and select the ROOT CA Private Key created previously)
    CA Serial Number File* (Click Browse… and select the CAserial file if it is present on the appliance, or otherwise the file ns-root.srl)

    *The CAserial file is created when the Create and Install a Server Test Certificate tool is used.

    If the CAserial file is not present, select the file ns-root.srl, which is included by default on any appliance.

  3. Select Install and then Close.

Install the Server Certificate on the NetScaler

  1. From the GUI, go to SSL > Certificates and click Add.

  2. Enter the information for:
    Certificate-Key Pair Name*
    Certificate Request File Name* (Click Browse… and select the Server Certificate created previously)
    Private Key File Name* (Click Browse… and select the Server Private Key created previously)

  3. Select Install and then Close.

Export the ROOT CA file

  1. From the GUI, go to SSL > Tools > Manage Certificates / Keys / CSRs > Select the Root CA certificate (company.example_ROOT.cer) > Download and save the file on your local PC.

  2. Select Close.

ROOT CA certificate Installation on Web Interface server and the Client PC testing the connection

  1. Download or copy the ROOT CA certificate used to generate the Access Gateway SSL certificate to the desktop of the server running the Web Interface and of the Client PC testing the connection.
    *Do not double-click the ROOT CA file to import the certificate, because this only imports the certificate for the current user. The certificate must be trusted by the Local Computer account.

  2. On the server running the Web Interface and the Client PC, run mmc.exe.
    (Start > Run > mmc.exe)

Add the Certificates snap-in for the Local Computer account

  1. Go to File > Add/Remove Snap-in.

  2. Click Add and under Add Standalone Snap-in select Certificates and then select Add.

  3. Select Computer Account and click Next, then click Finish.

  4. Close the Add Standalone Snap-in window and on the Add/Remove Snap-in window click OK.

  5. Go to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. Right-click the Certificates and click All Tasks > Import.

  6. Follow the instructions of the Certificate Import Wizard to locate the CA ROOT certificate on the desktop and close the MMC snap-in after importing completes.

  7. Verify the certificate trust and name resolution by pointing a web browser to the Fully Qualified Domain Name (FQDN) entered on the Server certificate (https://company.example.com).

    The Access Gateway logon page should appear without any certificate errors or warnings.
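The same ROOT CA and server files built from the command line with openssl, as an added example that is not part of the article or the appliance's own tooling. The file names (root.key, server.cert, CAserial in a directory of your choice), the Distinguished Name values and the 2048-bit default are constructed for this example; the minimum of 1024 bits comes from the article. The check at the end mirrors the Details view's key size and the browser trust test in step 7.

```shell
#!/bin/sh
# Added example: openssl equivalents of the GUI steps (ROOT CA key/CSR/cert,
# then server key/CSR/cert signed by that CA). File names are constructed
# for this example and do not match the appliance's own names.
set -eu

make_test_pki() {
  dir=$1 fqdn=$2 bits=${3:-2048}    # bits: the article's minimum is 1024
  mkdir -p "$dir"
  # Extension files: a root must assert CA:TRUE; the server cert gets a SAN,
  # which current clients require in addition to the CN.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/srv.ext"

  # ROOT CA: private key, CSR, self-signed certificate (Certificate Type ROOT-CA)
  openssl genrsa -out "$dir/root.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/root.key" -out "$dir/root.req" \
    -subj "/C=US/O=Example/CN=Example Test Root CA"
  openssl x509 -req -in "$dir/root.req" -signkey "$dir/root.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/root.cert" 2>/dev/null

  # SERVER: private key, CSR, certificate signed with the CA cert, CA key and
  # a serial file (-CAcreateserial creates it, like CAserial / ns-root.srl).
  openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.req" \
    -subj "/C=US/O=Example/CN=$fqdn"
  openssl x509 -req -in "$dir/server.req" -CA "$dir/root.cert" -CAkey "$dir/root.key" \
    -CAserial "$dir/CAserial" -CAcreateserial -days 365 \
    -extfile "$dir/srv.ext" -out "$dir/server.cert" 2>/dev/null
}

# Public key size in bits, as shown under SSL > Certificates > Details.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if the server cert chains to the root and meets the minimum key size.
check_pki() {
  dir=$1 min_bits=${2:-1024}
  openssl verify -CAfile "$dir/root.cert" "$dir/server.cert" >/dev/null 2>&1 || return 1
  bits=$(key_bits "$dir/server.cert")
  [ "$bits" -ge "$min_bits" ]
}
```

Running `make_test_pki ./testpki company.example.com 2048` followed by `check_pki ./testpki 1024` reproduces the article's outcome; root.cert is the file to import under Trusted Root Certification Authorities, and server.cert with server.key forms the certificate-key pair.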

Additional Information

WinSCP download: http://winscp.net/eng/download.php
PuTTY download: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html