Learning the Basics of Citrix Web Interface 4.6, Citrix Secure Gateway 3.1 and GoDaddy Wildcard SSL Certificate Part 2 of 3

March 8, 2009

In Part 1 of this 3-part article, you learned how to:

  • Install Windows prerequisites for Web Interface
  • Install Web Interface 4.6
  • Install the Access Management Console Update for Web Interface 4.6
  • Create and configure a basic XenApp site
  • Test unsecure access to published applications

In Part 2 of this article, you will learn how to:

  • Generate an SSL certificate request
  • Purchase a Wildcard SSL Certificate from GoDaddy
  • Complete the certificate request
  • Test secure access to published applications
  • Export the SSL Certificate’s Private Key for use on additional servers

Why use a Wildcard SSL Certificate?

  1. Using GoDaddy’s pricing of a Standard SSL Certificate for one year for $29.99 and a Standard Wildcard SSL Certificate for one year for $199.99, you need seven sub-domains to get your investment back.
  2. If you do not know what your sub-domains will be named and you know you will have several, it may make sense to use one.
  3. You just don’t want to be bothered with keeping track of which certificate files go with which sub-domain on what server.
  4. You just want to be cool and impress your friends at parties (pretty lame reason but some of us need something to impress the women).
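Before paying for a wildcard certificate it helps to know exactly which host names it will cover. The matching rule browsers apply (RFC 6125) is that the wildcard stands for exactly one label, so *.websterslab.com covers citrix.websterslab.com but not websterslab.com itself or a.citrix.websterslab.com. The following Python is an added example, not code from the original article, and the host names it checks are constructed for illustration:

```python
# Added example: which host names a wildcard certificate such as
# *.websterslab.com actually covers under the RFC 6125 matching rule.

def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the certificate name covers hostname.

    cert_name is a Common Name / dNSName from the certificate, for example
    "*.websterslab.com" or "citrix.websterslab.com".
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, must not be repeated,
    # and needs at least two labels after it ("*.com" is refused).
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    # Exactly one non-empty label replaces the wildcard; everything to the
    # right must be identical, so the apex domain and deeper names do not match.
    if len(host_labels) != len(cert_labels) or not all(host_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def names_covered(cert_name: str, hostnames) -> dict:
    """Map each candidate host name to whether cert_name covers it."""
    return {h: wildcard_matches(cert_name, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample host names for the article's *.websterslab.com certificate.
    sample = [
        "citrix.websterslab.com",
        "wi.websterslab.com",
        "websterslab.com",
        "a.citrix.websterslab.com",
        "citrix.websterslab.net",
    ]
    for host, ok in names_covered("*.websterslab.com", sample).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```

If you also need the bare domain (websterslab.com) secured, the wildcard certificate alone will not do it; that name needs its own certificate or an additional Subject Alternative Name.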

When you completed Part 1, you were at the server’s desktop (Figure 1).

Figure 1

Click Start, Administrative Tools, Internet Information Services (IIS) Manager (Figure 2).

Figure 2

Expand Web Sites (Figure 3).

Figure 3

Select Default Web Site (Figure 4).

Figure 4

Right-click Default Web Site and then click Properties (Figure 5).

Figure 5

Click the Directory Security tab and then click Server Certificate… (Figure 6).

Figure 6

The Web Server Certificate Wizard starts.  Click Next (Figure 7).

Figure 7

Select Create a new certificate and click Next (Figure 8).

Figure 8

Click Next (Figure 9).

Figure 9

You can type in any name for the new certificate in Figure 10.  I use *.domain.tld, or for my certificate, *.websterslab.com.  Leave the Bit length at 1024.  Click Next.

Figure 10

You can enter anything for Organization and Organizational unit (Figure 11).  They should either be very easy for you to remember or should be documented in your Change Control processes.  If you ever need to rekey your certificate, you will need this information.  If what you enter during the GoDaddy rekeying process does not match what you enter here, GoDaddy will not allow the rekeying.   I prefer to keep everything simple and enter *.domain.tld; for my certificate, both fields are *.websterslab.com.

Enter your Organization, Organizational unit and click Next.

Figure 11

For Your Site’s Common Name, enter *.domain.tld or for my certificate, *.websterslab.com (Figure 12).

Figure 12

Select your Country/Region, enter your State/province, City/locality and click Next (Figure 13).

Figure 13

By default, the Certificate Request File Name is saved as c:\certreq.txt.  The IIS Certificate Wizard allows you to specify a different location and filename of your choice.  Either enter a new file name or accept the default and then click Next (Figure 14).

Figure 14

Verify the information on the Request File Summary page is correct.  If anything needs to be corrected, click Back and make any necessary corrections.  If all the information is correct, click Next (Figure 15).

Figure 15

Click Finish to complete the certificate request and generate the file (Figure 16).

Figure 16

Leave the Default Web Site Properties page up.  Click Start, Run and type in the path and filename for your certificate request file.  If you accepted the default, type in c:\certreq.txt and press Enter (Figure 17).  This will open the file in Notepad (Figure 18).

Figure 17

Figure 18

Press Ctrl-A to select the entire certificate request and then press Ctrl-C to copy the file contents to the server’s clipboard (Figure 19).  Do not change anything in this file.  Doing so will invalidate the certificate request process and you will need to start over.

Figure 19

Exit Notepad, start Internet Explorer and go to http://www.godaddy.com (Figure 20).

Figure 20

Log in to your account, click on SSL Certificates and then under Certificates, click on SSL Certificates (Figure 21).

Figure 21

Scroll down and under Standard SSL, select Unlimited Subdomains, then the number of years you wish your certificate to be valid and then click Add (Figure 22).

Figure 22

You can safely bypass all the extra crap GoDaddy tries to push on you.  Nothing else is needed for your Wildcard SSL Certificate to work with the Citrix Secure Gateway and Web Interface.

Scroll down to the bottom of the screen and click “No thanks.  Continue to checkout…” (Figure 23).

Figure 23

Enter any promo codes you have, select your payment method and check the box by I have read and agree to the terms of the Universal Terms of Service and then click Checkout Now (Figure 24).

Figure 24

Enter the information for your payment method and complete that process (No, I’m not showing you mine!).

When the payment process is complete, click Back to My Account (Figure 25).

Figure 25

Once back on the main account page, you should have an alert showing to start the process to setup your SSL Certificate.  Click the link Click here to begin! (Figure 26).

Figure 26

On the Managing Secure Certificates screen, click the link to “Use Credit” for your new certificate (Figure 27).

Figure 27

The Set up New Certificate wizard starts.  Click Continue (Figure 28).

Figure 28

Back on the Managing Secure Certificates Control Panel, click Manage Certificate (Figure 29).

Figure 29

A new browser window opens up.  Select your new certificate, select the option that begins “With a third-party…” and click Request Certificate (Figure 30).

Figure 30

Verify the information is correct in the Step 1 section (Figure 31).

Figure 31

In the Step 2 section, click in the CSR box and press Ctrl-V (Figure 32).  This pastes your certificate request information.   Select Microsoft IIS in the dropdown box for “Please select your server software…”, check the box to say “I warrant and represent…” and then click Continue.

Figure 32

Confirm the information is correct and click Confirm (Figure 33).  If any of the information is incorrect, click Back and make the necessary corrections.

Figure 33

Click Done (Figure 34).

Figure 34

You will now receive an e-mail from GoDaddy with instructions for downloading your SSL Certificate.  While I was going through this process, the e-mail was received in less than 10 seconds.  When I clicked Done in Figure 34, I was taken to the Secure Certificate Services control panel (Figure 35).  Click the link under Common Name (should be *.domain.tld).

Figure 35

The Manage Certificates screen shows you the information for your Wildcard SSL Certificate along with options to Re-key, Revoke or Reissue the certificate (Figure 36).

Figure 36

Exit all browser windows and click the link in the e-mail you received from GoDaddy to download your certificate files.  Make sure that IIS is selected and click Continue (Figure 37).

Figure 37

Click the link to Download Signed Certificate (Figure 38).

Figure 38

Save the Zip file to a location available to your Web Interface/Citrix Secure Gateway server (Figure 39).

Figure 39

Click Done (Figure 40).

Figure 40

Exit your Internet browser.

Click Start, Run, type in MMC and press Enter (Figures 41 and 42).

Figure 41

Figure 42

Click File and Add/Remove Snap-in… (Figure 43).

Figure 43

Click Add… (Figure 44).

Figure 44

Click Certificates and then click Add (Figure 45).

Figure 45

Select Computer account and click Next (Figure 46).

Figure 46

Select Local computer and click Finish (Figure 47).

Figure 47

Click Close to close the Add Standalone Snap-in dialog (Figure 48).

Figure 48

Click OK to return to the main MMC Window (Figure 49).

Figure 49

Click the “+” to expand the Certificates folder (Figure 50).

Figure 50

Right-click on Intermediate Certification Authorities, choose All Tasks and then click Import… (Figure 51).

Figure 51

Click Next (Figure 52).

Figure 52

Click Browse… (Figure 53).

Figure 53

Change the “Files of type” dropdown to PKCS #7 Certificates (*.spc, *.p7b) (Figure 54).

Figure 54

Browse to the location where you extracted and saved your certificate files, select your certificate file and click Open (Figure 55).

Figure 55

Click Next (Figure 56).

Figure 56

Select Place all certificates in the following store, make sure the Certificate store is Intermediate Certification Authorities and click Next (Figure 57).

Figure 57

Click Finish on the Certificate Import Wizard (Figure 58).

Figure 58

Click OK (Figure 59).

Figure 59

Click the “+” next to Trusted Root Certification Authorities and then click Certificates (Figure 60).

Figure 60

Scroll down, right-click Go Daddy Class 2 Certification Authority and select Properties (Figure 61).

Figure 61

Select Disable all purposes for this certificate and click OK (Figure 62).

Figure 62

Click back on the Default Web Site Properties dialog and then click Server Certificate… (Figure 63).

Figure 63

Click Next (Figure 64).

Figure 64

Select Process the pending request and install the certificate and click Next (Figure 65).

Figure 65

Click Browse… to locate your certificate file (Figure 66).

Figure 66

Change the Files of type to All files (*.*) (Figure 67).

Figure 67

Find and select your GoDaddy “crt” certificate file and then click Next (Figure 68).

Figure 68

Citrix Secure Gateway will process all incoming SSL traffic on Port 443 so the SSL Port that IIS uses must be changed.  Type in 444 and click Next (Figure 69).

Note:  This is one of the most common problems that keeps the Citrix Secure Gateway from working.   Citrix Secure Gateway MUST have Port 443 reserved for its use.  IIS MUST use a different Port for SSL.

Figure 69

Verify the information on the Certificate Summary page is correct and click Next (Figure 70).

Figure 70

Click Finish (Figure 71).

Figure 71

Click OK (Figure 72).

Figure 72

To verify the SSL Certificate was installed properly, you may need to create an entry in your Web Interface server’s Host file.  Click Start, Run and type in Notepad %systemroot%\system32\drivers\etc\hosts and press Enter (Figure 73).

Figure 73

Go to the bottom of the Hosts file and add a new entry: type the address, press Tab and then type in the Fully Qualified Domain Name your users will use to access the Citrix Secure Gateway.  For me that is citrix.websterslab.com (Figure 74).

Figure 74

Save the changes and exit Notepad.

Open your Internet browser and go to https://FullyQualifiedDomainName:444.  For me, I went to https://citrix.websterslab.com:444 (Figure 75).  Note the SSL Padlock icon.

Figure 75

Click the Padlock icon and click View certificates (Figure 76).

Figure 76

Click each of the three tabs (Figures 77, 78 and 79).

Figure 77

Figure 78

Figure 79

Click OK and then log in to the Web Interface (Figure 80).

Figure 80

You can test running any published application if you wish.  Log off the Web Interface and exit your Internet browser.  Go back to the MMC console where you had added the Certificates snap-in (Figure 81).

Figure 81

You will now learn how to export your certificate with its private key so the SSL Certificate can be installed on other servers.

Click the “+” by Personal and then click on Certificates (Figure 82).

Figure 82

Right-click your Wildcard certificate, select All Tasks and then click Export (Figure 83).

Figure 83

Click Next (Figure 84).

Figure 84

Select Yes, export the private key and then click Next (Figure 85).

Figure 85

Select Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above).  Do NOT select Delete the private key if the export is successful.  Click Next (Figure 86).

Figure 86

Enter and verify a password (Figure 87).  Make sure you remember this password.  You will need it when importing into another server.

Figure 87

Name and save the PFX file and then click Next (Figure 88).

Figure 88

Click Finish (Figure 89).

Figure 89

Click OK on The export was successful dialog.

Exit the MMC console without saving changes and exit IIS Manager.

In Part 2 of this article, you learned how to:

  • Generate an SSL certificate request
  • Purchase a Wildcard SSL Certificate from GoDaddy
  • Complete the certificate request
  • Test secure access to published applications
  • Export the SSL Certificate’s Private Key for use on additional servers

In Part 3 you will learn to install and configure the Citrix Secure Gateway and test internal and external secure access to published applications.

