• Learning the Basics of Citrix Web Interface 4.6, Citrix Secure Gateway 3.1 and GoDaddy Wildcard SSL Certificate Part 2 of 3

    March 8, 2009

    Secure Gateway, Web Interface

    In Part 1 of this 3-part article, you learned how to:

    • Install Windows prerequisites for Web Interface
    • Install Web Interface 4.6
    • Install the Access Management Console Update for Web Interface 4.6
    • Create and configure a basic XenApp site
    • Test unsecure access to published applications

    In Part 2 of this article, you will learn how to:

    • Generate an SSL certificate request
    • Purchase a Wildcard SSL Certificate from GoDaddy
    • Complete the certificate request
    • Test secure access to published applications
    • Export the SSL Certificate’s Private Key for use on additional servers

    Why use a Wildcard SSL Certificate?

    1. Using GoDaddy’s pricing of a Standard SSL Certificate for one year for $29.99 and a Standard Wildcard SSL Certificate for one year for $199.99, you need seven sub-domains to get your investment back.
    2. If you do not know what your sub-domains will be named and you know you will have several, it may make sense to use one.
    3. You just don’t want to be bothered with keeping track of which certificate files go with which sub-domain on what server.
    4. You just want to be cool and impress your friends at parties (pretty lame reason but some of us need something to impress the women).

    When you completed Part 1, you were at the server’s desktop (Figure 1).

    Figure 1

    Click Start, Administrative Tools, Internet Information Services (IIS) Manager (Figure 2).

    Figure 2

    Expand Web Sites (Figure 3).

    Figure 3

    Select Default Web Site (Figure 4).

    Figure 4

    Right-click Default Web Site and then click Properties (Figure 5).

    Figure 5

    Click the Directory Security tab and then click Server Certificate… (Figure 6).

    Figure 6

    The Web Server Certificate Wizard starts.  Click Next (Figure 7).

    Figure 7

    Select Create a new certificate and click Next (Figure 8).

    Figure 8

    Click Next (Figure 9).

    Figure 9

    You can type in any name for the new certificate on Figure 10.  I use *.domain.tld or for my certificate, *.websterslab.com.  Leave the Bit length at 1024.  Click Next.

    Figure 10

    You can enter anything for Organization and Organizational unit (Figure 11).  They should either be very easy for you to remember or should be documented in your Change Control processes.  If you ever need to rekey your certificate, you will need this information.  If what you enter during the GoDaddy rekeying process does not match what you enter here, the rekeying will not be allowed by GoDaddy.   I prefer to keep everything simple and enter *.domain.tld or for my certificate, both fields will be *.websterslab.com.

    Enter your Organization, Organizational unit and click Next.

    Figure 11

    For Your Site’s Common Name, enter *.domain.tld or for my certificate, *.websterslab.com (Figure 12).

    Figure 12

    Select your Country/Region, enter your State/province, City/locality and click Next (Figure 13).

    Figure 13

    By default, the Certificate Request File Name is saved as c:\certreq.txt.  The IIS Certificate Wizard allows you to specify a different location and filename of your choice.  Either enter a new file name or accept the default and then click Next (Figure 14).

    Figure 14

    Verify the information on the Request File Summary page is correct.  If anything needs to be corrected, click Back and make any necessary corrections.  If all the information is correct, click Next (Figure 15).

    Figure 15

    Click Finish to complete the certificate request and generate the file (Figure 16).

    Figure 16

    Leave the Default Web Site Properties page up.  Click Start, Run and type in the path and filename for your certificate request file.  If you accepted the default, type in c:\certreq.txt and press Enter (Figure 17).  This will open the file in Notepad (Figure 18).

    Figure 17
    Figure 18

    Press Ctrl-A to select the entire certificate request and then press Ctrl-C to copy the file contents to the server’s clipboard (Figure 19).  Do not change anything in this file.  Doing so will invalidate the certificate request process and you will need to start over.

    Figure 19

    Exit Notepad, start Internet Explorer and go to http://www.godaddy.com (Figure 20).

    Figure 20

    Log in to your account, click on SSL Certificates and then under Certificates, click on SSL Certificates (Figure 21).

    Figure 21

    Scroll down and under Standard SSL, select Unlimited Subdomains, then the number of years you wish your certificate to be valid and then click Add (Figure 22).

    Figure 22

    Yu can safely bypass all the extra crap GoDaddy tries to push onl you.  Nothing else is needed for your Wildcard SSL Certificate to work with the Citrix Secure Gateway and Web Interface.

    Scroll down to the bottom of the screen and click “No thanks.  Continue to checkout…” (Figure 23).

    Figure 23

    Enter any promo codes you have, select your payment method and check the box by I have read and agree to the terms of the Universal Terms of Service and then click Checkout Now (Figure 24).

    Figure 24

    Enter the information for your payment method and complete that process (No, I’m not showing you mine!).

    When the payment process is complete, click Back to My Account (Figure 25).

    Figure 25

    Once back on the main account page, you should have an alert showing to start the process to setup your SSL Certificate.  Click the link Click here to begin! (Figure 26).

    Figure 26

    On the Managing Secure Certificates screen, click the link to “Use Credit” for your new certificate (Figure 27).

    Figure 27

    The Set up New Certificate wizard starts.  Click Continue (Figure 28).

    Figure 28

    Back on the Managing Secure Certificates Control Panel, click Manage Certificate (Figure 29).

    Figure 29

    A new browser window opens up.  Select your new certificate, select the option that begins “With a third-party…” and click Request Certificate (Figure 30).

    Figure 30

    Verify the information is correct in the Step 1 section (Figure 31).

    Figure 31

    In the Step 2 section, click in the CSR box and press Ctrl-V (Figure 32).  This pastes your certificate request information.   Select Microsoft IIS in the dropdown box for “Please select your server software…“, check the box to say “I warrant and represent…” and then click Continue.

    Figure 32

    Confirm the information is correct and click Confirm (Figure 33).  If any of the information is incorrect, click Back and make the necessary corrections.

    Figure 33

    Click Done (Figure 34).

    Figure 34

    You will now receive an e-mail from GoDaddy with instructions for downloading your SSL Certificate.  While I was going through this process, the e-mail was received in less than 10 seconds.  When I clicked Done in Figure 34, I was taken to the Secure Certificate Services control panel (Figure 35).  Click the link under Common Name (should be *.domain.tld).

    Figure 35

    The Manage Certificates screen shows you the information for your Wildcard SSL Certificate along with options to Re-key, Revoke or Reissue the certificate (Figure 36).

    Figure 36

    Exit all browser windows and click the link in the e-mail you received from GoDaddy to download your certificate files.  Make sure that IIS is selected and click Continue (Figure 37).

    Figure 37

    Click the link to Download Signed Certificate (Figure 38).

    Figure 38

    Save the Zip file to a location available to your Web Interface/Citrix Secure Gateway server (Figure 39).

    Figure 39

    Click Done (Figure 40).

    Figure 40

    Exit your Internet browser.

    Click Start, Run, type in MMC and press Enter (Figures 41 and 42).

    Figure 41
    Figure 42

    Click File and Add/Remove Snap-in… (Figure 43).

    Figure 43

    Click Add… (Figure 44).

    Figure 44

    Click Certificates and then click Add (Figure 45).

    Figure 45

    Select Computer account and click Next (Figure 46).

    Figure 46

    Select Local computer and click Finish (Figure 47).

    Figure 47

    Click Close to close the Add Standalone Snap-in dialog (Figure 48).

    Figure 48

    Click OK to return to the main MMC Window (Figure 49).

    Figure 49

    Click the “+” to expand the Certificates folder (Figure 50).

    Figure 50

    Right-click on Intermediate Certification Authorities, choose All Tasks and then click Import… (Figure 51).

    Figure 51

    Click Next (Figure 52).

    Figure 52

    Click Browse… (Figure 53).

    Figure 53

    Change the “Files of type” dropdown to PKCS #7 Certificates (*.spc, *.p7b) (Figure 54).

    Figure 54

    Browse to the location you extracted and saved your certificate files, select your certificate file and click Open (Figure 55).

    Figure 55

    Click Next (Figure 56).

    Figure 56

    Select Place all certificates in the following store and make sure the Certificate store is Intermediate Certification Authorities  and click Next (Figure 57).

    Figure 57

    Click Finish on the Certificate Import Wizard (Figure 58).

    Figure 58

    Click OK (Figure 59).

    Figure 59

    Click the “+” next to Trusted Root Certification Authorities and then click Certificates (Figure (60).

    Figure 60

    Scroll down, right-click Go Daddy Class 2 Certification Authority and select Properties (Figure 61).

    Figure 61

    Select Disable all purposes for this certificate and click OK (Figure 62).

    Figure 62

    Click back on the Default Web Site Properties dialog and then click Server Certificate… (Figure 63).

    Figure 63

    Click Next (Figure 64).

    Figure 64

    Select Process the pending request and install the certificate and click Next (Figure 65).

    Figure 65

    Click Browse… to locate your certificate file (Figure 66).

    Figure 66

    Change the Files of type to All files (*.*) (Figure 67).

    Figure 67

    Find and select your GoDaddy “crt” certificate file and then click Next (Figure 68).

    Figure 68

    Citrix Secure Gateway will process all incoming SSL traffic on Port 443 so the SSL Port that IIS uses must be changed.  Type in 444 and click Next (Figure 69).

    Note:  This is one of the most common problems that keeps the Citrix Secure Gateway from working.   Citrix Secure Gateway MUST have Port 443 reserved for its use.  IIS MUST use a different Port for SSL.

    Figure 69

    Verify the information on the Certificate Summary page is correct and click Next (Figure 70).

    Figure 70

    Click Finish (Figure 71).

    Figure 71

    Click OK (Figure 72).

    Figure 72

    To verify the SSL Certificate was installed properly, you may need to create an entry in your Web Interface server’s Host file.  Click Start, Run and type in Notepad %systemroot%\system32\drivers\etc\hosts and press Enter (Figure 73).

    Figure 73

    Go to the bottom of the Hosts file and type 127.0.0.1, press Tab and type in the Fully Qualified Domain Name your users will use to access the Citrix Secure Gateway.  For me that is citrix.websterslab.com (Figure 74).

    Figure 74

    Save the changes and exit Notepad.

    Open your Internet browser and go to https://FullyQualifiedDomainName:444.  For me, I went to https://citrix.websterslab.com:444 (Figure 75).  Note the SSL Padlock icon.

    Figure 75

    Click the Padlock icon and click View certificates. (Figure 76).

    Figure 76

    Click each of the three tabs (Figures 77, 78 and 79).

    Figure 77
    Figure 78
    Figure 79

    Click OK and then log in to the Web Interface (Figure 80).

    Figure 80

    You can test running any published application if you wish.  Log off the Web Interface and exit your Internet browser.  Go back to the MMC console where you had added the Certificates snap-in (Figure 81).

    Figure 81

    You will now learn how to export your certificate with its private key so the SSL Certificate can be installed on other servers.

    Click the “+” by Personal and then click on Certificates (Figure 82).

    Figure 82

    Right-click your Wildcard certificate, select All Tasks and then click Export (Figure 83).

    Figure 83

    Click Next (Figure 84).

    Figure 84

    Select Yes, export the private key and then click Next (Figure 85).

    Figure 85

    Select Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above).  Do NOT select Delete the private key if the export is successful.  Click Next (Figure 86).

    Figure 86

    Enter and verify a password (Figure 87).  Make sure you remember this password.  You will need it when importing into another server.

    Figure 87

    Name and save the PFX file and then click Next (Figure 88).

    Figure 88

    Click Finish (Figure 89).

    Figure 89

    Click OK on The export was successful dialog.

    Exit the MMC console without saving changes and exit IIS Manager.

    In Part 2 of this article, you learned how to:

    • Generate an SSL certificate request
    • Purchase a Wildcard SSL Certificate from GoDaddy
    • Complete the certificate request
    • Test secure access to published applications
    • Export the SSL Certificate’s Private Key for use on additional servers

    In Part 3 you will learn to install and configure the Citrix Secure gateway and test internal and external secure access to published applications.

    , , ,

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply