In Part 1 of this 3-part article, you learned how to:
- Install Windows prerequisites for Web Interface
- Install Web Interface 4.6
- Install the Access Management Console Update for Web Interface 4.6
- Create and configure a basic XenApp site
- Test unsecure access to published applications
In Part 2 of this article, you will learn how to:
- Generate an SSL certificate request
- Purchase a Wildcard SSL Certificate from GoDaddy
- Complete the certificate request
- Test secure access to published applications
- Export the SSL Certificate’s Private Key for use on additional servers
Why use a Wildcard SSL Certificate?
- Using GoDaddy’s pricing of a Standard SSL Certificate for one year for $29.99 and a Standard Wildcard SSL Certificate for one year for $199.99, you need seven sub-domains to get your investment back.
- If you do not know what your sub-domains will be named and you know you will have several, it may make sense to use one.
- You just don’t want to be bothered with keeping track of which certificate files go with which sub-domain on what server.
- You just want to be cool and impress your friends at parties (pretty lame reason but some of us need something to impress the women).
When you completed Part 1, you were at the server’s desktop (Figure 1).

Click Start, Administrative Tools, Internet Information Services (IIS) Manager (Figure 2).

Expand Web Sites (Figure 3).

Select Default Web Site (Figure 4).

Right-click Default Web Site and then click Properties (Figure 5).

Click the Directory Security tab and then click Server Certificate… (Figure 6).

The Web Server Certificate Wizard starts. Click Next (Figure 7).

Select Create a new certificate and click Next (Figure 8).

Click Next (Figure 9).

You can type in any name for the new certificate on Figure 10. I use *.domain.tld or for my certificate, *.websterslab.com. Leave the Bit length at 1024. Click Next.

You can enter anything for Organization and Organizational unit (Figure 11). They should either be very easy for you to remember or should be documented in your Change Control processes. If you ever need to rekey your certificate, you will need this information. If what you enter during the GoDaddy rekeying process does not match what you enter here, the rekeying will not be allowed by GoDaddy. I prefer to keep everything simple and enter *.domain.tld or for my certificate, both fields will be *.websterslab.com.
Enter your Organization, Organizational unit and click Next.

For Your Site’s Common Name, enter *.domain.tld or for my certificate, *.websterslab.com (Figure 12).

Select your Country/Region, enter your State/province, City/locality and click Next (Figure 13).

By default, the Certificate Request File Name is saved as c:\certreq.txt. The IIS Certificate Wizard allows you to specify a different location and filename of your choice. Either enter a new file name or accept the default and then click Next (Figure 14).

Verify the information on the Request File Summary page is correct. If anything needs to be corrected, click Back and make any necessary corrections. If all the information is correct, click Next (Figure 15).

Click Finish to complete the certificate request and generate the file (Figure 16).

Leave the Default Web Site Properties page up. Click Start, Run and type in the path and filename for your certificate request file. If you accepted the default, type in c:\certreq.txt and press Enter (Figure 17). This will open the file in Notepad (Figure 18).


Press Ctrl-A to select the entire certificate request and then press Ctrl-C to copy the file contents to the server’s clipboard (Figure 19). Do not change anything in this file. Doing so will invalidate the certificate request process and you will need to start over.

Exit Notepad, start Internet Explorer and go to http://www.godaddy.com (Figure 20).

Log in to your account, click on SSL Certificates and then under Certificates, click on SSL Certificates (Figure 21).

Scroll down and under Standard SSL, select Unlimited Subdomains, then the number of years you wish your certificate to be valid and then click Add (Figure 22).

You can safely bypass all the extra crap GoDaddy tries to push on you. Nothing else is needed for your Wildcard SSL Certificate to work with the Citrix Secure Gateway and Web Interface.
Scroll down to the bottom of the screen and click “No thanks. Continue to checkout…” (Figure 23).

Enter any promo codes you have, select your payment method and check the box by I have read and agree to the terms of the Universal Terms of Service and then click Checkout Now (Figure 24).

Enter the information for your payment method and complete that process (No, I’m not showing you mine!).
When the payment process is complete, click Back to My Account (Figure 25).

Once back on the main account page, you should have an alert showing to start the process to set up your SSL Certificate. Click the link Click here to begin! (Figure 26).

On the Managing Secure Certificates screen, click the link to “Use Credit” for your new certificate (Figure 27).

The Set up New Certificate wizard starts. Click Continue (Figure 28).

Back on the Managing Secure Certificates Control Panel, click Manage Certificate (Figure 29).

A new browser window opens up. Select your new certificate, select the option that begins “With a third-party…” and click Request Certificate (Figure 30).

Verify the information is correct in the Step 1 section (Figure 31).

In the Step 2 section, click in the CSR box and press Ctrl-V (Figure 32). This pastes your certificate request information. Select Microsoft IIS in the dropdown box for “Please select your server software…“, check the box to say “I warrant and represent…” and then click Continue.

Confirm the information is correct and click Confirm (Figure 33). If any of the information is incorrect, click Back and make the necessary corrections.

Click Done (Figure 34).

You will now receive an e-mail from GoDaddy with instructions for downloading your SSL Certificate. While I was going through this process, the e-mail was received in less than 10 seconds. When I clicked Done in Figure 34, I was taken to the Secure Certificate Services control panel (Figure 35). Click the link under Common Name (should be *.domain.tld).

The Manage Certificates screen shows you the information for your Wildcard SSL Certificate along with options to Re-key, Revoke or Reissue the certificate (Figure 36).

Exit all browser windows and click the link in the e-mail you received from GoDaddy to download your certificate files. Make sure that IIS is selected and click Continue (Figure 37).

Click the link to Download Signed Certificate (Figure 38).

Save the Zip file to a location available to your Web Interface/Citrix Secure Gateway server (Figure 39).

Click Done (Figure 40).

Exit your Internet browser.
Click Start, Run, type in MMC and press Enter (Figures 41 and 42).


Click File and Add/Remove Snap-in… (Figure 43).

Click Add… (Figure 44).

Click Certificates and then click Add (Figure 45).

Select Computer account and click Next (Figure 46).

Select Local computer and click Finish (Figure 47).

Click Close to close the Add Standalone Snap-in dialog (Figure 48).

Click OK to return to the main MMC Window (Figure 49).

Click the “+” to expand the Certificates folder (Figure 50).

Right-click on Intermediate Certification Authorities, choose All Tasks and then click Import… (Figure 51).

Click Next (Figure 52).

Click Browse… (Figure 53).

Change the “Files of type” dropdown to PKCS #7 Certificates (*.spc, *.p7b) (Figure 54).

Browse to the location where you extracted and saved your certificate files, select your certificate file and click Open (Figure 55).

Click Next (Figure 56).

Select Place all certificates in the following store and make sure the Certificate store is Intermediate Certification Authorities and click Next (Figure 57).

Click Finish on the Certificate Import Wizard (Figure 58).

Click OK (Figure 59).

Click the “+” next to Trusted Root Certification Authorities and then click Certificates (Figure 60).

Scroll down, right-click Go Daddy Class 2 Certification Authority and select Properties (Figure 61).

Select Disable all purposes for this certificate and click OK (Figure 62).

Click back on the Default Web Site Properties dialog and then click Server Certificate… (Figure 63).

Click Next (Figure 64).

Select Process the pending request and install the certificate and click Next (Figure 65).

Click Browse… to locate your certificate file (Figure 66).

Change the Files of type to All files (*.*) (Figure 67).

Find and select your GoDaddy “crt” certificate file and then click Next (Figure 68).

Citrix Secure Gateway will process all incoming SSL traffic on Port 443 so the SSL Port that IIS uses must be changed. Type in 444 and click Next (Figure 69).
Note: This is one of the most common problems that keeps the Citrix Secure Gateway from working. Citrix Secure Gateway MUST have Port 443 reserved for its use. IIS MUST use a different Port for SSL.

Verify the information on the Certificate Summary page is correct and click Next (Figure 70).

Click Finish (Figure 71).

Click OK (Figure 72).

To verify the SSL Certificate was installed properly, you may need to create an entry in your Web Interface server’s Hosts file. Click Start, Run and type in Notepad %systemroot%\system32\drivers\etc\hosts and press Enter (Figure 73).

Go to the bottom of the Hosts file and type 127.0.0.1, press Tab and type in the Fully Qualified Domain Name your users will use to access the Citrix Secure Gateway. For me that is citrix.websterslab.com (Figure 74).

Save the changes and exit Notepad.
Open your Internet browser and go to https://FullyQualifiedDomainName:444. For me, I went to https://citrix.websterslab.com:444 (Figure 75). Note the SSL Padlock icon.

Click the Padlock icon and click View certificates (Figure 76).

Click each of the three tabs (Figures 77, 78 and 79).



Click OK and then log in to the Web Interface (Figure 80).
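The browser check above can also be scripted. This PowerShell is an added example, not part of the original article: it connects to the article's citrix.websterslab.com on port 444, reports what IIS presents, and tests the wildcard against the host name. Test-WildcardMatch is a helper name introduced here, and it compares only the certificate's Common Name, the field set in the request.

```powershell
# Added example, not from the original article.
# $Fqdn and $Port are the article's values; replace them with your own.
$Fqdn = 'citrix.websterslab.com'
$Port = 444

# A wildcard stands in for exactly one left-most label, so *.websterslab.com
# covers citrix.websterslab.com but not websterslab.com or a.b.websterslab.com.
function Test-WildcardMatch([string]$Pattern, [string]$HostName) {
    $p = $Pattern.ToLower().Split('.')
    $h = $HostName.ToLower().Split('.')
    if ($p.Length -ne $h.Length) { return $false }
    if ($p[0] -eq '*') {
        # Reject *.tld and an empty first label in the host name.
        if ($p.Length -lt 3 -or $h[0] -eq '') { return $false }
        $p = $p[1..($p.Length - 1)]
        $h = $h[1..($h.Length - 1)]
    }
    return (($p -join '.') -eq ($h -join '.'))
}

$client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
try {
    # Accept whatever the server presents; the certificate is judged below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $client.Close() }

# Build the chain from this machine's certificate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

New-Object PSObject -Property @{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotAfter    = $cert.NotAfter
    KeyBits     = $cert.PublicKey.Key.KeySize   # bit length chosen in the wizard
    NameMatches = Test-WildcardMatch $cert.GetNameInfo('SimpleName', $false) $Fqdn
    ChainBuilds = $chainOk
    ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
} | Format-List
```

Run on the Web Interface server, the name resolves through the Hosts entry added above; a NameMatches of False means the host name is not a single-label subdomain of the wildcard's domain.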

You can test running any published application if you wish. Log off the Web Interface and exit your Internet browser. Go back to the MMC console where you had added the Certificates snap-in (Figure 81).

You will now learn how to export your certificate with its private key so the SSL Certificate can be installed on other servers.
Click the “+” by Personal and then click on Certificates (Figure 82).

Right-click your Wildcard certificate, select All Tasks and then click Export (Figure 83).

Click Next (Figure 84).

Select Yes, export the private key and then click Next (Figure 85).

Select Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above). Do NOT select Delete the private key if the export is successful. Click Next (Figure 86).

Enter and verify a password (Figure 87). Make sure you remember this password. You will need it when importing into another server.

Name and save the PFX file and then click Next (Figure 88).

Click Finish (Figure 89).

Click OK on The export was successful dialog.
Exit the MMC console without saving changes and exit IIS Manager.
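Before copying the PFX file to another server, it is worth confirming that it contains what the export wizard was asked for. This PowerShell is an added example, not part of the original article; $PfxPath is a placeholder for wherever you saved the file.

```powershell
# Added example, not from the original article.
# $PfxPath is a placeholder; point it at the file saved in the export wizard.
$PfxPath = 'C:\path\to\exported.pfx'

# Prompt for the export password without echoing it.
$sec   = Read-Host 'PFX password' -AsSecureString
$plain = (New-Object System.Net.NetworkCredential('', $sec)).Password

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
# Throws if the password is wrong or the file is not a valid PFX.
$certs.Import($PfxPath, $plain, 'DefaultKeySet')

$withKey = @($certs | Where-Object { $_.HasPrivateKey })
$others  = @($certs | Where-Object { -not $_.HasPrivateKey })

$certs | Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint |
    Format-List | Out-Host

# The wildcard certificate should be the only entry carrying a private key.
if ($withKey.Count -ne 1) {
    Write-Warning "Expected one certificate with a private key, found $($withKey.Count)."
}
# "Include all certificates in the certification path" should add the chain.
if ($others.Count -eq 0) {
    Write-Warning 'No chain certificates in the file; import the intermediate separately on the target server.'
}

# The PFX holds the private key, so review who can read the file.
(Get-Acl $PfxPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-List | Out-Host

# Release the key material loaded for inspection.
$certs | ForEach-Object { $_.Reset() }
```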
In Part 2 of this article, you learned how to:
- Generate an SSL certificate request
- Purchase a Wildcard SSL Certificate from GoDaddy
- Complete the certificate request
- Test secure access to published applications
- Export the SSL Certificate’s Private Key for use on additional servers
In Part 3 you will learn to install and configure the Citrix Secure Gateway and test internal and external secure access to published applications.