Importing and Installing an Existing Certificate
You can import an existing certificate from a Windows-based computer running Internet Information Services (IIS) or from a computer running the Secure Gateway.
When you export the certificate, make sure you also export the private key. In some cases, you cannot export the private key, which means you cannot install the certificate on Citrix Gateway. If this occurs, use the Certificate Signing Request (CSR) to create a new certificate. For details, see Creating a Certificate Signing Request.
When you export a certificate and private key from Windows, the computer creates a Personal Information Exchange (.pfx) file. This file is then installed on Citrix Gateway as a PKCS#12 certificate.
If you are replacing the Secure Gateway with Citrix Gateway, you can export the certificate and private key from the Secure Gateway. If you are doing an in-place migration from the Secure Gateway to Citrix Gateway, the fully qualified domain name (FQDN) on the application and the appliance must be the same. After you export the certificate from the Secure Gateway, immediately retire the Secure Gateway, install the certificate on Citrix Gateway, and then test the configuration. The Secure Gateway and Citrix Gateway cannot be running on your network at the same time if they have the same FQDN.
If you are using Windows Server 2003 or Windows Server 2008, you can use the Microsoft Management Console to export the certificate. For more information, see the Windows online Help.
Leave the default values for all the other options, define a password, and save the .pfx file to your computer. When the certificate is exported, you then install it on Citrix Gateway.
To install the certificate and private key on Citrix Gateway
- In the configuration utility, click the Configuration tab and then in the navigation pane, click Citrix Gateway.
- In the details pane, under Getting Started, click Citrix Gateway wizard.
- Click Next, select an existing virtual server and then click Next.
- In Certificate Options, select Install a PKCS#12 (.pfx) file.
- In PKCS#12 File Name, click Browse, navigate to the certificate and then click Select.
- In Password, type the password for the private key.
  This is the password you used when converting the certificate to PEM format.
- Click Next to finish the Citrix Gateway wizard without changing any other settings.
When the certificate is installed on Citrix Gateway, the certificate appears in the configuration utility in the SSL > Certificates node.
To create a private key
- In the configuration utility, on the Configuration tab, in the navigation pane, click SSL.
- In the details pane, under SSL Keys, click Create RSA Key.
- In Key Filename, type the name of the private key or click Browse to navigate to an existing file.
- In Key Size (Bits), type the size of the private key.
- In Public Exponent Value, select F4 or 3.
  This is the public exponent value for the RSA key. It is part of the cipher algorithm and is required for creating the RSA key. The values are F4 (Hex: 0x10001) or 3 (Hex: 0x3). The default is F4.
- In Key Format, select PEM or DER. Citrix recommends PEM format for the certificate.
- In PEM Encoding Algorithm, select DES or DES3.
- In PEM Passphrase and Verify Passphrase, type the password, click Create and then click Close.
Note: To assign a passphrase, the Key Format must be PEM and you must select the encoding algorithm.
To create a DSA private key in the configuration utility, click Create DSA Key. Follow the same steps above to create the DSA private key.
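The following added example, which is not part of the Citrix documentation, reads the header of a PEM private key and reports whether the key carries a passphrase and whether the PEM Encoding Algorithm chosen in the steps above was DES or DES3. It assumes the key file uses OpenSSL's traditional PEM layout (Proc-Type and DEK-Info header lines); the function name audit_pem_key and the sample keys are constructed for illustration.

```python
import re

# Matches only private-key blocks (RSA, DSA, PKCS#8), not certificates.
BEGIN_RE = re.compile(r"^-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----\s*$", re.M)
PROC_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
DEK_RE = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),[0-9A-Fa-f]+\s*$", re.M)

def audit_pem_key(text):
    """Classify one PEM key file (hypothetical helper): returns (status, detail)."""
    begin = BEGIN_RE.search(text)
    if not begin:
        return ("error", "no PEM private key block found")
    label = begin.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher is recorded inside the ASN.1 body, not the header.
        return ("review", "PKCS#8 encrypted key; cipher not visible in header")
    if not PROC_RE.search(text):
        return ("unencrypted", f"{label} has no passphrase")
    dek = DEK_RE.search(text)
    if not dek:
        return ("error", "marked ENCRYPTED but DEK-Info is missing or malformed")
    cipher = dek.group(1).upper()
    if cipher == "DES-CBC":
        return ("weak", "single DES (56-bit key); re-create the key with DES3")
    if cipher == "DES-EDE3-CBC":
        return ("ok", "DES3 passphrase protection")
    return ("review", f"encrypted with {cipher}")

def _sample(label, headers=()):
    # Constructed input: real header layout, placeholder base64 body.
    head = list(headers) + [""] if headers else []
    return "\n".join([f"-----BEGIN {label}-----", *head,
                      "Q09OU1RSVUNURUQ=", f"-----END {label}-----", ""])

ENC = "Proc-Type: 4,ENCRYPTED"
SAMPLES = {
    "des3.key": _sample("RSA PRIVATE KEY", [ENC, "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"]),
    "des.key": _sample("RSA PRIVATE KEY", [ENC, "DEK-Info: DES-CBC,0123456789ABCDEF"]),
    "plain.key": _sample("DSA PRIVATE KEY"),
    "cert.pem": _sample("CERTIFICATE"),
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, *audit_pem_key(pem))
```

Run the check on a key file before uploading it to the appliance; a result of weak or unencrypted means the key should be re-created with DES3 and a passphrase.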