Create a certificate signing request
To provide secure communications using SSL or TLS, a server certificate is required on Citrix Gateway. Before you can upload a certificate to Citrix Gateway, you need to generate a Certificate Signing Request (CSR) and private key. You use the Create Certificate Request included in the Citrix Gateway wizard or the configuration utility to create the CSR. The Create Certificate Request creates a .csr file that is emailed to the Certificate Authority (CA) for signing and a private key that remains on the appliance. The CA signs the certificate and returns it to you at the email address you provided. When you receive the signed certificate, you can install it on Citrix Gateway. When you receive the certificate back from the CA, you pair the certificate with the private key.
Important: When you use the Citrix Gateway wizard to create the CSR, you must exit the wizard and wait for the CA to send you the signed certificate. When you receive the certificate, you can run the Citrix Gateway wizard again to create the settings and install the certificate. For more information about the Citrix Gateway wizard, see Configuring Settings by Using the Citrix Gateway Wizard.
Create a CSR by using the Citrix Gateway wizard
- In the configuration utility, click the Configuration tab and then in the navigation pane, click Citrix ADC Gateway.
- In the details pane, under Getting Started, click Citrix ADC Gateway wizard.
- Follow the directions in the wizard until you come to the Specify a server certificate page.
- Click Create a Certificate Signing Request and complete the fields. Note: The fully qualified domain name (FQDN) does not need to be the same as the Citrix Gateway host name. The FQDN is used for user logon.
- Click Create to save the certificate on your computer, and then click Close.
- Exit the Citrix Gateway wizard without saving your settings.
Create a CSR by using the Citrix ADC GUI
You can also use the Citrix ADC GUI to create a CSR, without running the Citrix Gateway wizard.
- Navigate to Traffic Management > SSL > SSL Files and select Create Certificate Signing Request (CSR).
- Complete the settings for the certificate and then click Create.
After you create the certificate and private key, email the certificate to the CA, such as Thawte or Verisign.
For detailed procedure, see Create a certificate signing request.
Install the signed certificate on Citrix Gateway
When you receive the signed certificate from the Certificate Authority (CA), pair it with the private key on the appliance and then install the certificate on Citrix Gateway.
Pair the signed certificate with a private key by using the GUI
- Copy the certificate to Citrix Gateway to the folder nsconfig/ssl by using a Secure Shell (SSH) program such as WinSCP.
- In the configuration utility, on the Configuration tab, in the navigation pane, expand SSL > Certificates.
- In the SSL Certificate page, click Get Started.
- In the details pane, click Install.
- In Certificate-Key Pair Name, type the name of the certificate.
- In Certificate File Name, click Appliance.
- Navigate to the certificate, click Select, and then click Open.
- In Key File Name, click Appliance. The name of the private key is the same name as the Certificate Signing Request (CSR). The private key is located on Citrix Gateway in the directory \nsconfig\ssl.
- Choose the private key, and then click Open.
- If the certificate is PEM-format, in Password, type the password for the private key.
- If you want to configure notification for when the certificate expires, select Notify When Expires.
- In Notification Period, type the number of days, click Create, and then click Close.
Bind the certificate and private key to a virtual server by using the GUI
After you create and link a certificate and private key pair, bind it to a virtual server.
- In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Virtual Servers.
- In the details pane, click a virtual server, and then click Open.
- On the Certificates tab, under Available, select a certificate, click Add, and then click OK.
Bind the certificate and private key to a virtual server by using the CLI
At the command prompt, type;
bind ssl vserver <vServerName> -certkeyName <string> -ocspCheck ( Mandatory | Optional )
<!--NeedCopy-->
Example:
bind ssl vserver TestClient -CertkeyName ag51.xm.nsi.test.com -CA -ocspCheck Mandatory
<!--NeedCopy-->
Note: oscpCheck is optional if OCSP check is not required for device certificate.
Unbind test certificates from the virtual server by using the GUI
After you install the signed certificate, unbind any test certificates that are bound to the virtual server. You can unbind test certificates using the configuration utility.
- In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Virtual Servers.
- In the details pane, click a virtual server, and then click Open.
- On the Certificates tab, under Configured, select the test certificate, and then click Remove.