SSL Certificates Installation Instruction - Citrix Secure Gateway 1.12 / 2.0 for Solaris
发布日期:2015-01-01Installing a Server Certificate
You can install a server certificate on the Secure Gateway server using the
ctxcertmgr command. You install a certificate from the response file that you
receive from the CA. Server certificates are installed in the /var/CTXSssl/certs
directory.
How you install a certificate depends upon whether you used ctxcertreq to
generate the certificate request or not.
If the Certificate Request Is Generated Using ctxcertreq
If you use ctxcertreq to generate a certificate request, ctxcertreq generates a private
key and prompts you for a password to protect the file. When you receive the
signed certificate from the CA, you need to install the certificate on the Secure
Gateway server and match it to the private key and password.
To do this, you use ctxcertmgr to install the certificate and include the -response
option. The -response option indicates that the certificate is a response to a
certificate request generated using ctxcertreq. A new certificate is created and
stored on the Secure Gateway server.
To install a server certificate requested using ctxcertreq
1. Log on as the root user at the Secure Gateway server.
2. At the command prompt, type:
ctxcertmgr -response filename [ -dbpassword db-password ]
where filename specifies the certificate file supplied by the CA.
The following table describes the options:
Example.Installing the certificate
Using ctxcertreq , a new certificate request file is generated with the identifier.
citrix.. A private key is also generated and the password .secret. specified to
protect the file. The new certificate is received from the CA.this file is called
.cert.pem. and it is saved in the /tmp/certs directory on the Secure Gateway server.
To add the certificate to the Secure Gateway server and match it to the private key
and password, type:
ctxcertmgr -response /tmp/certs/cert.pem
You are prompted to enter the db-password .secret..
If the password entered is valid, the newly signed server certificate is imported into
the Secure Gateway certificate store as /var/CTXSssl/certs/citrix.pem.
Option Usage
-response Specifies the certificate is a response to a certificate request generated using
ctxcertreq.
-dbpassword Specifies the password used to protect the certificate on the Secure Gateway
server. This is the database password you supplied when you ran ctxcertreq. If
you include the -dbpassword option, you must use the db-password
parameter to specify the new password, which should be a maximum of 255
characters in length.
Note that this option is used only if you are including commands in a shel script;
otherwise you are prompted for the password. Using -dbpassword displays the
password on the terminal and enters it into the user.s command line history.
If the Certificate Request Is not Generated Using ctxcertreq
If you generated the certificate request using a tool other than ctxcertreq , use
ctxcertmgr with the -import option to install the certificate.
" To install a server certificate not requested using ctxcertreq
1. Log on as the root user at the Secure Gateway server.
2. At the command prompt, type:
ctxcertmgr -import identifier -filename filename [-format format ]
[ -keyfilename key-filename ] [ -dbpassword db-password ]
[ -filepassword [ file-password ]
The following table describes the options:
Option Usage
-import Adds a certificate to the Secure Gateway server. Use the identifier parameter to
give your certificate a unique label. This label is used to easily identify the
certificate in future.
-filename Specifies the certificate file supplied by the CA, where filename is the location of
the file. If the CA supplies the certificate as two separate files (one file containing
the private key, the other containing plain text information about the certificate)
use the -filename option to specify the location of the file containing plain text
information
-format Specifies the format of the certificate file supplied by the CA. You can import
PEM, NET, DER, PKCS12, and MKS file formats. If you do not specify a format,
the system attempts to auto-detect the format.if it cannot detect the format, an
error message appears.
-keyfilename Specifies the location of the file containing the private key. If the CA supplies the
certificate as two separate files (one file containing the private key, the other
containing plain text information about the certificate), use the keyfilename
parameter to specify the location of the file containing the private key. Note that,
in this case, you use the -filename option to specify the location of the file
containing plain text information.
-dbpassword Specifies a new password to protect the certificate on the Secure Gateway
server. If you include the -dbpassword option, you must use the db-
password parameter to specify the new password. This can be no larger than
255 characters.
-filepassword Specifies the password that the CA uses to protect the certificate file. When a CA
sends you a certificate, the certificate is protected using a password. You need
this password to extract the certificate from the file. The CA may supply this
password in a separate email. If you include the -filepassword option, you
must use the file-password parameter to specify the CA.s password.
Example.the CA emails the server certificate as one file The CA sends you a signed certificate file in PEM format. You save this file in the /var/CTXSssl/certs directory on the Secure Gateway server, and call it .file1.pem.. The private key is protected with the password .secret.. To install the server certificate on the Secure Gateway server, using the new password .confidential. and the identifier .my_certificate., type the command: ctxcertmgr -import my_certificate -filename /var/CTXSssl/certs/file1.pem You are prompted for the db-password .confidential. and the file-password .secret.. Example.the CA emails the server certificate as two files The CA sends you the server certificate as two separate files. One file contains plain text information about the certificate, the other contains the private key that the CA protects with the password .secret.. The files are in PEM format. You call the plain text file .file1.pem. and store it in the /var/CTXSssl/certs/ directory. You call the private key file .file2.pem. and save it in a secure directory that only the root user has access to; for example, /home/ctxssl. To install the server certificate on the Secure Gateway server, using the new password .confidential. and the identifier .my_certificate,. type the command: ctxcertmgr -import my_certificate -filename /var/CTXSssl/certs/file1.pem -keyfilename /home/ctxssl/file2.pem -dbpassword confidential -filepassword secret Use -dbpassword and -filepassword only if you are including commands in a shell script.
|
These steps were taken from the Solaris Secure Gateway Guide available on the Citrix site at the following link: http://support.citrix.com/kb/entry.jspa?categoryID=186&entryID=3186
WME('Notes:'); For Citrix Secure Gateway 2.0, please see: http://support.citrix.com/servlet/KbServlet/download/4192-102-10983/Secure_Gateway_Checklist.pdf