SSL Certificate Installation Guide - Citrix Secure Gateway 1.12 / 2.0 for Solaris

Installing a Server Certificate

You can install a server certificate on the Secure Gateway server using the ctxcertmgr command. You install a certificate from the response file that you receive from the CA. Server certificates are installed in the /var/CTXSssl/certs directory.

How you install a certificate depends upon whether you used ctxcertreq to generate the certificate request or not.

If the Certificate Request Is Generated Using ctxcertreq

If you use ctxcertreq to generate a certificate request, ctxcertreq generates a private key and prompts you for a password to protect the file. When you receive the signed certificate from the CA, you need to install the certificate on the Secure Gateway server and match it to the private key and password.

To do this, you use ctxcertmgr to install the certificate and include the -response option. The -response option indicates that the certificate is a response to a certificate request generated using ctxcertreq. A new certificate is created and stored on the Secure Gateway server.

To install a server certificate requested using ctxcertreq

1. Log on as the root user at the Secure Gateway server.

2. At the command prompt, type:

ctxcertmgr -response filename [ -dbpassword db-password ]

where filename specifies the certificate file supplied by the CA.

The following table describes the options:

Option        Usage

-response     Specifies that the certificate is a response to a certificate request generated using ctxcertreq.

-dbpassword   Specifies the password used to protect the certificate on the Secure Gateway server. This is the database password you supplied when you ran ctxcertreq. If you include the -dbpassword option, you must use the db-password parameter to specify the new password, which should be a maximum of 255 characters in length. Note that this option is used only if you are including commands in a shell script; otherwise you are prompted for the password. Using -dbpassword displays the password on the terminal and enters it into the user's command line history.

Example: Installing the certificate

Using ctxcertreq, a new certificate request file is generated with the identifier "citrix". A private key is also generated and the password "secret" specified to protect the file. The new certificate is received from the CA; this file is called "cert.pem" and it is saved in the /tmp/certs directory on the Secure Gateway server.

To add the certificate to the Secure Gateway server and match it to the private key and password, type:

ctxcertmgr -response /tmp/certs/cert.pem

You are prompted to enter the db-password "secret".

If the password entered is valid, the newly signed server certificate is imported into the Secure Gateway certificate store as /var/CTXSssl/certs/citrix.pem.

If the Certificate Request Is not Generated Using ctxcertreq

If you generated the certificate request using a tool other than ctxcertreq, use ctxcertmgr with the -import option to install the certificate.

To install a server certificate not requested using ctxcertreq

1. Log on as the root user at the Secure Gateway server.

2. At the command prompt, type:

ctxcertmgr -import identifier -filename filename [ -format format ] [ -keyfilename key-filename ] [ -dbpassword db-password ] [ -filepassword file-password ]

The following table describes the options:

Option          Usage

-import         Adds a certificate to the Secure Gateway server. Use the identifier parameter to give your certificate a unique label. This label is used to easily identify the certificate in future.

-filename       Specifies the certificate file supplied by the CA, where filename is the location of the file. If the CA supplies the certificate as two separate files (one file containing the private key, the other containing plain text information about the certificate), use the -filename option to specify the location of the file containing plain text information.

-format         Specifies the format of the certificate file supplied by the CA. You can import PEM, NET, DER, PKCS12, and MKS file formats. If you do not specify a format, the system attempts to auto-detect the format; if it cannot detect the format, an error message appears.

-keyfilename    Specifies the location of the file containing the private key. If the CA supplies the certificate as two separate files (one file containing the private key, the other containing plain text information about the certificate), use the key-filename parameter to specify the location of the file containing the private key. Note that, in this case, you use the -filename option to specify the location of the file containing plain text information.

-dbpassword     Specifies a new password to protect the certificate on the Secure Gateway server. If you include the -dbpassword option, you must use the db-password parameter to specify the new password. This can be no larger than 255 characters.

-filepassword   Specifies the password that the CA uses to protect the certificate file. When a CA sends you a certificate, the certificate is protected using a password. You need this password to extract the certificate from the file. The CA may supply this password in a separate email. If you include the -filepassword option, you must use the file-password parameter to specify the CA's password.

Example: The CA emails the server certificate as one file

The CA sends you a signed certificate file in PEM format. You save this file in the /var/CTXSssl/certs directory on the Secure Gateway server, and call it "file1.pem". The private key is protected with the password "secret".

To install the server certificate on the Secure Gateway server, using the new password "confidential" and the identifier "my_certificate", type the command:

ctxcertmgr -import my_certificate -filename /var/CTXSssl/certs/file1.pem

You are prompted for the db-password "confidential" and the file-password "secret".

Example: The CA emails the server certificate as two files

The CA sends you the server certificate as two separate files. One file contains plain text information about the certificate, the other contains the private key that the CA protects with the password "secret". The files are in PEM format.

You call the plain text file "file1.pem" and store it in the /var/CTXSssl/certs/ directory. You call the private key file "file2.pem" and save it in a secure directory that only the root user has access to; for example, /home/ctxssl.

To install the server certificate on the Secure Gateway server, using the new password "confidential" and the identifier "my_certificate", type the command:

ctxcertmgr -import my_certificate \
    -filename /var/CTXSssl/certs/file1.pem \
    -keyfilename /home/ctxssl/file2.pem \
    -dbpassword confidential -filepassword secret

Use -dbpassword and -filepassword only if you are including commands in a shell script.
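
The two-file import above, wrapped as a script that reads both passwords from root-only files and refuses a private key that group or other can access, so the passwords are never typed at the terminal or saved in shell history; the same approach applies to -dbpassword in the ctxcertreq case. This is an added example, not part of the Citrix guide. The function names and the two password-file arguments are assumptions of this example; the ctxcertmgr options are the ones documented above.

```shell
# Added example, not from the Citrix guide. Needs a POSIX shell; on Solaris
# use /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh.

# True only if $1 exists and grants nothing to group or other. Reads the mode
# string from `ls -ld`, which has the same layout on Solaris and Linux.
private_only() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the first line of password file $1; refuse files others can read.
read_secret() {
    private_only "$1" || { echo "refusing $1: missing or open to group/other" >&2; return 1; }
    secret=$(sed 1q "$1")
    [ -n "$secret" ] || { echo "refusing $1: first line is empty" >&2; return 1; }
    printf '%s' "$secret"
}

# Usage: import_two_file_cert identifier cert-file key-file db-pw-file file-pw-file
# The two password-file arguments are this example's convention (assumption).
import_two_file_cert() {
    ident=$1 cert=$2 key=$3
    [ -r "$cert" ] || { echo "cannot read certificate $cert" >&2; return 1; }
    private_only "$key" || { echo "$key is missing or open to group/other" >&2; return 1; }
    dbpw=$(read_secret "$4") || return 1
    filepw=$(read_secret "$5") || return 1
    # The guide limits db-password to 255 characters.
    [ "${#dbpw}" -le 255 ] || { echo "db-password longer than 255 characters" >&2; return 1; }
    # Options exactly as in the two-file example above.
    ctxcertmgr -import "$ident" -filename "$cert" -keyfilename "$key" \
        -dbpassword "$dbpw" -filepassword "$filepw"
}

# Run the import when the script is called with the five arguments listed above.
if [ "$#" -eq 5 ]; then
    import_two_file_cert "$@"
fi
```

While ctxcertmgr runs, its arguments, including both passwords, can still appear in process listings such as ps, so keep the script and password files root-only and delete the password files once the import succeeds.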

Notes:

These steps were taken from the Solaris Secure Gateway Guide available on the Citrix site at the following link: http://support.citrix.com/kb/entry.jspa?categoryID=186&entryID=3186
For Citrix Secure Gateway 2.0, please see: http://support.citrix.com/servlet/KbServlet/download/4192-102-10983/Secure_Gateway_Checklist.pdf