How do I install an SSL certificate into Citrix Secure Gateway on Windows (via IIS 7)?

Problem

How do I install an SSL certificate into Citrix Secure Gateway on Windows (via IIS 7)?

Resolution


This tutorial is given in 5 parts.  All parts must be completed, but Part II, Part III, or both may already be done depending on your security settings and the version of your Windows Server.  If the certificate installation is a renewal of an existing QuoVadis certificate, you may not need to do Parts II and III, as the certificates should already be installed.  The intermediate files must also be installed to ensure that some browsers do not show a certificate error.

Part I - Obtaining the Necessary Certificates

When you download your certificates from the Trust/Link download page, make sure that you download the Root CA certificate, the Intermediate certificate and your SSL certificate.  You can do this by clicking on the certificate icon (or the download link) next to each certificate section (see https://support.quovadisglobal.com/kb/a469/understanding-the-trust-link-downloads-page.aspx for more details).  This will download a *.crt file for each certificate.
 
You will need to then move these certificate files to the server where they are to be installed.

Part II - Installing the Intermediate (chaining) Certificates

Part II explains how to install the intermediate files that are required.  QuoVadis uses an intermediate certificate that must be installed on the server to prevent errors in certain browsers.  You may want to go through these steps and if the intermediate certificate is not installed, then please obtain it and follow through with the rest of Part II.
  1. First you must open the Certificate Snap-In on the Microsoft Management Console. Follow the below steps in order to do this.
    1. Click on Start and then Run.
    2. In the Run window, type MMC in the Open: field and click on the OK button.
    3. The Console1 window will appear.
    4. Click on File at the top and then select Add/Remove Snap-in...  Alternatively, you can press Ctrl + M.
    5. In the Add/Remove Snap-in window, click on the Add... button at the bottom.  This will open a third window named Add Standalone Snap-in.
    6. Scroll down in the Add Standalone Snap-in window and find the Certificates component.  Once found, highlight it and click on the Add button at the bottom.  Alternatively, you can double-click on Certificates.
    7. In a new window, you will be given 3 options for which account you want the certificates snap-in to manage.
    8. Select the Computer account radio button and click on the Next button.
    9. At the next screen, click on the Finish button.
    10. Back in the Add Standalone Snap-in window, click on the Close button.
    11. Click on the OK button in the Add/Remove Snap-in window.

  2. You should be back in the Console1 window.  You will see that Certificates (Local Computer) has been added to the left-hand pane.

  3. Click on the "+" sign next to Certificates (Local Computer) to expand it.

  4. Locate and expand the Intermediate Certification Authorities store and then click on the Certificates folder underneath it.

  5. Right-click on the Certificates folder underneath the Intermediate Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.

  6. The Certificate Import Wizard will appear.  At the welcome screen, click on the Next button.

  7. You must specify the file to import.  Click on the Browse... button and find and select the intermediate certificate file you obtained from the Trust/Link download page.  Once selected, it should appear in the File name: field.  Click on the Next button.

  8. On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Intermediate Certification Authorities.  Click on the Next button.

  9. At the summary screen, click on the Finish button.

  10. You should get a message that reads, "The import was successful."

Part III - Installing the Root Certificates

Generally, your Windows Server should have the QuoVadis Root certificates installed; however, there have been cases where they have not been.  When you install the SSL certificate, if the root certificate is not present, the system will prompt you to trust it, which will also install it.  Part III assumes that you currently have the Certificate Snap-In on the Microsoft Management Console open.  If you do not, you can find the instructions in Part II of this guide, step 1 (sub-steps 1 to 11).
  1. Click on the "+" sign next to Certificates (Local Computer) to expand it (if it isn't already expanded).

  2. Locate and expand the Trusted Root Certification Authorities store and then click on the Certificates folder underneath it.

  3. Right-click on the Certificates folder underneath the Trusted Root Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.

  4. The Certificate Import Wizard will appear.  At the welcome screen, click on the Next button.

  5. You must specify the file to import.  Click on the Browse... button and find and select the Root CA certificate file you obtained from the Trust/Link download page.  Once selected, it should appear in the File name: field.  Click on the Next button.

  6. On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Trusted Root Certification Authorities.  Click on the Next button.

  7. At the summary screen, click on the Finish button.

  8. You should get a message that reads, "The import was successful."

Part IV - Installing the Certificate onto the server

Part IV explains how to install the SSL certificate onto the server so that it can be assigned to the Citrix Secure Gateway in Part V.
  1. Click on Start.  Go to Administrative Tools and then click on Internet Information Services (IIS) Manager.

  2. Click on the name of the server in the left Connections pane.  This should be the same server that you previously created a CSR for.

  3. In the middle pane, double-click on the Server Certificates icon.

  4. In the right Actions pane, click on Complete Certificate Request...

  5. In the Complete Certificate Request window that appears, click on the ellipsis (...) button and navigate to the server certificate you received from QuoVadis.

  6. Type in a name for this certificate in the Friendly name: field and then click on the OK button.

  7. Note: The friendly name is a name given to the certificate which is used to help differentiate between certificates.

    You should see your newly installed certificate in a list.
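
Before moving on to Part V, the result of Parts II to IV can be checked from PowerShell. The script below is an added example, not part of the original QuoVadis instructions; the host name is a placeholder and the function name `Test-InstalledChain` is hypothetical. It lists each certificate in the chain and the Local Computer store it was found in.

```powershell
# Added example: checks the outcome of Parts II-IV. Run in an elevated PowerShell prompt.
$HostName = 'gateway.example.com'   # placeholder: the host name in your certificate

function Test-InstalledChain {      # hypothetical helper name
    param([string]$SubjectMatch)

    # Part IV puts the server certificate in the Local Computer "Personal" (My) store.
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotAfter -Descending)
    if ($found.Count -eq 0) { throw "No certificate matching '$SubjectMatch' in LocalMachine\My" }
    $cert = $found[0]

    # No private key usually means the request was completed on a different
    # server from the one that generated the CSR.
    if (-not $cert.HasPrivateKey) { Write-Warning "No private key: $($cert.Thumbprint)" }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Expired on $($cert.NotAfter)" }

    # Build the chain in machine context. Revocation is skipped so the check
    # works offline and reports only on what is installed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    }

    # A chain can build from cached or downloaded issuers, so also confirm that
    # each element is really present in the store Parts II and III import into.
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $store = 'not installed'
        foreach ($name in 'My', 'CA', 'Root') {   # Personal, Intermediate, Trusted Root
            if (Test-Path "Cert:\LocalMachine\$name\$($c.Thumbprint)") { $store = $name; break }
        }
        New-Object PSObject -Property @{
            Subject = $c.Subject; Store = $store; Expires = $c.NotAfter
        } | Select-Object Subject, Store, Expires
    }
}

Test-InstalledChain -SubjectMatch $HostName | Format-List
```

A correct installation shows the server certificate in `My`, the intermediate in `CA` and the root in `Root`; an intermediate reported as `not installed` means Part II needs to be repeated.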

Part V - Assigning the certificate to the Citrix Secure Gateway

Once the certificate has been installed on the server, you must assign it to the Citrix Secure Gateway.  This is done through the Secure Gateway Management Console and not through the bindings in IIS 7.  Assigning the SSL certificate to the bindings in IIS 7 may take your Citrix website offline.  Part V describes the process for assigning your SSL certificate to the Citrix Secure Gateway.

Note: Upon completion of this process, you will need to restart your Citrix Secure Gateway.  This will take your Citrix website offline for a minute or so.
  1. First, you must open the Secure Gateway Management Console.  In most cases, you can do this by following these steps:
    1. Click on Start and then All Programs.
    2. In the All Programs list, click and expand the Citrix folder.
    3. In the Citrix folder, click and expand the Management Consoles.
    4. Click on the Secure Gateway Management Console.

  2. Once the Secure Gateway Management Console is open, click on Secure Gateway Configuration. This will open a wizard.

  3. On the welcome screen, click on the OK button.

  4. At the next screen, select the Standard radio button and then click on the Next button.

  5. On the next screen, select the certificate you installed from the list.  Once selected, click on the Next button.

  6. Note: If you are unsure which certificate to assign or you have more than one, you can highlight a certificate and click on the View button.  This will open a window that contains all of the certificate details for you to compare.

  7. At the next screen, the TCP port by default should be 443.  Click on the Next button.

  8. At the next screen, the No outbound traffic radio button is selected by default.  Unless you have a specific configuration, you should leave it as default and click on the Next button.

  9. On the Servers running the STA screen, make any changes if necessary and then click on the Next button.

  10. On the next screen, the Indirect radio button is selected and the TCP port is set to 80 by default.  Click on the Next button.

  11. At the Logging Parameters screen, select a logging option from the list and then click on the Next button.

  12. On the Secure Gateway configuration complete screen, make sure that the Restart Secure Gateway check box is selected and then click on the Finish button.
This will restart your Citrix Secure Gateway.  The wizard will close once the Secure Gateway is back online.
