Installing or Renewing a 2048 bit SSL Certificate on Citrix Access Essentials/Xenapp Fundamentals

I had to renew a 2048 bit Godaddy SSL certificate on a Citrix Access Essentials server today. This article on the Citrix knowledgebase explains how to install the certificate in Quick Start, but is a bit light on detail for the IIS part so I thought I would document it here.

Firstly you need to generate a certificate request or renewal request on the Citrix Access Essentials or Xenapp Fundamentals external website in IIS manager. Right click the website and choose ‘Properties’, then click on the ‘Directory Security’ tab. In the ‘Secure Communications’ section click on the ‘Server Certificate’ button, and the server certificate wizard will start. Click Next, and the following screen will appear:

Creating the renewal or certificate request

In this case I was renewing the existing 2048 bit certificate, so selected ‘renew the current certificate’ and clicked next. On the next screen choose ‘prepare the request now but send it later’:

Preparing the request

Finish the wizard, and save the request for processing with your SSL provider. In this case the provider is Godaddy, but the process will be similar for other providers. Log into Godaddy, select the certificate you want to renew (assuming you have already purchased the renewal credit), and choose ‘Request Certificate’.

Requesting a new certificate using Godaddy


On the next screen select ‘Third Party or Dedicated Server’, and then paste the contents of the certificate request that you generated in IIS into the CSR field as shown:

Processing the CSR with Godaddy

Submit the request and then wait for Godaddy to process it, completing any domain control or other validation processes that may be required. Once the certificate processing is complete, download your new certificate from Godaddy. If this is the first time you have installed a Godaddy certificate on the server, you will also need to install on your server the intermediate certificates that come in the zip file. Further documentation on this can be found on the Godaddy website here.

Next install the new certificate using IIS manager. Again, right click the Citrix external website and choose ‘Properties’, then click on the ‘Directory Security’ tab. In the ‘Secure Communications’ section click on the ‘Server Certificate’ button. In the wizard choose ‘process the pending request and install the certificate’.

Processing the pending certificate request in IIS

Browse to the new certificate .crt file you downloaded from Godaddy and click next. You may need to select ‘All files’ to view this file.  

Now the next screen can cause a bit of a gotcha. By default the wizard wants to choose standard SSL port 443 to install this certificate on. If you select this port it will conflict with Citrix and cause an error message when accessing the website after installing the certificate. Make sure you select a different port in the wizard, such as 444, to prevent a conflict with Citrix Access Essentials, then click ‘Next’.

Select an SSL port other than 443, such as 444 in the wizard to prevent a conflict with Citrix

Failure to change the port will result in the error ‘Bad Gateway! The proxy server received an invalid response from the upstream server. Error 502’, which can be seen below:

Error message when installing new SSL certificate on Citrix Access Essentials/Xenapp Fundamentals Bad Gateway error 502

Review the final screen, and complete the wizard. Finally, run up the Citrix quick start tool and choose ‘Manage External Access’, under the ‘External Access’ section. From here you can choose the new certificate to use with Citrix Access Essentials. These steps are documented in the Citrix document. After that you’re done!

Renewing an SSL certificate on Exchange 2007

The other day I noticed event 64 with a source of CertificateServicesClient-Autoenrollment in the event log on one of our Exchange 2007 Client Access servers. I was aware that the SSL certificate on this server was due for renewal in the near future, but this was a timely reminder:

Event ID 64 Source CertificateServicesClient-AutoEnrollment

In order to double check which certificate was expiring on this CAS server, I ran the following command in the Exchange Management Shell:

Get-ExchangeCertificate | FL

This lists all the certificates that Exchange is using along with all the details of each certificate, including the thumbprint. You can compare the thumbprint on the event log message, to those in the list from the above command, to see which certificate the message is referring to.

Next you should create a new certificate signing request (CSR) by issuing the following command in the Exchange Management Shell:

New-ExchangeCertificate -GenerateRequest -Path c:\CERT_REQUEST.CSR -KeySize 2048 -SubjectName "c=GB, s=YOUR_COUNTY_OR_STATE, l=YOUR_CITY, o=YOUR_ORGANISATION_NAME, ou=YOUR_DEPARTMENT, cn=YOUR_SERVER_FQDN" -DomainName autodiscover.YOUR_DOMAIN_NAME, YOUR_SERVER_LOCAL_DOMAIN_NAME, YOUR_SERVER_NETBIOS_NAME -PrivateKeyExportable $True

In the example above the capitalised parameters can be described as follows:

CERT_REQUEST.CSR – The name of the file that the certificate request will be exported to, in this case to the root of the c:\ drive

YOUR_COUNTY_OR_STATE – The name of the county or state for the certificate

YOUR_CITY – The name of the city for the certificate

YOUR_ORGANISATION_NAME – The name of your Company

YOUR_DEPARTMENT – The name of your department

YOUR_SERVER_FQDN – The fully qualified domain name (i.e. the public name of your server, that is registered with your external DNS provider)

autodiscover.YOUR_DOMAIN_NAME – The subject alternative name for autodiscover where the YOUR_DOMAIN_NAME part is your external domain name

YOUR_SERVER_LOCAL_DOMAIN_NAME – The internal fully qualified domain name of your server, if it is different to the external fully qualified domain name

YOUR_SERVER_NETBIOS_NAME – The NETBIOS name of your server

For example:

New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.csr -KeySize 2048 -SubjectName "c=GB, s=Hampshire, l=Southampton, o=Oasysadmin Ltd, ou=IT Support, cn=YOUR_SERVER_FQDN" -DomainName autodiscover.YOUR_DOMAIN_NAME, mail.oasysadminltd.local, mail -PrivateKeyExportable $True

Another easy way to generate the New-ExchangeCertificate command for the certificate request is to use a free tool such as Digicert’s Exchange 2007 CSR Tool. Just fill in the fields and click generate, and then copy and paste the generated command into the Exchange Management Shell, and press enter to generate the CSR.

Once you have created your certificate signing request, you will need to open it in Notepad, and copy and paste the contents into the certificate renewal web page of your 3rd party SSL provider (e.g. Thawte, Verisign, Godaddy, Digicert to name just a few). This process cannot really be covered here, as it is different for all SSL certificate providers. When the certificate request has been processed and validated by your 3rd party SSL provider, they should provide you with a .cer or .crt certificate file which can be imported and enabled on your Exchange server.

Copy the .cer or .crt file issued by your SSL provider to a location on the Exchange server. In this example we have copied the .cer file to the root of the C:\ drive on the Exchange server, where NEW_CERT is the name of the file.

Import-ExchangeCertificate -Path c:\NEW_CERT.cer

Once the new certificate is imported, it needs to be enabled for specific Exchange services such as IIS, POP, IMAP and SMTP. To do this you will need the thumbprint of the new certificate, which you can get by issuing the following command again:

Get-ExchangeCertificate | FL

Once you have the thumbprint you can type in the following command to enable the certificate, where YOUR_THUMBPRINT is the thumbprint of your new certificate:

Enable-ExchangeCertificate -thumbprint YOUR_THUMBPRINT -services IIS,SMTP,POP,IMAP

Note that the above command enables this certificate for IIS, SMTP, POP and IMAP. You can enable the certificate for specific services only e.g. just IIS if you want.

You can verify that the new certificate is installed OK by connecting to the FQDN of your Exchange server in your preferred browser, and viewing the properties of the installed certificate.

For completeness, once you have verified that the new certificate is functioning properly, you can remove the old certificate by typing the following command in the Exchange Management Shell, where OLD_THUMBPRINT is the thumbprint of the old obsolete SSL certificate which you have now replaced:

Remove-ExchangeCertificate -thumbprint OLD_THUMBPRINT
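
Before running Remove-ExchangeCertificate, the browser check described above can be scripted so that the thumbprint actually served on port 443 is compared with the new certificate's thumbprint. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later, and the function names Get-ServedCertificate and Test-RenewedCertificate are hypothetical.

```powershell
# Added example: read the certificate a TLS endpoint actually serves and
# compare it with the thumbprint of the renewed certificate.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate so an expired or untrusted one can still be
        # inspected; the connection is used only to read the certificate.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Close() }
    } finally { $tcp.Close() }

    # Subject alternative names are stored in extension OID 2.5.29.17
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SAN        = $sanText
    }
}

function Test-RenewedCertificate {
    param([string]$HostName, [string]$ExpectedThumbprint, [int]$Port = 443)
    $served = Get-ServedCertificate -HostName $HostName -Port $Port
    # Thumbprints pasted from certificate dialogs often carry spaces or
    # invisible characters; keep only the hex digits before comparing.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $isNew = ($served.Thumbprint -eq $expected)
    $served | Add-Member -MemberType NoteProperty -Name IsNewCertificate -Value $isNew -PassThru
}

# Usage (placeholders as in the commands above):
# Test-RenewedCertificate -HostName YOUR_SERVER_FQDN -ExpectedThumbprint YOUR_THUMBPRINT
```

This only covers ports that start TLS immediately, such as 443 for IIS; services that upgrade a plain connection with STARTTLS (for example SMTP on port 25) are not checked by it.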