 |
|
Managed PKI for SSL Support
|
CSR Generation for Citrix Gateway
To generate a CSR, you need to create a key
pair for your server. These two items comprise a digital certificate
key pair and cannot be separated. If you lose your public/private key
file or your password and generate a new one, your SSL Certificate will
no longer match. You will have to request a new SSL Certificate from
your Managed PKI for SSL Administrator.
VeriSign recommends that you contact the Citrix
Gateway vendor for additional information.
Step 1: Create a Key Pair
When you generate a certificate renewal request,
you can accept the default details for the distinguishing name or override
them. This enables you to generate a number of requests by specifying
a common name for each server without having to re-enter the details.
When you run ctxcertreq, you are prompted for
the following information:
- The distinguishing name of the subject requesting the certificate
(the Secure Gateway server). Be sure to use the exact distinguishing
name. The distinguishing name is not validated by ctxcertreq. If the
information is incorrect, the certificate will not work and you must
request a new certificate at additional cost.
- A database password to be used to encrypt the private key.
- A number of random keystrokes
used to generate the key pair.
Step 2: Generate a Certificate Signing Request
Log on as the root user at the Secure Gateway server.
- At the command
prompt, enter:
ctxcertreq identifier [ -filename filename ] [ -clone clone-identifier
]
- ‘Identifier’ is
a unique label for the certificate request used by the Secure Gateway
certificate tools and is not included in the certificate request file
sent to the CA.
- ‘Filename’ specifies
the name of the certificate request file created. The default filename
is identifier.req in the current directory.
- ‘Clone’ renews a
certificate that is due to expire, where clone-identifier is the identifier
of the existing server certificate. The distinguishing name information
in the existing certificate may be copied to the certificate request
file. This option can be used to request a group of similar certificates,
as well as to renew a certificate.
- At the prompt,
type the distinguishing name parameters. If generating a certificate
renewal request, press Enter to accept the default distinguishing name.
- At the prompt,
type the database password used to encrypt the private key.
- Confirm the
database password.
- At the prompt,
start typing until ctxcertreq tells you to stop. It does not matter
what you type: letters, numbers, symbols, punctuation marks or control
characters.
- Go to your MPKI
for SSL enrolment pages. (Your administrator will provide you with this
URL.)
Terms Defined
Common Name
The Common Name is the Host + Domain Name.
It looks like "www.company.co.uk" or "company.co.uk".
VeriSign certificates can only be used on Web
servers using the Common Name specified during enrolment. For example,
a certificate for the domain "domain.co.uk" will receive a
warning if accessing a site named "www.domain.co.uk" or "secure.domain.co.uk",
because "www.domain.co.uk" and "secure.domain.co.uk"
are different from "domain.co.uk".
Organisation Information
- If your company
or department has an &, @, or any other symbol using the shift key
in its name, you must spell out the symbol or omit it to enrol.
- The “Org Unit” field
is the name of the department or organisation unit making the request.
- The Locality field
is the city or town name, for example: Guildford.
- Do not abbreviate
the county name, for example: Surrey.
- Use the two-letter
code without punctuation for country, for example: GB.
Contact Information
Your Managed PKI for SSL Administrator will
be responsible for issuing the certificate to you after your enrolment
has been completed. Please contact them for assistance.
|
|
|
