Renew Citrix Access Gateway SSL certificate

Ahhh… the time has come to replace those SSL certs on your CAGs.  Well most of the time we forget that the CAGs actually act as your CSG (Old School Citrix Secure Gateway) and your external sites are most liketly set up as “Gateway Direct” and pointing your return traffic to your CAG.  Meaning if your SSL cert expires, you can kiss those XenApp/XenDesktop connections good bye.

Keep one thing in mind… your SSL certs do not need to be on your Web Interface boxes (common misunderstanding that I hear all the time).  If you have NetScalers you can do SSL Offloading, but will not get into that now.

Luckly the process is really simple, if you google this, you may get confused with the OPENSSL conversion process, etc.  Here is what you need to do.

    • Generate the CSR on any IIS server via the IIS Certificate Wizard (not the CAG)
    • Send the CSR to your CA (Thawte, Verisign, GoDaddy, etc),
    • Import the certificate received from your CA via the certificate wizard to the same IIS box you used.
    • Export the certificate (including the private key! ) via the MMC Certificate Snap-in into a .pfx file and password protected if needed.
    • Convert the .pfx file to .pem format using OPENSSL – You can follow these steps (good luck!)
    • Or use a a tool developed by the OpenSSL Project called PFX2PEM which will simply allow you to drop the .pfx file into a .wds script which will convert it to PEM. Follow this link to get the tool and also read a bit on the the process (really simple)
    • Once you extract the file to .pem, import the file onto your CAG.
    • In addition, depending on the CA, you may need to upload their intermediate certificates as well.

The pem and root certs are managed on the Administration tab of your CAG


About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

5 Responses to Renew Citrix Access Gateway SSL certificate

  1. Juanito..!! says:

    This solution actually WORKS !!! Thanks a lot.

  2. chrzanowski says:

    Hi I use active directory certificate services
    1 on the cag I click on new then copy the begin with end with
    2 connect to iis and creeh create a cer and download the ca cer
    3 but i cannot install it on the cag. ehat must I do pem?

    • CyberRuiz says:

      Since you are using IIS, export the certificate as a .PFX file, then use the PFX to PEM utility I mention on this post to covert it from PFX to PEM.

      Then install the PEM certificate


  3. Sunil says:

    I have the same thing to do, but while exporting the certificate on IIS , the option to export into pfx is grayed out, also export private key option is grayed out. any idea?

    • CyberRuiz says:

      Sorry for the delay getting back to you. It seems the pfx is grayed out since it was created and not marked to be exportable.
      I suggest you get the original cert and import it to the IIS box however make it exportable so you don’t have issues doing this.

      Hope that helps

Leave a Reply to Juanito..!! Cancel reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: