Renew Citrix Access Gateway SSL certificate

Ahhh… the time has come to replace those SSL certs on your CAGs. Most of the time we forget that the CAGs actually act as your CSG (old school Citrix Secure Gateway) and that your external sites are most likely set up as “Gateway Direct”, pointing your return traffic at your CAG. Meaning if your SSL cert expires, you can kiss those XenApp/XenDesktop connections goodbye.

Keep one thing in mind… your SSL certs do not need to be on your Web Interface boxes (a common misunderstanding that I hear all the time). If you have NetScalers you can do SSL Offloading, but I will not get into that here.

Luckily the process is really simple; if you google this, you may get confused by the OpenSSL conversion process, etc. Here is what you need to do.

    • Generate the CSR on any IIS server via the IIS Certificate Wizard (not on the CAG).
    • Send the CSR to your CA (Thawte, Verisign, GoDaddy, etc.).
    • Import the certificate received from your CA via the Certificate Wizard on the same IIS box you used to generate the CSR.
    • Export the certificate (including the private key!) via the MMC Certificates snap-in into a .pfx file, password protected if needed.
    • Convert the .pfx file to .pem format using OpenSSL – you can follow these steps (good luck!).
    • Or use a tool developed by the OpenSSL Project called PFX2PEM, which simply lets you drop the .pfx file onto a .wds script that converts it to PEM. Follow this link to get the tool and also read a bit on the process (really simple).
    • Once you have extracted the file to .pem, import the file onto your CAG.
    • In addition, depending on the CA, you may need to upload their intermediate certificates as well.
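The conversion and import-check steps above, done with the openssl command line rather than the PFX2PEM tool. This is an added example and not the post's own instructions: it assumes openssl is installed, and the file names, the password and the self-signed test CA it builds are constructed stand-ins for the CA-issued certificate you exported from IIS. It also checks the two things that most often make a CAG import fail, a private key that does not match the certificate (exported without the key) and a missing intermediate.

```shell
#!/bin/sh
# Added example: turn a password-protected .pfx exported from the MMC
# Certificates snap-in into the .pem the Access Gateway expects, then verify it.
# Assumptions: openssl on PATH; WORK and PFX_PASS are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"   # placeholder; use the password chosen at export time

# make_test_pfx builds a CONSTRUCTED stand-in for the CA-issued certificate so the
# script runs offline: a self-signed "CA", a leaf cert for the gateway name, and
# both bundled with the leaf's private key into gateway.pfx (what IIS would export).
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/leaf.crt" -days 2 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/gateway.pfx"
}

# pfx_to_pem splits the .pfx into key, server certificate and chain, then writes
# one PEM holding the unencrypted key followed by the server certificate.
# Note: a .pfx exported by older Windows versions may use RC2-40 encryption; with
# OpenSSL 3.x those need "-legacy" added to each "openssl pkcs12 -in" below.
pfx_to_pem() {
    pfx="$1"; pem="$2"
    # private key, left unencrypted (-nodes) so the appliance loads it without a passphrase
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes -out "$WORK/key.raw"
    # the server (leaf) certificate only
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys -out "$WORK/cert.raw"
    # intermediate/root certificates that were bundled in the export (upload separately)
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -cacerts -nokeys -out "$WORK/chain.pem"
    # re-emit key and cert to strip the "Bag Attributes" headers pkcs12 adds
    openssl pkey -in "$WORK/key.raw" -out "$WORK/key.pem"
    openssl x509 -in "$WORK/cert.raw" -out "$WORK/cert.pem"
    cat "$WORK/key.pem" "$WORK/cert.pem" > "$pem"
}

# check_pem returns 0 only if the private key in the PEM matches the certificate's
# public key and the certificate validates against the extracted chain.
check_pem() {
    pem="$1"
    key_pub=$(openssl pkey -in "$pem" -pubout -outform DER | openssl sha256)
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$WORK/chain.pem" "$WORK/cert.pem" >/dev/null
}

make_test_pfx
pfx_to_pem "$WORK/gateway.pfx" "$WORK/gateway.pem"
check_pem "$WORK/gateway.pem" && echo "ready to upload: $WORK/gateway.pem (chain: $WORK/chain.pem)"
```

Upload `gateway.pem` as the server certificate and `chain.pem` as the intermediate/root certificates; the key-match check is the one to run before every renewal, because an export made without ticking "include the private key" produces a .pfx that converts cleanly but can never serve TLS.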

The .pem and root certificates are managed on the Administration tab of your CAG.