Citrix Access Gateway
1. Enabling SSL communication security on Citrix Access Gateway
1.1. Generating a Certificate Signing Request (CSR) using Citrix Access Gateway
1.2. Installing your Digi-SSL™ Certificate on Citrix Access Gateway
1.2.1. Installing your Digi-SSL™ Certificate
1.2.2. Installing the CA Certification Path containing the Root & Intermediate CA Certificates
2. Requiring Client Certificates for Authentication
2.1. Defining Client Certificate Criteria
2.2. Using Client Certificates with Access Gateway Advanced Edition
2.3. Selecting an Encryption Type for Client Connections
3. Obtaining a Digi-Access™ Client Certificate from Digi-Sign
3.1. Applying for a Digi-Access™ Certificate
3.2. Activating and Installing a Digi-Access™ Certificate
To enable the SSL facility on Citrix Access Gateway, an SSL (Digi-SSL™) certificate is required.
A Digi-SSL™ certificate can be obtained directly from Digi-Sign; the application requires a CSR (Certificate Signing Request).
A CSR is a text file containing your certificate application information, including your public key, company name and the Common Name (usually the Fully Qualified Domain Name, FQDN, of the host).
Generate your CSR and then copy and paste the contents of the CSR file into the Digi-Sign Digi-SSL™ web application form [1], or send the CSR by email to your account manager at Digi-Sign.
Overview of the Certificate Signing Request
Before you can upload a certificate to the Access Gateway, you need to generate a Certificate Signing Request (CSR) and a private key. The CSR is created with the Certificate Request Generator included in the Administration Tool, a wizard that produces a .csr file. Once the file is created, you email it to the Certificate Authority [2] (Digi-Sign) for signing or paste it into the online enrolment form. Digi-Sign signs the certificate and returns it to the email address you provided. When you receive it, install it on the Access Gateway.
To provide secure communications using SSL/TLS, a server certificate is required on the Access Gateway. The steps required to obtain and install a server certificate on the Access Gateway are as follows:
Private keys that are generated with the Certificate Signing Request are stored in an encrypted and password-protected format on the Access Gateway. When creating the Certificate Signing Request, you are asked to provide a password for the private key. The password is used to protect the private key from tampering and it is also required when restoring a saved configuration to the Access Gateway. Passwords are used whether the private key is encrypted or unencrypted. When you upgrade to Version 4.5 and save the configuration file, it cannot be used on earlier versions of the Access Gateway. If you attempt to upload the Version 4.5 configuration file to an earlier version, the Access Gateway becomes inoperable.
You can also import password-protected certificate and private key pairs in PKCS#12 format. This allows encrypted, password-protected private keys and certificates created on the Access Gateway to be imported.
Caution: If you save the configuration on Version 4.5 of the Access Gateway, do not install it on an earlier version of the appliance. Because the private key is encrypted in Version 4.5, older versions cannot decrypt it and the appliance becomes inoperable.
The CSR is generated using the Certificate Request Generator in the Administration Tool.
2. On the Certificate Signing Request tab, type the required information in the fields and then click Generate Request.
Note: In the Access Gateway FQDN field, type the same FQDN that is on the General Networking tab. In Password, type the password for the private key.
3. A .csr file is created. Save the certificate request on the local computer.
4. Email the certificate request to Digi-Sign or paste it into the online enrolment form. Digi-Sign returns a signed certificate to you by email. When you receive the signed certificate, install it on the Access Gateway.
Note: When you save the Access Gateway configuration, any certificates that are already installed are included in the backup.
After you create the certificate request and send it to the Certificate Authority (Digi-Sign), refrain from performing the following tasks on the Access Gateway until you receive the signed certificate back and install it on the appliance:
- Uploading a saved configuration file
- Publishing configuration settings from another appliance in the cluster
To install a certificate file using the Administration Tool
You can also upload the certificate using the Administration Portal.
You will need to install the chain certificates (certification path) in order for browsers to trust your certificate.
As well as your Digi-SSL™ certificate (yourdomainname.cer), two other certificates, named UTN-USERFirst-Hardware.crt and Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt, may also be attached to the email from Digi-Sign. Install them by following the instructions below.
To install a Root CA Certificate on the Access Gateway
Repeat steps 1 to 4 to install the Digi-Sign Root CA certificate; this enables the Access Gateway to trust Digi-Access™ client certificates.
If you want additional authentication, you can configure the Access Gateway to require client certificates [3] for authentication.
The Access Gateway can authenticate a client certificate that is stored in either of these locations:
- In the certificate store of the Windows operating system on the client computer.
- In a smart card or a hardware token. In this case, the certificate is embedded within the smart card and read from a smart card reader attached to the network.
Note: The Access Gateway is configured in the same way regardless of whether the certificates are stored in the Windows operating system or on a smart card. No special configurations are required to support client certificates stored in either of these locations.
If clients connect using kiosk mode or from a Linux computer, client-side certificates are not supported. If client certificates are enabled on the Access Gateway, Linux clients and kiosk mode do not work.
If you configure the Access Gateway to require client certificates, every user who logs on through the Access Gateway must present a secure client certificate. The certificate can originate from the certificate store in Windows or a smart card.
To specify criteria that client certificates must meet, use a Boolean expression. To belong to a group, the user must meet the certificate criteria in addition to passing all other authentication rules that are configured for that group. For example, the following criteria require that the subject field of the client certificate provided by a user has the Organizational Unit (OU) set to Accounting and the Common Name (CN) attribute set to a value matching the user's local user name on the Access Gateway:
    client_cert_end_user_subject_organizational_unit="Accounting" and username=client_cert_end_user_subject_common_name
Valid operators for the client certificate criteria are as follows:
    =       equality test
Valid constants for the criteria are:
    true    logical TRUE
Valid variables for the criteria are:
    username                                           local user name on the Access Gateway
    client_cert_end_user_subject_common_name           CN attribute of the Subject of the client certificate
    client_cert_end_user_subject_organizational_unit   OU attribute of the Subject of the client certificate
    client_cert_end_user_subject_organization          O attribute of the Subject of the client certificate
Values in the client certificate criteria must be enclosed in quotation marks; otherwise the expression does not work. A correct and an incorrect example:
The Boolean expression client_cert_end_user_subject_common_name="clients.gateways.citrix.com" is valid and works.
The Boolean expression client_cert_end_user_subject_common_name=clients.gateways.citrix.com is not valid and does not work.
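The criteria syntax above can be exercised with a small evaluator. This is an added example, not Citrix or Digi-Sign code; it assumes only the `=` operator, the `true` constant, the four variables and the `and` conjunction shown on this page, and it rejects unquoted literals the way the gateway does. The username and subject values used to drive it are constructed.

```python
import re

# Variables the Access Gateway exposes for client certificate criteria (from the page).
CRITERIA_VARIABLES = {
    "username",
    "client_cert_end_user_subject_common_name",
    "client_cert_end_user_subject_organizational_unit",
    "client_cert_end_user_subject_organization",
}
_CLAUSE = re.compile(r'^\s*(?P<lhs>\S+?)\s*=\s*(?P<rhs>.+?)\s*$')
_QUOTED = re.compile(r'^"([^"]*)"$')

def criteria_context(username, subject):
    """Build the evaluation context from the local username and the CN/OU/O
    attributes of the client certificate subject (a dict, as read from the cert)."""
    return {
        "username": username,
        "client_cert_end_user_subject_common_name": subject.get("CN"),
        "client_cert_end_user_subject_organizational_unit": subject.get("OU"),
        "client_cert_end_user_subject_organization": subject.get("O"),
    }

def _operand(token, context):
    """Resolve one side of an equality test: a quoted literal, the constant
    true, or one of the criteria variables. Anything else is rejected, which is
    how an unquoted value such as clients.gateways.citrix.com fails."""
    quoted = _QUOTED.match(token)
    if quoted:
        return quoted.group(1)
    if token == "true":
        return True
    if token in CRITERIA_VARIABLES:
        return context.get(token)
    raise ValueError(f"invalid operand {token!r}: literal values must be quoted")

def evaluate_criteria(expression, context):
    """Evaluate clauses of the form operand=operand joined by 'and' against the
    context; True only when every equality test holds. Every clause is validated
    even after one has failed. (A quoted literal containing ' and ' is not supported.)"""
    result = True
    for clause in re.split(r"\s+and\s+", expression.strip()):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"malformed clause {clause!r}")
        lhs = _operand(m.group("lhs"), context)
        rhs = _operand(m.group("rhs"), context)
        result = (lhs == rhs) and result
    return result
```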
To specify client certificate configuration:
Note: Client certificate configuration is not available for the default user group.
2. On the Client Certificate tab, under Client certificate criteria expression, type the certificate information. Click OK.
The Access Gateway and the servers running Advanced Edition can both be required to use secure client certificates. Use the following guidelines when configuring for client certificate use:
All communications between the Secure Access Client and the Access Gateway are encrypted with SSL. The SSL protocol allows two computers to negotiate encryption ciphers to accomplish the symmetric encryption of data over a secure connection.
You can select the specific cipher that the Access Gateway uses for the symmetric data encryption on an SSL connection. Selecting a strong cipher reduces the possibility of malicious attack. The security policies of your organization may also require you to select a specific symmetric encryption cipher for secure connections.
Note: If you are using the Access Gateway to provide access to Citrix Presentation Server, ICA traffic transmitted to the Access Gateway is also encrypted using these ciphers.
You can select RC4, 3DES, or AES encryption ciphers for SSL connections. The default setting is RC4 128-bit. The MD5 or SHA hash algorithm is negotiated between the client and the server.
The Access Gateway uses RSA for public key encryption in a secure connection. The encryption ciphers and hash algorithms that you can select for symmetric encryption are listed below:
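As an added check that is not part of the original document, the following Python uses the standard `ssl` module to show which concrete TLS cipher suites a current client stack can still negotiate for each symmetric cipher the Access Gateway lets you select, so that a choice no modern client can use shows up before it is configured. The mapping of RC4, 3DES, AES, MD5 and SHA to OpenSSL cipher-string selectors is my assumption.

```python
import ssl

# The symmetric ciphers an Access Gateway administrator can choose between
# (from the page), as OpenSSL cipher-string selectors (assumed mapping).
CIPHER_FAMILIES = {"RC4": "RC4", "3DES": "3DES", "AES": "AES"}
# The hash algorithms the page says are negotiated with the client.
HASH_SELECTORS = {"MD5": "MD5", "SHA": "SHA1"}

def negotiable_suites(family, hash_alg=None):
    """Return the TLS 1.0-1.2 cipher suite names the local client stack can
    still offer for one gateway cipher family (RC4, 3DES or AES) authenticated
    with an RSA server certificate, optionally limited to MD5 or SHA MACs.
    An empty list means a client built on this stack cannot negotiate that
    gateway setting at all.
    """
    selector = CIPHER_FAMILIES[family] + "+aRSA"
    if hash_alg is not None:
        selector += "+" + HASH_SELECTORS[hash_alg]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(selector)
    except ssl.SSLError:
        # OpenSSL rejects a selector that matches no enabled cipher, which is
        # what happens for RC4 (and MD5 MACs) on current builds.
        return []
    # TLS 1.3 suites are always listed and are not affected by the selector.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def gateway_cipher_report():
    """Map each selectable gateway cipher family to the suites a modern client
    would still negotiate; weak choices appear as empty lists."""
    return {family: negotiable_suites(family) for family in CIPHER_FAMILIES}

if __name__ == "__main__":
    for family, suites in gateway_cipher_report().items():
        print(f"{family:5s} {len(suites):2d} suite(s): {', '.join(suites) or '(none)'}")
```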
To select an encryption type for client connections:
At this stage a private and public key pair is generated, and the CSR [5] (Certificate Signing Request) is submitted to the Digi-Sign system along with the user's application details.
Once the user's Digi-Access™ application is approved by the Digi-Sign Validations Department, the end user receives an e-mail message containing instructions on how to activate and install the Digi-Access™ certificate, along with the relevant Digi-Access™ Certificate activation URL.
Once you have opened the activation URL, click the Collect your Digi-Access™ Certificate button.
Note: Because the private key is stored in the Windows user account's registry container, you (or the end user) must open the Digi-Access™ activation URL on the same computer and with the same Windows user account that was originally used to apply for the Digi-Access™ Certificate. If these do not match, the Digi-Access™ Certificate will not be installed.
The Digi-Access™ Certificate should now be installed on your PC. You can check this by opening Microsoft Internet Explorer, opening the Tools menu, choosing Internet Options, selecting the Content tab and clicking the Certificates button. The Digi-Access™ Certificate should be listed under the Personal tab.
If you have set up the authentication rules using the Requiring Client Certificates for Authentication configuration described in section 2, the Digi-Access™ setup is now complete. The user can now connect to your Digi-Access™ protected web site using your web site URL with https:// typed before the web site name, or using the Citrix Client Application.
Once connected to the Citrix Access Gateway, the user is asked for a Digi-Access™ Client Certificate. If a Digi-Access™ Certificate matching the rules you created is present on the user's machine, access is granted; otherwise the user is not allowed to access the website or application protected by Citrix Access Gateway.
For any technical information which is not included in this document, or for further technical support, contact your appliance vendor or Digi-Sign Support Department by email at support@digi-sign.com [6] or by telephone: +44 (800) 845-6718.
Thank you for your Custom!
Digi-Sign Technical Department
E: support@digi-sign.com [6]
W: http://www.digi-sign.com [7]
Links:
[1] https://www.digi-sign.com/order/digi-ssl/
[2] http://www2.digi-sign.com/certificate+authority
[3] http://www2.digi-sign.com/digital+certificate
[4] mailto:production@digi-sign.com
[5] http://www2.digi-sign.com/support/digi-ssl/generate+csr
[6] mailto:support@digi-sign.com
[7] http://www.digi-sign.com