Background: The scenario is you are changing the URL that clients will use for external access to your Citrix environment. Perhaps the environment has an SSL certificate for 1 website but is changing the name (ie. from storefront.contoso.com to go.contoso.com) or upgrading to a wildcard certificate. In any case, here are the general steps you can follow for this process:

  1. Create a Certificate Signing Request (CSR)
  2. Submit CSR to CA
  3. Download new certificate from CA
  4. Update External Gateway SSL Cert on NetScaler
  5. Update Certificate Links on NetScaler
  6. Update NetScaler Gateway settings on StoreFront
  7. Test

Pre-requisites:

  • Administrative access to NetScaler device that provides external access for your environment (also required if you plan on creating your CSR from the NetScaler)
  • Adminstrative access to StoreFront server
  • Access to an IIS server (I will be performing CSR from here)

Steps:

  1. I will be using IIS Manager on my StoreFront server to create the CSR in this example.
  2. Logon to the server and open IIS Manager (inetmgr.exe).
  3. Navigate to Server Certificates.

  4. On the right, select Create Certificate Request

  5. Fill out the certificate information with your enterprise information (example below).
    • Common Name: This is URL that users will enter to access the external gateway
    • Organization: Your organization name
    • Organizational Unit: Your department
    • City/Locality: Your city
    • State/province: Your state or province
  6. Country/region: Your country/region

  7. Click Next
  8. Choose appropriate Cryptographic Service Provider properties.
    • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
    • Bit length: 2048

  9. Click Next
  10. Specify a name for the CSR. Something along the lines of gocontosocomREQ.txt 
  11. Specify a location to save the CSR such as c:\temp or something similar.
  12. Submit the CSR to your Certificate Authority (CA). Generally, this involves copying the CSR text into a form provided by the CA. The CA will verify that you own the domain for the external site name you are requesting and than after a waiting period will issue you your certificate. The waiting period varies depending on the CA but can take a few minutes at best and a few days or longer at worst.
  13. Once the CA has approved your CSR, you can download your certificate.
  14. Place certificate in a temporary location, such as the c:\temp folder used in step #11.
  15. Return to IIS Manager on the server that you initiated the CSR from.
  16. From the Server level, navigate back to Server Certificates.
  17. Select Complete Certificate Request

  18. Select your download certificate. Also choose a friendly name.

  19. Click OK
  20. Select Export on the right side.

  21. Specify a file name and export location (such as the c:\temp location used previously). Also specify an export password.
  22. Open a browser and proceed to your NetScaler management gui.

  23. I am using NS11.0 build 66.11 at the moment. For builds 10.5 and later the navigation should be pretty much the same. If you are on an earlier build reference the appropriate support documentation on http://docs.citrix.com/.
  24. Navigate to System>Traffic Management>SSL>Certificates.
  25. Click Install

  26. Enter the appropriate information in the fields to install the certificate.
    • Certificate-Key Pair Name*: Certificate name.
    • Certificate File Name*: Location of certificate.pfx file
    • Key File Name: Location of certificate.pfx file
    • Certificate Format: PEM
    • Password: Password you specified in step #28

  27. Click Install
  28. Your certificate is now installed.
  29. Link your certificate with your CA intermediates by right-clicking on your certificate and selecting Link.

  30. Select the CA intermediate certificate and select OK. Note that I am assuming here that you had an SSL cert installed before and therefore have already installed your CA intermediate. If your hosting provider has not changed than the intermediate cert already installed can be used. Otherwise obtain your CA intermediate cert from your hosting provider and install it before proceeding with the previous step.
  31. Navigate to NetScaler Gateway>Virtual Servers. Select your external access VIP and select Edit

  32. Under Certificateschoose your Server Certificate.

  33. Unbind the old certificate by selecting it and clicking Unbind.

  34. Bind the new certificate by selecting Add Binding
  35. Select your new certificate and click Bind
  36. Return to the main configuration page and save your settings.
  37. Go to your StoreFront server and open the StoreFront console.
  38. Select the appropriate StoreFront Store for your environment

  39. On the right, select Manage NetScaler Gateway
  40. Select your NetScaler Gateway Appliance and select Edit

  41. In the General Settings tab update the Display Name and NetScaler Gateway URL.

  42. Click Apply
  43. Propagate your changes to your other StoreFront servers if applicable.
  44. Test your SSL installation on https://www.digicert.com/help/
  45. Correct any errors if the DigiCert SSL Diagnostics Tool finds any issues
  46. Test

Additional Notes:

  • If the CSR was incorrectly submitted to the CA (for example you accidently put an extra character while copying/pasting), you may get a generic error 1110 when attempting to launch a resource from StoreFront. This is a general communication error that can appear for several different issues but I’m adding an additional possible cause for it here for future reference.

Resources: