Changing the server certificate on Citrix AppController

Not so long ago I set up the new Citrix AppController (part of the new Citrix Cloud Gateway Enterprise) in a test environment to get to know the product a little better. Setting up the server wasn’t too much of an hassle, albeit not much documentation is available. I successfully added some web applications, and SSO worked.

What did annoy me however that I still got the red address bar in my browser, indicating that the website is insecure. By default, the AppController uses a self-signed certificate – which is, ofcourse, untrusted. So there are two ways to solve this; the simplest one is just to trust the self-signed cert by importing it. The other is to create an official certificate to be used. The problem is that the documentation on is flawed, and will not work. So I had to figure it out myself. That’s what this post is about.

I’m not going to elaborate on how certificates work, I assume you have some working knowledge on the matter. To create the certificate we follow three steps:

Create a certificate request for the FQDN you’ll be using for the AppController

  1. Log on to the console of the AppController (eg with Putty)
  2. Remove the current private key
    sudo keytool -delete
    -alias tomcat -storepass changeit -keystore /root/.keystore
  3. Create a new key
    sudo /usr/java/jdk1.6.0_21/bin/keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -storepass changeit -keystore /root/.keystore
    You’ll be asked to fill in the details for the cert request. Important: When asked for “What is your first and last name?” enter the FQDN of the AppController, not your real first and last name!

Request a certificate from your Certificate Authority

  1. Create a certificate request
    sudo /usr/java/jdk1.6.0_21/bin/keytool -certreq -keyalg RSA -alias tomcat -file /home/admin/certreq.csr -storepass changeit -keystore /root/.keystore
  2. Use a SCP client, like WinSCP, to download the certificate request (/home/admin/certreq.csr) from the AppController onto your PC.
  3. Use the certificate request (it’s formatted in Base64 BTW) to request a certificate from your CA (your enterprise CA or a public CA). Download the certificate in PEM/Base64 format.

Installing the certificate

  1. Upload the certificate chain (make sure they’re all in PEM/Base64) to the AppController. Do this again with your SCP client. Upload the certificates to /home/admin/
  2. Import the root and intermediate certificates with
    sudo /usr/java/jdk1.6.0_21/bin/keytool -import -trustcacerts -alias root -file /home/admin/<root certificate> -storepass changeit -keystore /root/.keystore
  3. Finally, import the server certificate:
    sudo /usr/java/jdk1.6.0_21/bin/keytool -import -trustcacerts -alias tomcat -file /home/admin/<certificate> -storepass changeit -keystore /root/.keystore
  4. Reboot

There, now you have that nice white or green address bar 🙂