Mark III Systems Blog

Microsoft ADCS Secure Access Gateway with Citrix ADC

There are many components involved in running a certificate-based network. Trusted Corporate Devices need to establish trusted servers and certificate authorities (CA) to ensure proper certificates enrollment, users’ authentication, certificate life cycle and management to name a few.

Organizations running on Microsoft environments can use Microsoft CA to leverage Active Directory and Microsoft Certificate Services to distribute certificates to all domain-connected devices via group policies.  Active Directory Certificate Services (AD CS) is a Windows Server designed to issue and manage digital certificates proven to be more secure and easier to use than passwords.

Organization implementing a Secure Access Gateway commonly used a third-party Authority Service Provider Certificate from a public authority like DigiCert, Comodo, GoDaddy etc. resulting in additional operational costs; especially when implementing Secure Access Gateway Protocol as a Proof of Concept.

Utilize Microsoft Active Directly Certificate Services (ADCS), commonly deployed in most Small and Medium Businesses (SMB) is best for this scenario.

The configuration steps per demonstrated assume ADCS already deployed with Citrix StoreFront Servers and Citrix ADC (NetScaler) VPX, MDX, SDX etc. in the environment.

For ease of  implementation, the steps per illustrated divided into several sections as follow:

  1. Server Certificate Request
  2. Server Certificate Exports
  3. Root Certificate Export
  4. Internal Root CA Export & Download
  5. Root CA Certificate Installation - StoreFront Servers
  6. Server Wildcard Certificates Installation - StoreFront Servers
  7. Internal Server Certificate Installation - StoreFront Servers
  8. Load Balancer (Citrix ADC) Server Certificate Upload & Install
  9. Load Balancer (Citrix ADC) MSCA CA Root Certificate Installation
  10. Load Balancer (Citrix ADC) Server Certificate Link

 

Section 1: Steps to create Certificate Request from StoreFront (Web) Server

 

Open Internet Information Services (IIS) Manager from the StoreFront Server.

Select the Server name from the left pane under “Connections” section. In my case, it is “CTX715STF-01”.  From the right pane, under “IIS” section, select “Server Certificates” to start the Certificate creation process.Connections

 

 

 

 

 

From the right pane, select “Create Domain Certificate” to continue.

Create Domain Certificates

 

 

 

 

 

The “Distinguished Name Properties” screen displayed, enter appliable information per required. In the “Common Name:” field, enter a FQDN name with “*.” to be used as a wildcard; for example, in my case it is “*.lab.loc”.  Select the “Next” button to continue.

Distinguished Name

 

 

 

 

 

 

The “Online Certificate Authority” screen displayed with option to select Online Certificate Authority the Internal Microsoft Certificate Authority Sever (ADCS). Click on the “Select…” button to continue.

 

 

 

Select Certification AuthorityThe “Select Certification Authority” screen displayed. Pick the appropriate Microsoft CA for the environment and select the “OK” button to continue.

 

 

Once again, the “Online Certificate Authority” screen displayed, be sure to enter the “Friendly Name” for example in my case it is “mycitrix715lab”.

Friendly Name

 

 

 

 

 

The newly created server certificate should be created and displayed in the “Server Certificates” window.

Server Certificates

 

 

 

Section 2: Steps to Export Certificate from the StoreFront Server

To configures SSL protocol for other StoreFront Servers and ADC in the environment, the newly created Server Certificate from previous steps need to be exported.

  1. Launch MMC
    2. Select “File – Add/Remove Snap-in
    3. Double-click “Certificates
    4. Select “Computer Account
    5. Select the “Finish” button to complete the “Add/Remove” dialogs
    6. Navigate to Personal –> Certificates. The newly created wildcard certificate should be visible. Right click and select “All Task” -> “Export” option.

Personal Certificates

 

 

The “Welcome to the Certificate Export Wizard” screen displayed. Select the “Next” button to continue.

Certificate Export Wizard

 

 

 

The “Export Private Key” screen displayed, select the “No, do not export the private key” option. Select the “Next” button to continue.

Export Private Key

 

 

 

 

 

 

The “Export Private Key” screen displayed, select the “No, do not export the private key” option. Select the “Next” button to continue.Based-64

Provide the certificate with an applicable file name. For example, “Lab-Wildcard-Cert_3-4-21.cer” and select the “Save” button to continue.

Lab Wildcard

 

 

 

 

 

Section 3: Steps to Export the certificate with associated Private Key

 

From the MMC console, navigate to “Personal -> Certificates”, select the previously created Server Certificate for example, “*.lab.loc”. Right Click -> “All Task and “Export”.

The “Welcome to the Certificate Export Wizard” screen displayed. Select the “Next” button to continue.

Export Wizard

 

 

 

 

 

 

 

The “Export Private Key” screen displayed. Select the “Yes, export the private key” option.  Select the “Next” button to continue.

Export Private Key

 

 

 

 

 

 

 

The “Export File Format” screen displayed. Select the following options:

Personal Information Exchange PKCS #12 (.PFX)
Include all certificates in the certification path if possible
Export all extended properties

Based-64Select the “Next” button to continue.

 

The “Security” screen displayed. Add a password to the key file and select the “Next” button to continue.

Security

 

 

 

 

 

 

Provide the certificate with a file name. For example, “Lab-Wildcard-Cert-Key_3-4-21.cer” and select the “Save” button to continue.

 

 

Section 4: Steps to Export Internal Microsoft Root CA Certificate to allow corporate devices with trust relationship with the certificates from the Private CA previously exported.

 

Open a browser as an Administrator and navigate to http://10.1.X.X/certsrv. (This is the IP Address of the Domain Controller running Certification Authority Services or a standalone MSCA Server).

 Select “Download a CA Certificate, certificate chain, or CRL”

Download CA Certificate

The “Download a CA Certificate, Certificate Chain, or CRL” screen displayed. Select the appropriate CA Server for the environment.  Under the “Encoding Method” option, select “Base 64”.

Certificate Chain

 

 

 

 

 

 

 

Select the “Download CA Certificate” Once the download completed, rename the Certificate to reflect the environment, in my case, it is “Lab-RootCA-Certificate_3-4-21” for ease of identification.

 

 

Section 5: Steps to Install Root CA Certificates on the remaining Storefront Server

On the Storefront server, double click on the “Lab-RootCA-Certificate_3-4-21.cer” previously exported to start the installation process.

The “Certificate Information” screen displayed, select the “Install Certificate”

 

 

 

 

 

 

Select “Local Machine”

Select “Place all certificates in the following store” and select “Trusted Root Certification Authorities”

The Root CA is now installed on the host.

Section 6: Steps to Install Servers Wildcard Certificates on the remaining Storefront Server

 

On the Storefront server, double-click on the “Lab-Wildcard-Cert_3-4-21.pfx” certificate file to start to process.

The “Certificate Information” screen displayed, select the “Install Certificate”

 

 

 

 

 

Select “Local Machine”. Select the “Next” button to continue.

 

 

 

 

 

 

 

Enter the certificate’s password previously created.

In the “Certificate Store” options, select “Personal” or “Web Hosting” to install the Certificate.

 

 

 

 

 

 

 

 

Section 7: Steps to Install the key Certificate on Citrix ADC (NetScaler)

 

Access Citrix ADC (NetScaler) login page using the IP Address or DNS name record where applicable. In my case, it is http://10.1.x.x.

Navigate to Traffic Management -> SSL

Select “Import PKCS#12”

Output File Name: “Lab-Wildcard-Cert-key”
b. Choose File: “Lab-Wildcard-Cert-Key_3-4-21.pfx”.  This is the local certificate previously exported with the private key.
c. Input Password: Enter the secure password previously exported.
d. Encoding Format: “3DES”
f. PEM Passphrase: Enter a secure password where applicable.

 

 

 

 

 

 

Select the “OK” button to complete import process.

Sample View from Citrix ADC after successfully Imported the PKC12 Certificate:

 

 

 

Section 8: Step to upload applicable certificates to Citrix ADC

In the “Traffic Management” -> “SSL” section, select “Manage Certificates / Keys / CSRs

 

 

 

 

 

 

Select “Upload”
Select “Lab-Wildcard-Cert.cer”
Select “Upload” again to load the Root CA
Select “Lab-RootCA-Cert_3-4-21.cer”
Optionally, select “Lab-Wildcard-Cert-Key_3-4-21.pfx” and “Delete”.

Steps to install Server Certificates

 

Navigate to “Traffic Management” –> “SSL” –> “Certificates” –> “Server Certificates” and select the “Install” button to continue.

 

 

 

 

 

Select applicable Certificates for the environment.
Certificate-Key Pair Name: Lab-Wildcard-Cert-Key
Certificate File Name: Lab-Wildcard-Cert_3-4-21.cer
Select the Key File Name Previously Created: Lab-Wildcard-Cert-Key.Key
Password: Enter the PEM passphrase. Note: Use any passphrase key where applicable to the environment. In my case, I used the same password when exported the Certificates from previous steps.

 

 

 

 

 

 

Section 9: Steps to install MSCA Root Certificate

 

Navigate to “Traffic Management” –> “SSL” –> “Certificates” –> “CA Certificates” and select the “Install” button to continue.

 

Select applicable Certificates for the environment.
Certificate-Key Pair Name: “LabRootCA

Certificate File Name: “Lab-RootCA-Certificate_3-4-21.cer” and select the “Install” button to complete the process.

 

 

 

 

 

Section 10: Steps to link the “Server Certificate” to the “RootCA”

Navigate to “Traffic Management” –> “SSL” –> “Server Certificates” and select appliable Server Certificate for the environment. In my case, it is “Lab-Wildcard-Cert-Key”. Under the “Action” drop down list, select “Link” to continue.

The “Link Server Certificate(s)” window displayed, under the “CA Certificate Name” option, select applicable Root CA certificate for the environment.

 

 

 

 

 

MSCA Server/Root Certificates needed for Storefront Servers and Citrix ADC Secure Access Gateway protocol configurations completed.