• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3972
  • Last Modified:

Citrix Secure Gateway - SSL certificate renewal GoDaddy - Windows 2003 IIS

We are running Secure Gateway 3.1 with SSL cert running fine with no issue.

Our SSL certificate authority is GoDaddy. It is now time to renew the SSL certificate so I have purchased renewal for another 2 years from GoDaddy.

GoDaddy asked me to generate CSR from my server and then paste the key into their website and then they will then send me the new/renewal certificate.

I have generated CSR from IIS 6.x and when i paste it on their website i get this error "The CSR key length must be 2048 or 4096"

I am now confused here when i go to the generate CSR "Server Certificate wizard" into my IIS it does not give me any option to select bit length beacuse i am not generating a new certificate on this server so it does not give me option for "request new certificate" because there is the existing certificate install so either it gives me option to "Renew the current certificate" or "Remove the current certificate" so for me it make sense to select "Renew the currently certificate" and then it create a text file called "certreq.txt" which i then option and copy and paste into Godaddy website but i get above error. What should i do here? any help will be appriciated.

I donot want to remove the current certificate as this is the live server and users are connected to this server. Can this renewal be seemless? Thanks
SSL-certificate-CSR-request.GIF
0
tech2010
Asked:
tech2010
  • 13
  • 10
  • 3
  • +1
1 Solution
 
Brad HoweDevOps ManagerCommented:
Hi Tech2010,

There is no way to do this with the current site. You will need to either remove it and create new request or create a dummy temp site to create the request and then assign it to your current website.

1. Create new website in IIS.
2. Open IIS Certificate Wizard under the new site.
3. Follow the steps and set the bit length to the proper length and all the details for the ssl cert.
4. Send it to GoDaddy for processing.
5. When you receive the certificate add it to your certificate store by double clicking on it and installing
    it.
6. Open IIS and remove the certificate from your current site and ASSIGN the new certificate to your    
    Website.

If you need more details steps, please let me know.

Cheers,
Hades666


0
 
Brad HoweDevOps ManagerCommented:
Hi,

This will get you updated with a 2048 bit ssl. The above URL is missing steps and for IIS7. Cheers.

Create temp website for request processing
1. Create new temp website in IIS.
2. Open IIS Certificate Wizard under the new site.
3. Follow the steps and set the bit length to the proper length and all the details for the ssl cert.
4. Send it to GoDaddy for processing.

Import received .cer from Godaddy.
1. Click START, RUN, MMC
2. Click File | Add/Remove Snap-in
3. Click ADD
4. Chose Certificates, Click ADD
5. Chose Computer Account.
6. Click Next, Finish, Close, OK.
7. On the left Browse to, Certificates (Local Computer)\Personal\Certificates
8. Right Click on Certificates Folder and click IMPORT.
9. Click Next, Browse to your certificate.cer.
10. Place it in "Personal".
11. Click Next, Finish and Close.

Assign it to the current proper website.
12. Open IIS Management.
13. Right Click on your website.
14. Go to Directory Security. Click on Server Certificate.
15. Click Replace current certificate.
16. select the new one you just imported from above. It should be listed in the certificate list.

If it is not, then you might have imported the certificate to the wrong store. It needs to be in "Certificates (Local Computer)\Personal\Certificates"

Delete temp website.
17. Delete temp website from IIS.

Let me know how it goes.

Cheers,
Hades666
0
[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

 
tech2010Author Commented:
Hades666, thanks for your steps. I will give it a try and will let you know soon.

Just a quick question, By generating CSR from the temp site and applying cert on currently live cert, will it work for my current site? I was just thinking because it generated on the basis on temp site?
0
 
tech2010Author Commented:
Hades666, I just noticed that "Replace the current certificate" option is greyed out.

I have not started your process yet but i just checked to see if i can see replace the current certificate option but it is greyed out. any thoughts on this?
0
 
Brad HoweDevOps ManagerCommented:
Hi,

Not a problem.

it is fine as long as you use the same friendly names and details etc.. The SSL is not tied to the Website. It is tied to the friendly name.

cheers,
Hades666
0
 
Brad HoweDevOps ManagerCommented:
That is because you only have 1 certificate currently in your store. Once you get the 2nd one, you will be able to replace it.

:)
Hades666
0
 
tech2010Author Commented:
ah. ic. thats good.

Is it safe that i create temp site on different machine to gernerate CSR, is it also not tied to the machine?
0
 
Brad HoweDevOps ManagerCommented:
Never tried that. I would think it should on the same machine to ensure the encryption is correct.

Just a though,
Hades666
0
 
tech2010Author Commented:
yes i think that make sense it must be tied to machine when generating key, will let you know. thanks again.
0
 
BLipmanCommented:
You should probably export the private key into a file with the cert before taking down the temp site and then you have everything you could need.  Otherwise I think the above instructions will do exactly what you need.  Remember to run the Secure Gateway Config tool once you have imported the new cert into IIS so you can choose the updated one; this is a two step process!
0
 
tech2010Author Commented:
BLipman, I could not understand what you meant by exporting private key into a file before taking down the temp site. I will not be importing anything into temp site so what should i export? please explain.

Thanks for reminding me to run Secure Gateway config tool after importing new cert into IIS. I thnk i was going to miss this step. thanks again.
0
 
tech2010Author Commented:
Hades666,

Just a quick question, I have completed 1 to 4 steps from your process. I have received .zip cert bundle from Godaddy. It has two files included in the zip, one is .crt and second is .p7b

What is .p7b, do i need to use this somewhere as well or as you just mentioned that import .cert file into localmachine/personal/certificates?

Also once i have imported the certificate and configured IIS and Secure Gateway. Do i need to select "Disable all purposes..." on previous certificate under localmachine/personal/certificates?

thanks
0
 
Brad HoweDevOps ManagerCommented:
Hi,

The .P7B file only contains certificates and chain certificates, not the private key. ThePKCS #7 is a container which may contain plain data, signed data, encrypted data, or combination of these. It may also contain set of certificates needed to validate the certification chain.

CRT, typically it is a binary X.509 certificate, encapsulated in text (base-64) encoding. This is what IIS needs :)

Import the .P7B to the default container and the the CRT to " localmachine/personal/certificates" or else you will not see it listed to replace.

Lastly, to be secure after removing the old cert from IIS,I would suggest diabling it. There is no real harm if you don't because IIS will no be serving or responding to it.

Let me know how it goes.

Cheers,
Hades666
0
 
Brad HoweDevOps ManagerCommented:
Straight from Godaddy Support.

Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):
1.Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2.In the Management Console, select File; then "Add/Remove Snap In."
3.In the Add/Remove Snap-In dialog, select Add.
4.In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5.Choose Computer Account; then click Next and Finish.
6.Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7.If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8.Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
9.Follow the wizard prompts to complete the installation procedure.
10.Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
11.Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
12.Click Finish.

Hades666
0
 
tech2010Author Commented:
Hadee66, you confused me here, so which one i should follow i mean what file i should then import .crt or .p7b?
0
 
Brad HoweDevOps ManagerCommented:

Sorry about that :( .  I tend it provide alot of information at times.

the .p7b is the Godaddy certificate Chain. you should follow the instructions provided by them - they are same ones i copied from a request i did through them a couple months ago.

The .crt needs to be imported into the localmachine/personal/certificates. In this folder, you should see your existing certificate.

The reason what hte .crt is import this way is because you are not renewing it through IIS Management, you will be simply replacing it.

Does this help,
Hades666
0
 
BLipmanCommented:
In general, when you move a cert, you don't want to lose the private key.  When you go into MMC->certificates, find the cert, export, check the box to export the private key.  
0
 
tech2010Author Commented:
so in other word i need to import both files?
0
 
Brad HoweDevOps ManagerCommented:
Yes, both files are required.
Hades666
0
 
tech2010Author Commented:
ok so i guess then when i am in mmc i need to import .p7b under "Intermediate Certification Authorities" not in "Personal/Certificate" and once i have imported .p7b then i can go in IIS and where i will select replace the certificate (hopeflully if not greyed out) and will select .crt this time and this should do the job. is it ok?
0
 
Brad HoweDevOps ManagerCommented:
Hi,

.p7b - Follow this
Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):
1.Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2.In the Management Console, select File; then "Add/Remove Snap In."
3.In the Add/Remove Snap-In dialog, select Add.
4.In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5.Choose Computer Account; then click Next and Finish.
6.Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7.If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8.Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
9.Follow the wizard prompts to complete the installation procedure.
10.Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
11.Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
12.Click Finish.


CRT - Follow this
Import received .cer from Godaddy.
1. Click START, RUN, MMC
2. Click File | Add/Remove Snap-in
3. Click ADD
4. Chose Certificates, Click ADD
5. Chose Computer Account.
6. Click Next, Finish, Close, OK.
7. On the left Browse to, Certificates (Local Computer)\Personal\Certificates
8. Right Click on Certificates Folder and click IMPORT.
9. Click Next, Browse to your certificate.cer.
10. Place it in "Personal".
11. Click Next, Finish and Close.

Then you will be able to select replace and see the certificate to change it :)

Cheers,
Hades666
0
 
tech2010Author Commented:
good stuff, will give it a go and will let you know. thanks
0
 
tech2010Author Commented:
Hades666,

I have followed your steps and imported certficate successfully in certificate stores and in IIS but when i now run "Secure Gateway Configuration Tool Wizard" and it shows me two certificate and when i select the new certificate and click on Next i get error message "The Server Certificate Specified is unuseable" and i can't go further if i select the newly imported certificate, however if i select my previous certificate then it go further. So my citrix SSL renewal process is still uncompleted as it is still showing my old SSL certificate when i logon via web interface. What is the problem here now and how can i resolve this issue. Thanks
0
 
tech2010Author Commented:
After looking this link from citrix  http://support.citrix.com/article/CTX118548

So now i  know the reason for this is that there is no private key associated with my new certificate as it does not show key icon at the bottom of the certificate in General tab, but now the question is how can i resolve this i mean how can i associate private key to this certificate which is already issued to me by godaddy?


0
 
tech2010Author Commented:
All working ok now, i tell you how i resolved this.

As per the error which clearly means that i had no private key associated to the new certificate so this is what i did to associate private key to the new certificate and then i was able to see key icon on the certificate at the bottom of general tab.

Here the link which i followed to associate private key http://support.microsoft.com/kb/889651

1. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
2. In the Certificate dialog box, click the Details tab.
3. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
4. Click Start, click Run, type cmd, and then click OK.
5. At the command prompt, type the following:
certutil -repairstore my "SerialNumber"

SerialNumber is the serial number that you wrote down in step 3.
6. In the Certificates snap-in, right-click Certificates, and then click Refresh.

The certificate now has an associated private key.

C:\>certutil -repairstore my "7e 9f 27 6f 13 38"
================ Certificate 0 ================
Serial Number: 7e9f276f1338
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=ht
tp://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=A
rizona, C=US
Subject: CN=mycitrix.pickfords.com, OU=Domain Control Validated, O=mycitrix.pick
fords.com
Non-root Certificate
Cert Hash(sha1): b4 17 55 dc 78 b1 8a 73 0a db e2 86 7a 69 e9 7c 14 40 c4 3d
  Key Container = 086e1027-0cd8-4f6d-b575-ea8efb22316a
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
0
 
BLipmanCommented:
Lol, remember when I warned you to make sure you exported and imported with the PK?  Good thing you resolved it!
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 13
  • 10
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now