tech2010

asked on

Citrix Secure Gateway - SSL certificate renewal GoDaddy - Windows 2003 IIS

We are running Secure Gateway 3.1 with SSL cert running fine with no issue.

Our SSL certificate authority is GoDaddy. It is now time to renew the SSL certificate, so I have purchased a renewal for another 2 years from GoDaddy.

GoDaddy asked me to generate a CSR from my server and then paste the key into their website, and they will then send me the new/renewal certificate.

I have generated a CSR from IIS 6.x, and when I paste it on their website I get this error: "The CSR key length must be 2048 or 4096".

I am now confused here. When I go to generate the CSR with the "Server Certificate wizard" in my IIS, it does not give me any option to select the bit length, because I am not generating a new certificate on this server. It does not give me the option "Request new certificate" because there is an existing certificate installed, so it only gives me the options "Renew the current certificate" or "Remove the current certificate". For me it makes sense to select "Renew the current certificate", and then it creates a text file called "certreq.txt", which I then open and copy and paste into the GoDaddy website, but I get the above error. What should I do here? Any help will be appreciated.

I do not want to remove the current certificate, as this is the live server and users are connected to this server. Can this renewal be seamless? Thanks
SSL-certificate-CSR-request.GIF
Brad Howe

Hi Tech2010,

There is no way to do this with the current site. You will need to either remove it and create a new request, or create a dummy temp site to create the request and then assign the certificate to your current website.

1. Create new website in IIS.
2. Open IIS Certificate Wizard under the new site.
3. Follow the steps and set the bit length to the proper length and all the details for the ssl cert.
4. Send it to GoDaddy for processing.
5. When you receive the certificate, add it to your certificate store by double clicking on it and installing it.
6. Open IIS, remove the certificate from your current site and assign the new certificate to your website.

If you need more details steps, please let me know.

Cheers,
Hades666


Hi,

This will get you updated with a 2048-bit SSL certificate. The above URL is missing steps and is for IIS7. Cheers.

Create temp website for request processing
1. Create new temp website in IIS.
2. Open IIS Certificate Wizard under the new site.
3. Follow the steps and set the bit length to the proper length and all the details for the ssl cert.
4. Send it to GoDaddy for processing.

Import received .cer from Godaddy.
1. Click START, RUN, MMC
2. Click File | Add/Remove Snap-in
3. Click ADD
4. Choose Certificates, Click ADD
5. Choose Computer Account.
6. Click Next, Finish, Close, OK.
7. On the left Browse to, Certificates (Local Computer)\Personal\Certificates
8. Right Click on Certificates Folder and click IMPORT.
9. Click Next, Browse to your certificate.cer.
10. Place it in "Personal".
11. Click Next, Finish and Close.

Assign it to the current proper website.
12. Open IIS Management.
13. Right Click on your website.
14. Go to Directory Security. Click on Server Certificate.
15. Click Replace current certificate.
16. Select the new one you just imported from above. It should be listed in the certificate list.

If it is not, then you might have imported the certificate to the wrong store. It needs to be in "Certificates (Local Computer)\Personal\Certificates"

Delete temp website.
17. Delete temp website from IIS.

Let me know how it goes.

Cheers,
Hades666
tech2010 (ASKER)

Hades666, thanks for your steps. I will give it a try and will let you know soon.

Just a quick question: by generating the CSR from the temp site and applying the cert to the currently live site, will it work for my current site? I was just thinking, because it was generated on the basis of the temp site?
Hades666, I just noticed that "Replace the current certificate" option is greyed out.

I have not started your process yet, but I just checked to see if I can see the "Replace the current certificate" option, and it is greyed out. Any thoughts on this?
Hi,

Not a problem.

It is fine as long as you use the same friendly names and details etc. The SSL is not tied to the website. It is tied to the friendly name.

cheers,
Hades666
That is because you only have 1 certificate currently in your store. Once you get the 2nd one, you will be able to replace it.

:)
Hades666
Ah, I see, that's good.

Is it safe that I create the temp site on a different machine to generate the CSR? Is it also not tied to the machine?
Never tried that. I would think it should be on the same machine to ensure the encryption is correct.

Just a thought,
Hades666
Yes, I think that makes sense; it must be tied to the machine when generating the key. Will let you know. Thanks again.
You should probably export the private key into a file with the cert before taking down the temp site and then you have everything you could need.  Otherwise I think the above instructions will do exactly what you need.  Remember to run the Secure Gateway Config tool once you have imported the new cert into IIS so you can choose the updated one; this is a two step process!
BLipman, I could not understand what you meant by exporting the private key into a file before taking down the temp site. I will not be importing anything into the temp site, so what should I export? Please explain.

Thanks for reminding me to run the Secure Gateway config tool after importing the new cert into IIS. I think I was going to miss this step. Thanks again.
Hades666,

Just a quick question: I have completed steps 1 to 4 of your process. I have received a .zip cert bundle from GoDaddy. It has two files included in the zip, one .crt and one .p7b.

What is the .p7b? Do I need to use this somewhere as well, or, as you just mentioned, do I just import the .crt file into localmachine/personal/certificates?

Also, once I have imported the certificate and configured IIS and Secure Gateway, do I need to select "Disable all purposes..." on the previous certificate under localmachine/personal/certificates?

thanks
Hi,

The .P7B file only contains certificates and chain certificates, not the private key. The PKCS #7 is a container which may contain plain data, signed data, encrypted data, or a combination of these. It may also contain the set of certificates needed to validate the certification chain.

A CRT is typically a binary X.509 certificate, encapsulated in text (base-64) encoding. This is what IIS needs :)

Import the .P7B to the default container and the CRT to "localmachine/personal/certificates", or else you will not see it listed to replace.

Lastly, to be secure after removing the old cert from IIS, I would suggest disabling it. There is no real harm if you don't, because IIS will not be serving or responding to it.

Let me know how it goes.

Cheers,
Hades666
Straight from Godaddy Support.

Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):
1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2. In the Management Console, select File; then "Add/Remove Snap In."
3. In the Add/Remove Snap-In dialog, select Add.
4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5. Choose Computer Account; then click Next and Finish.
6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
11. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
12. Click Finish.

Hades666
Hades666, you confused me here, so which one should I follow? I mean, which file should I then import, .crt or .p7b?

Sorry about that :( . I tend to provide a lot of information at times.

The .p7b is the GoDaddy certificate chain. You should follow the instructions provided by them; they are the same ones I copied from a request I did through them a couple of months ago.

The .crt needs to be imported into the localmachine/personal/certificates. In this folder, you should see your existing certificate.

The reason the .crt is imported this way is because you are not renewing it through IIS Management; you will simply be replacing it.

Does this help?
Hades666
In general, when you move a cert, you don't want to lose the private key.  When you go into MMC->certificates, find the cert, export, check the box to export the private key.  
So in other words I need to import both files?
Yes, both files are required.
Hades666
OK, so I guess when I am in MMC I need to import the .p7b under "Intermediate Certification Authorities", not in "Personal/Certificates", and once I have imported the .p7b I can go into IIS, select "Replace the certificate" (hopefully not greyed out) and select the .crt this time, and this should do the job. Is that OK?
ASKER CERTIFIED SOLUTION
Brad Howe

This solution is only available to members.
Good stuff, will give it a go and will let you know. Thanks
Hades666,

I have followed your steps and imported the certificate successfully into the certificate stores and into IIS, but when I now run the "Secure Gateway Configuration Tool Wizard" it shows me two certificates, and when I select the new certificate and click Next I get the error message "The Server Certificate Specified is unusable" and I can't go further. If I select my previous certificate it goes further. So my Citrix SSL renewal process is still incomplete, as it is still showing my old SSL certificate when I log on via the web interface. What is the problem here now and how can I resolve this issue? Thanks
After looking at this link from Citrix: http://support.citrix.com/article/CTX118548

So now I know the reason for this is that there is no private key associated with my new certificate, as it does not show the key icon at the bottom of the certificate in the General tab. But now the question is how can I resolve this, I mean how can I associate a private key with this certificate which has already been issued to me by GoDaddy?


All working OK now; I'll tell you how I resolved this.

As per the error, which clearly means that I had no private key associated with the new certificate, this is what I did to associate the private key with the new certificate, and then I was able to see the key icon on the certificate at the bottom of the General tab.

Here the link which i followed to associate private key http://support.microsoft.com/kb/889651

1. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
2. In the Certificate dialog box, click the Details tab.
3. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
4. Click Start, click Run, type cmd, and then click OK.
5. At the command prompt, type the following:
certutil -repairstore my "SerialNumber"

SerialNumber is the serial number that you wrote down in step 3.
6. In the Certificates snap-in, right-click Certificates, and then click Refresh.

The certificate now has an associated private key.

C:\>certutil -repairstore my "7e 9f 27 6f 13 38"
================ Certificate 0 ================
Serial Number: 7e9f276f1338
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=ht
tp://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=A
rizona, C=US
Subject: CN=mycitrix.pickfords.com, OU=Domain Control Validated, O=mycitrix.pick
fords.com
Non-root Certificate
Cert Hash(sha1): b4 17 55 dc 78 b1 8a 73 0a db e2 86 7a 69 e9 7c 14 40 c4 3d
  Key Container = 086e1027-0cd8-4f6d-b575-ea8efb22316a
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
Lol, remember when I warned you to make sure you exported and imported with the PK?  Good thing you resolved it!
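Two checks from this thread are worth automating before touching a live server: the CA's rejection of the first CSR ("The CSR key length must be 2048 or 4096") and the later "tied to the machine" / missing-private-key problem, which comes down to the issued certificate carrying the same public key as the CSR while the private key only exists where that CSR was generated. The script below is an added example and not part of the thread or of any Citrix, GoDaddy or Microsoft tooling. It uses only the Python standard library: a small DER walker extracts the RSA modulus from any PEM CSR or certificate, reports its bit length, applies the CA's 2048/4096 rule, and confirms that a certificate matches the CSR's key pair. The sample inputs are constructed structural shells (random odd integers standing in for real RSA moduli, empty names, dummy unsigned signatures); all function names are this example's own.

```python
import base64
import re
import secrets

RSA_OID = "1.2.840.113549.1.1.1"   # rsaEncryption
SIG_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption (only used for the dummy signature field)

def der(tag, body):  # minimal DER TLV encoder, used only to construct the sample inputs
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_int(n):  # the extra byte keeps the INTEGER positive when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p := p >> 7:
            chunk.insert(0, 0x80 | (p & 0x7F))
        out.extend(chunk)
    return der(0x06, bytes(out))

RSA_ALG = der_oid(RSA_OID)
SIG_ALG = der(0x30, der_oid(SIG_OID) + b"\x05\x00")
DUMMY_SIG = der(0x03, b"\x00" * 17)  # constructed: not a real signature, the shells are never verified

def fake_rsa_modulus(bits):  # constructed test data: random odd integer of exactly `bits` bits, NOT a real RSA modulus
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def build_spki(modulus, exponent=65537):  # SubjectPublicKeyInfo { {rsaEncryption, NULL}, BIT STRING {RSAPublicKey} }
    rsa_public_key = der(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der(0x30, RSA_ALG + b"\x05\x00")
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))

def to_pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def fake_csr_pem(spki):  # structural shell of a PKCS#10 CertificationRequest with an empty subject
    cri = der(0x30, der_int(0) + der(0x30, b"") + spki + der(0xA0, b""))
    return to_pem("CERTIFICATE REQUEST", der(0x30, cri + SIG_ALG + DUMMY_SIG))

def fake_cert_pem(spki):  # structural shell of an X.509 certificate wrapped around the same SPKI
    validity = der(0x30, der(0x17, b"100101000000Z") + der(0x17, b"120101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(0x7E9F) + SIG_ALG + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return to_pem("CERTIFICATE", der(0x30, tbs + SIG_ALG + DUMMY_SIG))

def read_tlv(buf, pos):  # -> (tag, body, position after this TLV); handles short and long length forms
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def find_rsa_modulus(der_bytes):  # depth-first search for an RSA SubjectPublicKeyInfo; returns n as an int, or None
    def walk(body):
        items = list(children(body))
        if (len(items) == 2 and items[0][0] == 0x30 and items[0][1].startswith(RSA_ALG)
                and items[1][0] == 0x03 and items[1][1][:1] == b"\x00"):
            _, rsa_public_key, _ = read_tlv(items[1][1], 1)  # skip the unused-bits byte of the BIT STRING
            _, modulus = next(children(rsa_public_key))       # RSAPublicKey ::= SEQUENCE { n, e }
            return int.from_bytes(modulus, "big")
        for tag, inner in items:
            if tag & 0x20:                                    # constructed node (SEQUENCE, SET, [0] ...): recurse
                found = walk(inner)
                if found is not None:
                    return found
        return None
    _, top, _ = read_tlv(der_bytes, 0)
    return walk(top)

def pem_to_der(pem):  # accepts any PEM label, e.g. the "NEW CERTIFICATE REQUEST" that IIS writes
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def key_bits(pem):
    modulus = find_rsa_modulus(pem_to_der(pem))
    if modulus is None:
        raise ValueError("no RSA SubjectPublicKeyInfo found")
    return modulus.bit_length()

def godaddy_would_accept(pem):  # the CA's rule quoted in the thread: "The CSR key length must be 2048 or 4096"
    return key_bits(pem) in (2048, 4096)

def same_key_pair(csr_pem, cert_pem):  # the issued certificate carries the CSR's public key (same modulus)
    return find_rsa_modulus(pem_to_der(csr_pem)) == find_rsa_modulus(pem_to_der(cert_pem))

if __name__ == "__main__":
    weak = fake_csr_pem(build_spki(fake_rsa_modulus(1024)))
    modulus = fake_rsa_modulus(2048)
    csr, cert = fake_csr_pem(build_spki(modulus)), fake_cert_pem(build_spki(modulus))
    print("1024-bit CSR accepted:", godaddy_would_accept(weak))    # False
    print("2048-bit CSR accepted:", godaddy_would_accept(csr))     # True
    print("cert matches CSR key pair:", same_key_pair(csr, cert))  # True
```

On a real server you would pass the contents of the certreq.txt that the IIS wizard writes to `key_bits` before pasting it into the CA's form, and later pass the CSR and the GoDaddy .crt to `same_key_pair`. A match there means the certificate belongs to the key pair whose private half lives in the key container on the machine where the CSR was generated, which is why the CSR has to come from the server that will serve the certificate, and why `certutil -repairstore` can fix the "no private key" symptom seen in the thread: it re-links the imported certificate to the key container holding the matching private key, as the "Key Container = ..." line in the asker's output shows.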