List: thin
Subject: [THIN] Little snippet of information if you're using Verisign intermediate certs and the Access Gateway
From: "M" <mathras () blueyonder ! co ! uk>
Date: 2007-02-28 22:03:11
Message-ID: 003f01c75b84$42f917e0$6318a8c0 () bottomburp
Hello there,

I thought I would share my recent experience of using a Verisign SSL cert with the Access Gateway (I usually use Geotrust who are now owned by Verisign .....)

Went through the process back in December and got a cert created. I selected IIS 6 for the platform when generating. Had a few external customers at remote sites complaining that they were getting SSL cert messages when they connected to the gateway. I had overlooked the fact that Verisign use intermediate certs and the Access Gateway didn't support them.
http://support.citrix.com/article/CTX111872&searchID=39690042

I also found that if the clients weren't behind a proxy server (ISA server was the main culprit), the Verisign Class 3 Secure Server CA was downloaded automatically into Internet Explorer's SSL cert store and therefore those users never saw an issue.

I upgraded the AG to 4.5.1 and Verisign very kindly agreed for me to redo the CSR f.o.c (normally 100 quid after 30 days).

Went through the process again and attempted to upload the crt that Verisign sent. Failed to upload every time. Started getting a bit stressed, reset the SSL cert of the Gateway via the serial connection and went through the process all over again. Failed again and I spent the next 1/2 hour ranting about the Access Gateway and intermediate certificates. Finally I realised that if you select IIS6 when submitting your CSR with Verisign, they now include the intermediate cert as well. The Access Gateway failed to upload the crt file because it wasn't a crt file, it was a p7b file. This is not an issue for IIS6 servers but it is with the Gateway being a Linux-based device.

After renaming the file to xxx.p7b I double clicked on the file ... lo and behold both the cert and intermediate cert were displayed. I was then able to extract both as base64 encoded and then follow the procedure laid down in CTX111872.

All now working nicely and no issues with intermediate certificates.

I hope this may save someone else some time :¬)
M
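
The situation described in the message above (a file delivered as `.crt` that is really a PKCS#7 `.p7b` bundle holding the server and intermediate certificates) can be checked from the file's bytes rather than its name. The following is an added example, not part of the original message and not Citrix or Verisign code: it identifies the container by its ASN.1 header and returns each certificate as base64 (PEM). It assumes definite-length DER or PEM-armored input; all function names are hypothetical and the sample bytes are constructed stubs, not real certificates.

```python
import base64
import re

SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite-length BER is not handled here")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def to_der(data):
    """Strip PEM armor if present; the file extension is never consulted."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_certs(data):
    """Return every certificate in a .crt/.cer/.p7b payload as PEM strings."""
    der = to_der(data)
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if not der.startswith(SIGNED_DATA_OID, start):
        return [pem(der[:end])]             # plain X.509 certificate
    _, _, oid_end = read_tlv(der, start)    # ContentInfo.contentType
    _, inner, _ = read_tlv(der, oid_end)    # [0] EXPLICIT wrapper
    _, pos, sd_end = read_tlv(der, inner)   # SignedData SEQUENCE
    certs = []
    while pos < sd_end:
        tag, vstart, pos = read_tlv(der, pos)
        while tag == 0xA0 and vstart < pos: # certificates [0] IMPLICIT SET
            _, _, cert_end = read_tlv(der, vstart)
            certs.append(pem(der[vstart:cert_end]))
            vstart = cert_end
    return certs

# Constructed placeholders (not real certificates): two stub SEQUENCEs in a bundle.
CERT_A, CERT_B = bytes.fromhex("30053003020101"), bytes.fromhex("30053003020102")
P7B = bytes.fromhex("303306092a864886f70d010702a0263024020101"
                    "3100300b06092a864886f70d010701a00e") + CERT_A + CERT_B + b"\x31\x00"

if __name__ == "__main__":
    print(len(extract_certs(P7B)), "certificates in bundle")
```

A result with more than one entry means the upload is a bundle and each PEM block has to be handled separately. Where OpenSSL is available, `openssl pkcs7 -print_certs` (with `-inform DER` for binary files) performs the same extraction.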