I'll try that next time - I wound up breaking down and going with RapidSSL, which worked correctly the first time. FWIW, they have a free crossgrade offer going specifically for Comodo customers. RapidSSL was completely painless, aside from some incorrect WHOIS information causing problems with validation. thanks, --Durf On Mon, Feb 9, 2009 at 9:47 PM, Rick Mack <ulrich.mack@xxxxxxxxx> wrote: > Hi, > > Try the following: > > Citrix Access Gateway SSL certificate installation: > > 1. > > In the "Administration Tool," select the "Access Gateway Cluster" tab > and then open the window for the appliance. > 2. > > Under "Administration," select select "Browse" next to "Upload a .crt > signed certificate." > 3. > > Browse to the your_domain_com.crt file that you received and click > "Open." > > You can alternately install the your_domain_com.crt file through the > "Administration Portal" by clicking "Maintenance," "Add a signed > certificate > (.crt)," and then browsing to the file. > > After installing the primary server certificate (which will enable SSL > encryption), you will need to upload the TrustedRoot.crt and > IntermediateCA.crt files to the device (which will allow for the > certificate > to be trusted). > 4. > > Open your TrustedRoot.crt and IntermediateCA.crt files in a text editor > (such as Wordpad). > 5. > > Copy the contents of the TrustedRoot.crt file below the last line of > the IntermediateCA.crt file as figured below: > > -----BEGIN CERTIFICATE----- > (Your Intermediate certificate: IntermediateCA.crt) > -----END CERTIFICATE----- > -----BEGIN CERTIFICATE----- > (Your Root certificate: TrustedRoot.crt) > -----END CERTIFICATE----- > 6. > > Save the combined file as Chain.pem > 7. > > From the "Access Gateway Cluster" tab, open the window for the > appliance. > 8. > > From the "Administration" tab, select the option to "Manage trusted > root certificates." > 9. > > Click "Upload Trusted Root Certificate." Find the chain.pem file and > then click "Open." > > regards, > > Rick > > -- > Ulrich Mack > Quest Software > Provision Networks Division > >> Am I totally missing something, or does the CAG just have problems with >> intermediate certs? I've followed the various KB articles about pasting in >> the intermediate cert's certificate into a text file along with your server >> cert, but whatever I do the CAG just doesn't want to accept it, with the >> generic 'validation failed' log message. I've reissued the cert with new >> CSR's twice now. Does anyone have any insights before I take advantage of >> RapidSSL's free competitive upgrade offer? >> >> -- Durf > > > > > -- -------------- Give a man a fish, and he'll eat for a day. Give a fish a man, and he'll eat for weeks!