[THIN] Little snippet of information if you're using Verisign intermediate certs and the Access Gateway

Hello there,

I thought I would share my recent experience of using a Verisign SSL cert with 
the Access Gateway (I usually use GeoTrust, who are now owned by Verisign...)

Went through the process back in December and created a cert. I selected 
IIS 6 for the platform when generating.
Had a few external customers at remote sites complaining that they were getting 
SSL cert messages when they connected to the gateway. 
I had overlooked the fact that Verisign use intermediate certs and the Access 
Gateway didn't support them.
http://support.citrix.com/article/CTX111872&searchID=39690042

I also found that if the clients weren't behind a proxy server (ISA Server was 
the main culprit), the Verisign Class 3 Secure Server CA was downloaded 
automatically into Internet Explorer's SSL cert store and therefore those users 
never saw an issue.

I upgraded the AG to 4.5.1 and Verisign very kindly agreed for me to redo the 
CSR f.o.c. (normally 100 quid after 30 days).

Went through the process again and attempted to upload the crt that Verisign 
sent. Failed to upload every time.
Started getting a bit stressed, reset the SSL cert of the Gateway via the 
serial connection and went through the process all over again.
Failed again and I spent the next 1/2 hour ranting about the Access Gateway and 
intermediate certificates.
Finally I realised that if you select IIS6 when submitting your CSR with 
Verisign, they now include the intermediate cert as well.
The Access Gateway failed to upload the crt file because it wasn't a crt file, 
it was a p7b file. This is not an issue for IIS6 servers but it is with the 
Gateway being a Linux based device.

After renaming the file to xxx.p7b I double-clicked on the file ... lo and 
behold both the cert and intermediate cert were displayed.
I was then able to extract both as base64 encoded and then follow the procedure 
laid down in CTX111872.

All now working nicely and no issues with intermediate certificates.

I hope this may save someone else some time :¬)

M
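As an added example (not code from the original post, from Citrix or from Verisign), a small POSIX shell script that does on the command line what the post describes doing by hand: check whether a vendor's download is really a PEM certificate or a PKCS#7 (.p7b) bundle, and split the bundle into separate base64 (PEM) files for the server cert and the intermediate so they can be uploaded one at a time. The demo chain, its CN values and the file names are constructed for illustration; it needs only openssl, grep and awk.

```shell
#!/bin/sh
# Added example (not from the original post): tell a bare PEM certificate
# apart from a PKCS#7 (.p7b) bundle and split the bundle into one PEM file
# per certificate, so leaf and intermediate can be uploaded separately.
# Requires only openssl, grep and awk.
set -eu

# cert_kind FILE -> prints one of: pem-cert, p7b-pem, p7b-der, unknown
cert_kind() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo pem-cert
  elif grep -q 'BEGIN PKCS7' "$1" 2>/dev/null; then echo p7b-pem
  elif openssl pkcs7 -inform DER -in "$1" -noout >/dev/null 2>&1; then echo p7b-der
  else echo unknown; fi
}

# split_p7b FILE OUTDIR -> writes OUTDIR/cert-1.pem, cert-2.pem, ... in the
# order the certificates appear in the bundle, and prints how many were written
split_p7b() {
  case $(cert_kind "$1") in
    p7b-pem) form=PEM ;;
    p7b-der) form=DER ;;
    *) echo "$1 is not a PKCS#7 bundle" >&2; return 1 ;;
  esac
  mkdir -p "$2"
  # -print_certs emits subject=/issuer= lines before each PEM block; awk keeps
  # only the lines between BEGIN and END and starts a new file at each BEGIN
  openssl pkcs7 -inform "$form" -in "$1" -print_certs |
    awk -v d="$2" '/BEGIN CERTIFICATE/{n++; p=1} p{print > (d "/cert-" n ".pem")} /END CERTIFICATE/{p=0}'
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# make_demo_bundle DIR -> constructed test data: a throwaway "intermediate" CA
# and a server cert it signs, packed into DIR/server.p7b in DER form, which is
# what an IIS-style vendor download renamed to .p7b looks like
make_demo_bundle() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Intermediate CA' \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=gateway.example.test' \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/server.pem" >/dev/null 2>&1
  openssl crl2pkcs7 -nocrl -certfile "$1/server.pem" -certfile "$1/ca.pem" \
    -outform DER -out "$1/server.p7b"
}

# Usage: sh split-p7b.sh <vendor-file> <outdir>; with no arguments, run the demo
if [ $# -eq 2 ]; then split_p7b "$1" "$2"
else d=$(mktemp -d); make_demo_bundle "$d"; split_p7b "$d/server.p7b" "$d/out"; echo "PEM files in $d/out"; fi
```

Each resulting cert-N.pem can be opened with `openssl x509 -in cert-N.pem -noout -subject -issuer` to see which one is the server cert and which the intermediate before following CTX111872.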
