I'm confused by your comments Jeff as I'm not sure how that's working for you, unless you are extracting the private key and signed certificate from IIS and uploading them together. A csr is generated by using a private key. Then it's signed by a Certification body. When the signed certificate is installed, it verifies itself against the private key. This was my issue. Because I had re-imaged the CAG, it had a different private key, and therefore the signed certificate could not be verified, and would not install. Because I didn't have a copy of the private key, there was no way I was able to fix it. So the only solution (also according to Citrix) was to generate a new csr and send it off to be signed. I've just received it back, and thankfully it installed correctly. Now...I also got an answer from Citrix about the config.restore file, if anyone is interested. It's a binary format file. They have an internal tool to extract it, which is not publicly available at this point in time. Cheers. Kind regards, Jeremy Saunders Senior Technical Specialist Integrated Technology Services & Cerulean IBM Australia Level 2, 1060 Hay Street West Perth WA 6005 Visit us at http://www.ibm.com/services/au/its P: +61 8 9261 8412 F: +61 8 9261 8486 M: TBA E-mail: jeremy.saunders@xxxxxxxxxxx "Jeff Pitsch" <jepitsch@xxxxxxx om> To Sent by: thin@xxxxxxxxxxxxx thin-bounce@freel cc ists.org Subject [THIN] Re: Opening the 31/03/2006 09:30 config.restore file from the Access PM Gateway Please respond to thin I've never had a problem putting a cert on a CAG where I didn't generate the CSR from the CAG. for example, a CSR generated from IIS then transferred the cert to the CAG has worked wonderfully well. Are you sure you have the correct root imported in correctly? Jeff On 3/31/06, Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx> wrote: Hi All, Does anyone know what format the config.restore file is? It's the saved config from the Access Gateway. eg. rar, zip, tar, etc. Tried a few things, but it doesn't seem to work. The reason behind my question is that I need to restore a previously Generated CSR so that the Signed Certificate (crt) can be successfully applied. I had to re-image a box that a customer didn't have a current backup of, and I'm getting the following error when trying to import the signed crt file. (03/31/06 16:56:29): 0:controller:socket:: Using only strong cipher suites: RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES256-SHA:AES128-SHA (03/31/06 16:56:29): 0:controller:socket:: cleared existing SSL contexts (03/31/06 16:56:29): 0:controller:socket:: initialized SSL methods and contexts (03/31/06 16:56:29): 0:controller:socket:: Using only strong cipher suites: RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES256-SHA:AES128-SHA (03/31/06 16:56:29): 0:controller:socket:: cleared existing SSL contexts (03/31/06 16:56:29): 0:controller:socket:: initialized SSL methods and contexts (03/31/06 16:56:29): 0:controller:socket:: associated server certificate and private key with SSL context (03/31/06 16:56:29): 2:controller:upgraded: : failed to upgrade certificate. (verification failure). (03/31/06 16:56:29): 2:controller:service:xfer:: unable to xfer certificate file... The second last line in the log confirms that it can't be verified, and therefore fails the import. All I want to do is to "shove" the originally generated certificate request back into the config, assuming that it's backed up into there in the first place. Cheers. Kind regards, Jeremy Saunders Senior Technical Specialist Integrated Technology Services & Cerulean IBM Australia Level 2, 1060 Hay Street West Perth WA 6005 Visit us at http://www.ibm.com/services/au/its P: +61 8 9261 8412 F: +61 8 9261 8486 M: TBA E-mail: jeremy.saunders@xxxxxxxxxxx ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************ ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin ************************************************