How to Convert a PKCS #7 Certificate to PEM Format for Use with NetScaler

This article describes how to convert a certificate that is received from the Certificate Authority (CA) in PKCS #7 format to PEM format.

Background

This is an alternative method of converting a PKCS #7 certificate to PEM format that does not rely on OpenSSL, which sometimes does not perform this conversion correctly. You receive a certificate from the CA in PKCS #7 (Cryptographic Message Syntax standard) format; the file extension of the certificate is .p7b.
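The following script is an added example and is not the Citrix article's own procedure: it shows what a .p7b file actually is (a PKCS #7 signedData ContentInfo whose certificates field carries one or more X.509 certificates) by walking that DER structure with the Python standard library only and PEM-armouring every certificate it finds. It accepts both binary (DER) and PEM-armoured ("-----BEGIN PKCS7-----") input. The sample .p7b it carries is constructed from two placeholder DER sequences, not real certificates, and the names pkcs7_certificates, p7b_to_pem and der_to_pem are this example's own.

```python
"""Extract the certificates from a PKCS #7 (.p7b) file and write them as PEM.

Added example, standard library only: it walks the DER encoding of
ContentInfo -> SignedData -> certificates and PEM-armours each certificate it
finds. DER and PEM-armoured ("-----BEGIN PKCS7-----") input are both accepted.
"""
import base64
import re
import sys

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], end


def _children(value):
    """Yield (tag, inner_value, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        start = pos
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner, value[start:pos]


def _tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_to_pem(der, label="CERTIFICATE"):
    """PEM-armour a DER blob with 64-column Base-64 lines and LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pkcs7_certificates(data):
    """Return the DER-encoded certificates embedded in a PKCS #7 signedData blob."""
    if data[:1] != b"\x30":                 # not a DER SEQUENCE: expect a PEM-armoured .p7b
        m = re.search(rb"-----BEGIN PKCS7-----(.*?)-----END PKCS7-----", data, re.S)
        if not m:
            raise ValueError("input is neither DER nor a PEM PKCS7 block")
        data = base64.b64decode(b"".join(m.group(1).split()))
    tag, content_info, _ = _read_tlv(data, 0)
    fields = list(_children(content_info))
    if tag != 0x30 or fields[0][0] != 0x06 or fields[0][1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS #7 signedData ContentInfo")
    _, signed_data, _ = _read_tlv(fields[1][1], 0)   # [0] EXPLICIT wraps the SignedData SEQUENCE
    # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo,
    #                           certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }
    for field_tag, value, _ in _children(signed_data):
        if field_tag == 0xA0:               # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in _children(value) if t == 0x30]
    return []


def p7b_to_pem(data):
    """Concatenated PEM for every certificate in the .p7b, ready to upload or to split."""
    return "".join(der_to_pem(c) for c in pkcs7_certificates(data))


# Constructed sample (NOT a real certificate bundle): two placeholder "certificates",
# each a DER SEQUENCE holding a PrintableString, wrapped in a minimal signedData.
FAKE_CERT_1 = _tlv(0x30, _tlv(0x13, b"placeholder certificate one"))
FAKE_CERT_2 = _tlv(0x30, _tlv(0x13, b"placeholder certificate two"))
SAMPLE_P7B = _tlv(0x30, _tlv(0x06, OID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30,
    _tlv(0x02, b"\x01")                          # version 1
    + _tlv(0x31, b"")                            # digestAlgorithms: empty SET
    + _tlv(0x30, _tlv(0x06, OID_DATA))           # contentInfo: data, no content
    + _tlv(0xA0, FAKE_CERT_1 + FAKE_CERT_2)      # certificates [0] IMPLICIT
    + _tlv(0x31, b""))))                         # signerInfos: empty SET

if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_P7B
    sys.stdout.write(p7b_to_pem(src))
```

Run it as `python p7b_to_pem.py bundle.p7b > bundle.pem` and split the output into one file per certificate as the appliance needs it. A real .p7b from a CA usually carries the server certificate together with its intermediates, so inspect each PEM block's subject before deciding which one to upload as the certificate and which as the CA chain.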


Error: "An SSL connection to the server couldn't be established" while trying to authenticate to StoreFront using Linux Receiver

1. Obtain the root certificate in PEM format.

Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.

2. As the user who installed the package (usually root):

  • Copy the file to $ICAROOT/keystore/cacerts.
  • Run the following command: $ICAROOT/util/ctx_rehash


Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Linux

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to check whether this resolves the issue.
  • If you are using SHA-2 certificates, note that older versions of Receiver do not support these certificates. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to see which Receiver versions support SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates, refer to the Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message indicates that the client device does not have the root certificate or intermediate certificate required to establish trust with the certificate authority that issued the server certificate.

Use a root certificate

If you need to authenticate a server certificate that was issued by a certificate authority and is not yet trusted by the user device, follow these instructions before adding a StoreFront store.

  1. Obtain the root certificate in PEM format.

    Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.
  2. As the user who installed the package (usually root):
    1. Copy the file to $ICAROOT/keystore/cacerts.
    2. Run the following command:
      $ICAROOT/util/ctx_rehash

Use an intermediate certificate

If your StoreFront server is not able to provide the intermediate certificates that match the certificate it is using, or you need to install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store.

  1. Obtain the intermediate certificate(s) separately in PEM format.

    Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.
  2. As the user who installed the package (usually root):
    1. Copy the file(s) to $ICAROOT/keystore/intcerts.
    2. Run the following command as the user who installed the package:
      $ICAROOT/util/ctx_rehash


Unable to establish VPN connection with Citrix SSO app [certificate-based auth] for Android Enterprise

In the CEM environment, when the client certificate is deployed using a credential policy, a random alias is generated for the certificate, and the same alias name must be entered in the Certificate Alias field of the Managed Configurations for the Citrix SSO app, as shown in the following figure:

The Certificate Alias field is shown as optional; however, it is required for certificate-based authentication, and without it the VPN cannot be established.

You can obtain the Certificate Alias using one of the following methods:

Method 1: On the enrolled Android device

The admin should first deploy the client certificate on a test device, note the alias name shown when Secure Hub asks to install the client certificate, and use that alias in the Certificate Alias field under Managed Configurations.

Method 2: Using Citrix SSO app logs

Another way to get the certificate alias is from the Citrix SSO app logs on the device (email them to yourself from the Citrix SSO Logs screen), then look for a log statement like the one shown below in the CtxLog_com.citrix.CitrixVPN*.csv files.

"Ignoring selected certificate alias [XXXXXX] because it does not match with required alias [YYYYYY]"

From this log line you can infer that the alias provisioned in the VPN profile is YYYYYY and the one actually installed on the device is XXXXXX. They must match for the VPN to work, so use the alias XXXXXX (the one selected by the user) in the VPN profile and update the Certificate Alias field accordingly.

Method 3: From CEM debug logs

After deploying the client certificate, capture the CEM debug logs, look for the following log message, and update the Certificate Alias field in the Managed Configurations with the alias it reports.


2020-03-19T03:06:10.137+0000 | | INFO | http-nio-10080-exec-10 | EWSession | Create unknown in DB credential=XXXXXXXXXXXX certificate for 27cp1_20170407155318257

Federated Authentication Service (FAS) | Unable To Launch App “Invalid User Name Or Wrong Password”


System logs:

Event ID 8

The domain controller rejected the client certificate of user U1@abc.com, used for smart card logon. The following error was returned from the certificate validation process: A certificate chain processed correctly, but one of the CA certificate is not trusted by the policy provider.


Error: “Invalid Certificate” When Installing SSL Certificate on ADC Appliance

Hidden Control Characters in Certificate/Key File

You can use the OpenSSL implementation of the BSD Unix distribution on the ADC to import and export the certificate and key files. The exported files are free of the hidden control characters that prevent successful installation of the certificate and key files:

  1. Use a secure copy program (for example, WinSCP) to copy the certificate and key files to the /nsconfig/ssl directory of the ADC appliance.

    The certificate and key files can also be uploaded to the ADC using the Configuration Utility. Navigate to Traffic Management > SSL > Manage Certificates / Keys / CSRs > Upload, as shown in the following screen shots:


  2. Open a Secure Shell (SSH) session to the appliance and, after authentication, run the shell command to switch to the BSD shell.

  3. Navigate to the /nsconfig/ssl directory:

    cd /nsconfig/ssl

  4. Use OpenSSL to import and export the certificate file, that is, read it and write out a clean copy. The following example is for PEM (Base64) certificates:

    openssl x509 -in <certificateFileName> -out <newCertificateFileName>

  5. Use OpenSSL to import and export the key file in the same way. The following example is for PEM (Base64) RSA key files:

    openssl rsa -in <keyFileName> -out <newKeyFileName>

You will now be able to successfully import the certificate on the ADC appliance by using the new exported version of the files.

SSL Certificate not Encoded in Base-64 Format

Open the certificate on a Windows computer, convert it to Base-64 encoded X.509 (.CER), and then install the converted certificate on the appliance:

  1. Go to Start > Run and type mmc on the Windows machine.


  2. Double-click and open the certificate file that you want to convert.


  3. Click Details.


  4. Click Copy to File.

  5. Select the Base-64 encoded X.509 (.CER) option.

  6. Click Next.


  7. Browse to the location you want to save the converted certificate. Name the file with a .cer extension.


  8. Click Next.

Install the converted certificate on the NetScaler appliance.

PKCS #7 Certificate Incorrectly Converted to PEM Format

This error occurs when the PKCS #7 (.p7b) certificate is incorrectly converted to PEM format. Refer to CTX124783 – How to Convert a PKCS #7 Certificate to PEM Format for the correct procedure.


How to Decrypt SSL and TLS Traffic Using Wireshark

Private Key Format

Wireshark can decrypt SSL traffic provided that you have the server's private key. The private key has to be in a decrypted PKCS#8 PEM format (RSA). Open the key file to verify its format: if the content is binary, the key is most likely in DER format, which cannot be used with Wireshark.

You can use OpenSSL to convert the key. For example, to convert a PKCS#8 DER key to a decrypted PKCS#8 PEM format (RSA) key, enter the following command at the $ prompt:

openssl pkcs8 -nocrypt -in der.key -inform DER -out pem.key -outform PEM

Where der.key is the file name and path of the DER key file, and pem.key is the file name and path of the PEM key file to be written.

The decrypted PKCS#8 PEM format (RSA) key must be similar to the following screen shot:


Notice that the key begins with:

-----BEGIN RSA PRIVATE KEY-----

If it begins with:

-----BEGIN ENCRYPTED PRIVATE KEY-----

then the key is encrypted and must be decrypted with the correct passphrase before Wireshark can use it. You can again use OpenSSL to do this.

  1. At the $ prompt, issue the following command:

    openssl rsa

    If you issue this command without arguments, you are prompted as follows:

    read RSA key

  2. Type the name of the key file to be decrypted.

    You can run the openssl rsa command with arguments if you already know the name of the private key file and the name you want for the decrypted PEM file.

    For example, if the private key file name is myprivkey.pvk and the decrypted file name is keyout.pem, the command is:

    openssl rsa -in myprivkey.pvk -out keyout.pem
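The file checks described in the two articles above, "Invalid Certificate" on the ADC (hidden control characters in the certificate or key file, and a binary DER file where Base-64 PEM is expected) and the Wireshark private-key format (DER, encrypted, or usable PEM), can be performed offline with the following added Python script. It is not Citrix or Wireshark code: it uses only the standard library, its sample files are constructed placeholders rather than real certificates or keys, and the names classify, normalize_pem and key_status are this example's own. It goes slightly beyond the Wireshark article in that it treats both the "BEGIN RSA PRIVATE KEY" label the article shows and the PKCS#8 "BEGIN PRIVATE KEY" label as usable, since Wireshark loads both.

```python
"""Inspect a certificate or private-key file for the problems these articles
describe and emit a clean PEM copy, using only the standard library:

  * hidden control characters (BOM, CR, NUL) in the PEM text that make the
    ADC report "Invalid Certificate";
  * a binary DER file where Base-64 PEM is expected;
  * for Wireshark: whether a private key is plain PEM, encrypted, or DER.
"""
import base64
import re
import sys

BOM = b"\xef\xbb\xbf"
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def classify(data):
    """Return {'format': 'PEM'|'DER'|'unknown', 'labels': [...], 'issues': [...]}."""
    labels = [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]
    issues = []
    if labels:
        fmt = "PEM"
        if data.startswith(BOM):
            issues.append("UTF-8 byte order mark before the first PEM header")
        body = data[len(BOM):] if data.startswith(BOM) else data
        if b"\r" in body:
            issues.append("CR (Windows line ending) characters")
        bad = sorted({b for b in body if (b < 0x20 and b not in b"\t\n\r") or b > 0x7e})
        if bad:
            issues.append("non-printable bytes: " + ", ".join(f"0x{b:02x}" for b in bad))
    elif data[:1] == b"\x30":                 # DER starts with a SEQUENCE tag
        fmt = "DER"
        issues.append("binary DER, not Base-64 PEM")
    else:
        fmt = "unknown"
    return {"format": fmt, "labels": labels, "issues": issues}


def _armour(label, der, headers=()):
    """PEM-armour DER with 64-column Base-64 and LF endings; headers are the
    'Proc-Type'/'DEK-Info' lines a legacy encrypted key must keep."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = b"".join(h + b"\n" for h in headers) + (b"\n" if headers else b"")
    return b"-----BEGIN " + label + b"-----\n" + head + body + b"\n-----END " + label + b"-----\n"


def normalize_pem(data, der_label="CERTIFICATE"):
    """Rewrite the file as clean PEM, the same effect the article gets from the
    'openssl x509 -in ... -out ...' / 'openssl rsa -in ... -out ...' round trip:
    DER input is Base-64 encoded under der_label; PEM input is re-emitted block by
    block with stray bytes removed, and the Base-64 is validated while doing so."""
    if data[:1] == b"\x30":
        return _armour(der_label.encode("ascii"), data)
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        raise ValueError("input is neither DER nor PEM")
    out = b""
    for label, body in blocks:
        lines = [ln.strip() for ln in body.split(b"\n") if ln.strip()]
        headers = [ln for ln in lines if b":" in ln]
        b64 = re.sub(rb"[^A-Za-z0-9+/=]", b"", b"".join(ln for ln in lines if b":" not in ln))
        der = base64.b64decode(b64, validate=True)   # raises if the body is not Base-64
        out += _armour(label, der, headers)
    return out


def key_status(data):
    """For Wireshark: 'plain' (usable as-is), 'encrypted' (decrypt with openssl rsa
    or openssl pkcs8 first), 'der' (convert with openssl pkcs8 -inform DER first),
    or 'not-a-key'."""
    info = classify(data)
    if info["format"] == "DER":
        return "der"
    if "ENCRYPTED PRIVATE KEY" in info["labels"] or b"Proc-Type: 4,ENCRYPTED" in data:
        return "encrypted"
    if KEY_LABELS & set(info["labels"]):
        return "plain"
    return "not-a-key"


# Constructed samples (NOT real certificates or keys): a 7-byte DER SEQUENCE stands in
# for the ASN.1 body so the examples run offline.
FAKE_DER = b"\x30\x05\x13\x03abc"
FAKE_B64 = base64.b64encode(FAKE_DER)
DIRTY_CERT = BOM + b"-----BEGIN CERTIFICATE-----\r\n" + FAKE_B64 + b"\r\n-----END CERTIFICATE-----\r\n"
CLEAN_CERT = b"-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + b"\n-----END CERTIFICATE-----\n"
PLAIN_KEY = b"-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_B64 + b"\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + FAKE_B64 + b"\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DIRTY_CERT
    print(classify(data), "key status:", key_status(data))
    if len(sys.argv) > 2:                      # write a cleaned copy next to the original
        open(sys.argv[2], "wb").write(normalize_pem(data))
```

Run `python pemcheck.py server.crt server.clean.crt` before uploading to the appliance, or `python pemcheck.py server.key` before pointing Wireshark at a key; a result of "encrypted" or "der" tells you which of the openssl commands from the articles still has to be applied. Note that the script only re-encodes and never decrypts: an encrypted key stays encrypted, and its Proc-Type/DEK-Info headers are preserved so the file remains loadable by openssl rsa.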



Error: "Invalid Login" on launch of a FAS-enabled Linux VDA desktop

The Kerberos Authentication certificate must be present on all domain controllers. To enroll for a new certificate, follow these steps:

1. On the domain controller, open mmc.

2. Click File, then click Add/Remove Snap-in.

3. Select Certificates, click Add, then select Computer account.

4. Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.

5. Click Next.

6. Select Kerberos Authentication and click Enroll.

Note: If Kerberos Authentication is not offered for auto-enrollment in the domain controller's certificate mmc, go to the Certificate Authority server, add the domain controller to the security settings of the Domain Controller Authentication template, and grant it AutoEnroll permissions.

Also make sure that krb5.conf on the VDA is configured with the correct root CA and subordinate CA certificate information.

Refer to the 'Incorrect root CA certificate configuration' section at the following link:

https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration/federated-authentication-service.html/
