Objective
This article describes how to create a certificate using OpenSSL in combination with a Windows Certificate Authority that can be used with a XenServer 7.1 CU2 or XenServer 7.0 host
To enable trusted TLS communication between Citrix Hypervisor and Citrix Virtual Apps and Desktops, a trusted certificate is required on the Citrix Hypervisor host.
- For Citrix Hypervisor 8.2 and later, do not follow this article. Instead create a separate certificate and key file and use XenCenter or the xe CLI to install the certificate on your server. For more information, seeInstall a TLS certificate on your serverin the product documentation.
- For earlier versions of XenServer, you can use the method described in this article to create a certificate. This method is similar to CTX128617 -How to Use IIS to Acquire SSL Certificates for XenServer, except OpenSSL is used to generate the certificate requests. Note that these steps are not recommended or supported.
该方法可以轻易替代cert照本宣科ificates after expiration, and also gives the ability to store the certificate key pair. If a Citrix Hypervisor server requires rebuilding, there is no need to repeat the request process. Simply upload the archived key pair to the server.
The following steps simulate creating a certificate for a Citrix Hypervisor server named “server1” in the domain “domain.com”. The Certificate Authority is namedCA1on serverDOMAINCA. The password used for the private key pair is “citrixpass”.
Instructions
Following are the requirements:
Microsoft Certificate Authority
Complete the following procedure:
Install OpenSSL on a workstation or server. Ensure that the user performing the certificate request has adequate permissions to request and issue certificates.
Create a configuration file (req.conf) for the certificate request:
[req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = VA L = SomeCity O = MyCompany CN = server1.example.com [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = server1.example.com
Ensure there are no whitespaces at the end of the lines. Adjust Common name, Organization, Country, State, and Location to reflect your information. If you want to verify your certificate through a browser, ensure that you include the server hostname as a Subject Alternate Name (SAN).
- Create the certificate request and private key:
openssl req -newkey rsa:2048 -keyout xenserver1prvkey.pem -nodes -out server1.req -config req.conf
创建请求的更多细节,请参考toOpenSSL req commands.
Submit the request to Windows Certificate Authority using CertReq:
certreq -submit -binary -attrib "CertificateTemplate:WebServer" -config DOMAINCA\CA1 server1.req server1.cer
Windows Certificate Authorities only export certificates in Base64 or Binary encoding. Base64 is the default, so binary encoding requires the extra switch-binary.
For full CertReq syntax, refer toCertReq Command Line ReferenceConvert the issued certificate to PEM format:
openssl x509 -inform der -in server1.cer -out server1.pemMerge the issued certificate and private key into Pkcs12 format.
openssl pkcs12 -export -inkey server1prvkey.pem -in server1.pem -out server1.pfx -passout pass:citrixpassConvert the Pkcs12 key pair into a PEM keypair for importing into XenServer.
openssl pkcs12 -in server1.pfx -out server1keypair.pem -nodes -password pass:citrixpassFor Citrix Hypervisor 8.1 and earlier, there is no supported mechanism for installing new certificates in the Citrix Hypervisor server. You can follow the steps in CTX128617 -How to Use IIS to Acquire SSL Certificates for XenServer, but these steps are not recommended or supported.
Additional Resources
- Install a TLS certificate on your serverin the Citrix Hypervisor 8.2 product documentation.
- Install a TLS certificate on your serverin the XenCenter product documentation.