
Manually install a certificate used by the Simple License Service

Sep 02, 2014

Create a certificate

To install a certificate, there are three steps:

  1. Obtain a .pfx file, which contains the certificate and private key. You can use one of two methods to do this.
  2. Extract the certificate and private key from the .pfx file.
  3. Install the certificate and private key on to the License Server.

Step 1, method 1 — Obtain the .pfx file using a domain certificate

Log on to a server in the domain, open the MMC, and follow these steps:

  1. Create a directory c:\ls_cert to hold the exported .pfx file.
  2. Add the Certificate snap-in by selecting File > Add/Remove Snap-in > Certificates > Computer account > Local computer.
  3. In the left pane under Certificates, right-click Personal and choose All Tasks > Request New Certificate, and then click Next.
  4. In the Certificate Enrollment Policy wizard, choose Active Directory Enrollment Policy, click Next, and then select the check box next to Computer, and select Details to the right.
  5. Select Properties and on the General tab, type a friendly name and description.
  6. On the Subject tab, under Subject Type, choose Common name from the Type drop-down menu, type a friendly name in the text box, click Add, and then click Apply.
  7. On the Extensions tab, choose Key usage from the drop-down menu, and add Digital signature and Key encipherment to the Selected options box.
  8. On the Extended Key Usage drop-down menu, add Server Authentication and Client Authentication to the Selected options box.
  9. On the Private Key tab, under the Key options drop-down menu, ensure that the Key size is 2048, select the Key Exportable check box, and then click Apply.
  10. On the Certification Authority tab, ensure the CA check box is selected, and click OK > Enroll > Finish.
  11. In the Certificates console, select Personal > Certificates, click the certificate you built, select All Tasks > Export > Next, and select the Yes, Export the Private Key radio button and Next.
  12. Under Personal Information Exchange – PKCS #12(.PFX), select the check box to include all certificates, click Next, create a password, and click Next.
  13. Click Browse, navigate to C:\ls_cert and type server.PFX, and then follow the wizard to finish.

Step 1, method 2 — Obtain the .pfx file by sending a request to a Certificate Authority (CA)

These steps might vary based on your Certificate Authority.

  1. Log on to the License Server, open the MMC, and follow these steps:
    1. Add the Certificate snap-in by selecting File > Add/Remove Snap-in > Certificates > Computer account > Local computer.
    2. In the left pane under Certificates, right-click Personal and choose All Tasks > Advanced Operations > Create Custom Request, and click Next.
    3. On the Custom request screen, choose (No template) CNG key from the drop-down menu and PKCS#10 for the Request format, and click Next.
    4. On the Certificate Information screen, choose Details and click Properties.
    5. On the General tab, type a friendly name and description.
    6. On the Subject tab, under Subject name, choose Common name and type a value in the text box.
    7. On the Extensions tab, choose Key usage from the drop-down menu, and add Digital signature and Key encipherment.
    8. On the Extensions tab, choose Enhanced Key usage from the drop-down menu, and add Server Authentication and Client Authentication.
    9. On the Private Key tab, choose RSA, Microsoft Software Key Storage Provider (the default). Then, under the Key options drop-down menu, choose 2048 for the Key size and select Make private key exportable.
    10. Save the file to a .req file, submit the .req file to a Certificate Authority (CA), and save the .cer file.
  2. In the MMC, select Certificates > Personal > Certificates and right-click All Tasks > Import. In the Import wizard, select the .cer file.
  3. Create a directory c:\ls_cert to hold the exported .pfx file.
  4. In the Certificates console, select Personal > Certificates, click the certificate you just imported, select All Tasks > Export > Next, and select the Yes, Export the Private Key radio button and Next.
  5. Under Personal Information Exchange – PKCS #12(.PFX), select the check box to include all certificates, click Next, create a password, and then click Next.
  6. Click Browse, navigate to C:\ls_cert and type server.PFX, and then follow the wizard to finish.

Step 2 — Extract the certificate and private key

This step requires OpenSSL or another tool that allows you to extract the certificate and private key from a .pfx file.

Important: The version of OpenSSL shipped with the License Server does not support extracting certificates and private keys. You can download OpenSSL for Windows at https://www.openssl.org/related/binaries.html. Citrix recommends installing OpenSSL on a separate workstation to perform these steps:
  1. Navigate to the <openssl directory>\bin folder.
  2. Run openssl pkcs12 -in C:\ls_cert\server.pfx -out server.crt -nokeys
    Note: The License Server uses only the .crt certificate format.
  3. Type the password created during the export process (password).
  4. Run openssl pkcs12 -in C:\ls_cert\server.pfx -out server.key -nocerts -nodes
  5. Type the password created during the export process (password).
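
A check worth running between Step 2 and Step 3, as an added example that is not part of the Citrix documentation: it confirms that server.key belongs to the certificate in server.crt and that the certificate carries the 2048-bit key and the Server/Client Authentication usages requested in Step 1. It assumes openssl.exe is on the PATH and both files are in the current directory; the function name Test-CertKeyPair is made up for this example.

```powershell
# Added example (not Citrix code). Assumes openssl.exe is on PATH and that
# server.crt / server.key from Step 2 are in the current directory.
function Test-CertKeyPair {
    param([string]$Crt = 'server.crt', [string]$Key = 'server.key')

    # Public key of the FIRST certificate in the .crt file. If the export
    # included the whole chain, openssl x509 still reads only the first block.
    $certPub = (& openssl x509 -in $Crt -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $Crt" }

    # Public key derived from the extracted private key.
    $keyPub = (& openssl pkey -in $Key -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $Key" }

    # Human-readable dump, used for the key-size and usage checks.
    $text = (& openssl x509 -in $Crt -noout -text) -join "`n"
    $bits = if ($text -match 'Public-Key: \((\d+) bit\)') { [int]$Matches[1] } else { 0 }

    [pscustomobject]@{
        # -ceq: Base64 is case-sensitive, PowerShell's -eq is not.
        KeyMatchesCert = ($certPub -ceq $keyPub)
        KeyBits        = $bits
        ServerAuthEku  = ($text -match 'TLS Web Server Authentication')
        ClientAuthEku  = ($text -match 'TLS Web Client Authentication')
        # The page's command uses -nodes, so no ENCRYPTED marker is expected.
        KeyUnencrypted = -not (Select-String -Path $Key -Pattern 'ENCRYPTED' -CaseSensitive -Quiet)
    }
}

$result = Test-CertKeyPair
$result | Format-List

if (-not $result.KeyMatchesCert) {
    Write-Warning 'server.key does not match the first certificate in server.crt.'
}
if ($result.KeyBits -ne 2048) {
    Write-Warning "Key size is $($result.KeyBits) bits; Step 1 asked for 2048."
}
if (-not ($result.ServerAuthEku -and $result.ClientAuthEku)) {
    Write-Warning 'Server/Client Authentication usage from Step 1 is missing.'
}
```

Because -nodes writes the private key unencrypted, delete the working copies of server.key and server.pfx from the workstation once Step 3 is complete.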

Step 3 — Install the .crt and .key files on the License Server

  1. Copy the server.crt and server.key files created above to the \program files (x86)\citrix\licensing\WebServicesForLicensing\Apache\conf\ directory.
  2. Restart the Simple License Service.