Manually install a certificate used by the Citrix Licensing Manager and Web Services for Licensing

May 22, 2017

Note

Use this procedure if you are a Director or Studio administrator who doesn't want to use the self-signed certificate that is generated during installation.

Create a certificate

To install a certificate, there are three steps:

  1. Obtain a .pfx file, which contains the certificate and private key. You can use one of two methods to obtain the .pfx file.
  2. Extract the certificate and private key from the .pfx file.
  3. Install the certificate and private key onto the License Server.

Step 1, method 1 - Obtain the .pfx file using a domain certificate

Log on to a server in the domain, open the MMC, and follow these steps:

  1. Create a directory c:\ls_cert to hold the exported .pfx file.
  2. Add the Certificate snap-in by selecting File > Add/Remove Snap-in > Certificates > Computer account > Local computer.
  3. In the left pane under Certificates, right-click Personal and choose All Tasks > Request New Certificate, and then click Next.
  4. In the Certificate Enrollment Policy wizard, choose Active Directory Enrollment Policy, and click Next. Select the check box next to Computer, and select Details to the right.
  5. Select Properties and on the General tab, type a friendly name and description.
  6. On the Subject tab, under Subject Type, choose Common name from the Type drop-down menu. Type a friendly name in the text box, click Add, and then click Apply.
  7. On the Extensions tab, choose Key usage from the drop-down menu, add Digital signature and Key encipherment to the Selected options box.
  8. On the Extended Key Usage drop-down menu, add Server Authentication and Client Authentication to the Selected options box.
  9. On the Private Key tab and under the Key options drop-down menu, ensure that the Key size is 2048. Select the Key Exportable check box, and then click Apply.
  10. On the Certification Authority tab, ensure that the CA check box is selected, and click OK > Enroll > Finish.
  11. In the Certificates console, select Personal > Certificates, and click the certificate you built. Select All Tasks > Export > Next, select the Yes, Export the Private Key radio button, and then click Next.
  12. Under Personal Information Exchange - PKCS #12(.PFX), select the check box to include all certificates, click Next, create a password, and click Next.
  13. Click Browse, navigate to C:\ls_cert and type server.PFX, and then follow the wizard to finish.

Step 1, method 2 - Obtain the .pfx file by sending a request to a Certificate Authority (CA)

These steps might vary based on your Certificate Authority.

  1. Log on to the License Server, open the MMC, and follow these steps:
    1. Add the Certificate snap-in by selecting File > Add/Remove Snap-in > Certificates > Computer account > Local computer.
    2. In the left pane under Certificates, right-click Personal and choose All Tasks > Advanced Operations > Create Custom Request, and click Next.
    3. In the Certificate Enrollment Policy wizard, choose Proceed without enrollment policy under Custom Request, and click Next.
    4. On the Custom request screen, choose (No template) CNG key from the drop-down menu and PKCS#10 for the Request format, and click Next.
    5. On the Certificate Information screen, choose Details and click Properties.
    6. On the General tab, type a friendly name and description.
    7. On the Subject tab, under Subject name, choose Common name and type a value in the text box.
    8. On the Extensions tab, choose Key usage from the drop-down menu, add Digital signature and Key encipherment.
    9. On the Extensions tab, choose Enhanced Key usage from the drop-down menu, add Server Authentication and Client Authentication.
    10. On the Private Key tab, under Cryptographic Service Provider, choose RSA, Microsoft Software Key Storage Provider (the default). From the Key options drop-down menu, ensure that the key size is 2048, select the Key Exportable check box, and then click Apply.
    11. Save the file to a .req file, submit the .req file to a Certificate Authority (CA), and save the .cer file.
  2. In the MMC, under Certificates, right-click Personal and choose All Tasks > Import. In the Import wizard, select the .cer file.
  3. Create a directory c:\ls_cert to hold the exported .pfx file.
  4. In the Certificates console, select Personal > Certificates, and click the certificate you just imported. Select All Tasks > Export > Next, select the Yes, Export the Private Key radio button, and then click Next.
  5. Under Personal Information Exchange - PKCS #12(.PFX), select the check box to include all certificates, click Next, create a password, and then click Next.
  6. Click Browse, navigate to C:\ls_cert and type server.PFX, and then follow the wizard to finish.

Step 2 - Extract the certificate and private key

This step requires OpenSSL or another tool that allows you to extract the certificate and private key from a .pfx file.

Important: The version of OpenSSL shipped with the License Server does not support extracting certificates and private keys. For information about downloading OpenSSL, go to www.openssl.org. Citrix recommends installing OpenSSL on a separate workstation to perform these steps:

  1. Navigate to the <openssl directory>\bin folder.
  2. Run openssl pkcs12 -in C:\ls_cert\server.pfx -out server.crt -nokeys
    Note: The License Server uses only the .crt certificate format.
  3. Type the password created during the export process (password).
  4. Run openssl pkcs12 -in C:\ls_cert\server.pfx -out server.key -nocerts -nodes
  5. Type the password created during the export process (password).
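
The following is an added example, not part of the Citrix procedure: a POSIX shell script that runs the two Step 2 extractions non-interactively and confirms that server.crt and server.key belong together before they are copied in Step 3. The PFX_PASS variable, the script name check_pair.sh, and the sample host name are assumptions, and the same openssl arguments apply at a Windows command prompt.

```shell
#!/bin/sh
# Added example, not Citrix code. The .pfx password is read from the exported
# environment variable PFX_PASS (assumed name) instead of an interactive prompt.

# Step 2, non-interactive: writes server.crt and server.key into directory $2.
extract_pair() {  # usage: extract_pair <pfx> <outdir>
    openssl pkcs12 -in "$1" -out "$2/server.crt" -nokeys \
        -passin env:PFX_PASS 2>/dev/null || return 1
    # -nodes leaves the private key unencrypted, so create it owner-only.
    ( umask 077
      openssl pkcs12 -in "$1" -out "$2/server.key" -nocerts -nodes \
          -passin env:PFX_PASS 2>/dev/null ) || return 1
    chmod 600 "$2/server.key"
}

# True only if certificate and private key contain the same public key.
# x509 reads only the first certificate in the file, so the check assumes
# the server certificate comes first.
pair_matches() {  # usage: pair_matches <crt> <key>
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Constructed sample input: throwaway self-signed 2048-bit pair packed into a .pfx.
make_sample_pfx() {  # usage: make_sample_pfx <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ls.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -out "$1/server.pfx" -passout env:PFX_PASS
}

# Usage: PFX_PASS='...' sh check_pair.sh <pfx> <outdir>
if [ "$#" -eq 2 ]; then
    if extract_pair "$1" "$2" && pair_matches "$2/server.crt" "$2/server.key"; then
        echo "OK: server.crt and server.key match"
    else
        echo "FAIL: extraction failed or the pair does not match" >&2
        exit 1
    fi
fi
```

Because server.key is written without a passphrase, remove the workstation copies of server.key and server.pfx once Step 3 is complete.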

Step 3 - Install the .crt and .key files on the License Server

Windows - Web Services for Licensing:

  1. Copy the server.crt and server.key created above to \program files (x86)\citrix\licensing\WebServicesForLicensing\Apache\conf\.
  2. Restart the Citrix Web Services for Licensing service.

Windows - License Administration Console:

  1. Copy the server.crt and server.key created above to c:\Program Files (x86)\Citrix\Licensing\LS\conf.
  2. Restart the Citrix Licensing service.

VPX:

  1. Copy the server.crt and server.key created above to /opt/citrix/licensing/LS/conf/.
  2. Run /etc/init.d/citrixlicensing stop
  3. Run /etc/init.d/citrixlicensing start