Product Documentation

Installing Certificates

Oct 20, 2015

App Controller requires root and server certificates to communicate in the following ways:

  • Between App Controller and the App Controller management console
  • Between applications and App Controller
  • Between App Controller and StoreFront
Note: You can only install Privacy Enhanced Mail (PEM) and Personal Information Exchange (.pfx) certificate files on App Controller.

You need to install multiple certificates on App Controller to facilitate secure communication. Each certificate serves a specific communication purpose.

App Controller requires the following three certificates:
  • Secure SSL server certificate that is used for secure connections to the management console and for communicating with StoreFront
  • Secure SSL server certificate for communicating between App Controller and applications that require an SSL certificate for user account management
  • Secure SSL certificate for communication between App Controller and SAML applications that require an SSL certificate

If you configure a SAML application in App Controller, such as Google Apps, you might need to upload a SAML certificate to App Controller. For more information about SAML certificates, see the application documentation.

Installing a Signed Server Certificate and Private Key on App Controller

App Controller includes a server certificate that is not signed by a trusted Certificate Authority (CA). You need to install on App Controller a digital X.509 server certificate that belongs to your company and is signed by a CA. Your company can operate as its own CA, or you can obtain a digital signed server certificate from a commercial CA, such as VeriSign or Thawte.

App Controller accepts a Privacy Enhanced Mail (PEM) format certificate file. PEM is a text format that is the Base-64 encoding of the Distinguished Encoding Rules (DER) binary format. The PEM format specifies the use of text BEGIN and END lines that indicate the type of content that is being encoded.

You can install a secure digital certificate and private key on App Controller in the following two ways:

  • Generate a Certificate Signing Request (CSR) by using the App Controller management console. When App Controller generates the CSR, App Controller creates a certificate and private key. The private key remains on App Controller and the certificate contents are copied and submitted to a CA web site for signing. When the signed certificate is returned, you install the certificate on App Controller. During installation, the signed certificate is paired with the password-protected private key. Citrix recommends that you use this method to create and install secure certificates.
  • Install a PEM certificate and private key from a Windows-based computer. By using this method, you upload a signed certificate and private key together. The certificate is signed by a CA and is paired with the private key.

To install a certificate and private key from a Windows-based computer

If you are using a load balancer or you have a signed digital certificate with a private key that is stored on a Windows-based computer, you can upload the certificate to App Controller. If the App Controller virtual machine (VM) is not located behind a load balancer, the certificate must contain the fully qualified domain name (FQDN) of App Controller. If the App Controller VM is located behind a load balancer, each appliance must contain the same certificate and private key.

  1. In the App Controller management console, click the Settings tab.
  2. In the left pane, under System Configuration, click Certificates.
  3. Click Import and then select Server (.pfx).
  4. In the Import a certificate dialog box, click Browse, navigate to the certificate and then click Open.

    When you upload the certificate to App Controller, you are asked for a password to encrypt the private key.