Global site certificates
A global site certificate is a special-purpose server certificate whose key length is greater than 128 bits. A global site certificate consists of a server certificate and an accompanying intermediate-CA certificate. You must import the global site certificate and its key from the server to the Citrix ADC appliance.
How global site certificates work
Export versions of browsers use 40-bit encryption to initiate connections to SSL Web-servers. The server responds to connection requests by sending its certificate. The client and server then decide on an encryption strength based on the server certificate type:
- If the server certificate is a normal certificate and not a global site certificate, the export client and server complete the SSL handshake and use 40-bit encryption for data transfer.
- If the server certificate is a global site certificate (and if the export client feature is supported by the browser), the export client automatically upgrades to 128-bit encryption for data transfer.
If the server certificate is a global site certificate, the server sends its certificate, along with the accompanying intermediate-CA certificate. The browser first validates the intermediate-CA certificate by using one of the Root-CA certificates that are normally included in web browsers. Upon successful validation of the intermediate-CA certificate, the browser uses the intermediate-CA certificate to validate the server certificate. Once the server is successfully validated, the browser renegotiates (upgrades) the SSL connection to 128-bit encryption.
With Microsoft’s Server Gated Cryptography (SGC), if the Microsoft IIS server is configured with an SGC certificate, export clients that receive the certificate renegotiate to use 128-bit encryption.
Import a global site certificate
To import a global site certificate, first export the certificate and server key from the Web server. Global site certificates are generally exported in a binary format, so convert the certificate and key to the PEM format before importing them.
To import a global site certificate
Using a text editor, copy the server certificate and the accompanying intermediate-CA certificate into two separate files.
The individual PEM encoded certificate will begin with the header -----BEGIN CERTIFICATE----- and end with the trailer -----END CERTIFICATE-----.
Use an SFTP client to transfer the server certificate, intermediate-CA certificate, and server-key to the Citrix ADC appliance.
Use the following OpenSSL command to identify the server certificate and intermediate-CA certificate from the two separate files.
Note: You can launch the OpenSSL interface from the configuration utility. In the navigation pane, click SSL. In the details pane, under Tools, click Open SSL interface.
openssl x509 -in <path of the CA cert file> -text
X509v3 Basic Constraints: CA:TRUE
X509v3 Key Usage: Certificate Sign, CRL Sign
Netscape Cert Type: SSL CA, S/MIME CA

openssl x509 -in <path of the server certificate file> -text
X509v3 Basic Constraints: CA:FALSE
Netscape Cert Type: SSL Server
At the FreeBSD shell prompt, enter the following command:
openssl x509 -in cert.pem -text | more
Where cert.pem is one of the two certificate files.
Read the Subject field in the command output. For example,
Subject: C=US, ST=Oregon, L=Portland, O=mycompany, Inc., OU=IT, CN=www.mycompany.com
If the CN field in the Subject matches the domain-name of your Web site, then this is the server certificate and the other certificate is the accompanying intermediate-CA certificate.
Use the server certificate (and its private key) to create a certificate key pair on the Citrix ADC appliance. For details on creating a certificate-key pair on the Citrix ADC, see Add a certificate key pair.
Add the intermediate-CA certificate on the Citrix ADC appliance. Use the server certificate you created in step 4 to sign this intermediate certificate. For details on creating an Intermediate-CA certificate on the Citrix ADC, see Generate a test certificate.
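The identification step above (Basic Constraints CA:TRUE versus CA:FALSE) and a check that the server key belongs to the server certificate can be scripted before the files are added to the appliance. The following is an added example, not Citrix code; the function names, the example.test subjects, and the throwaway sample chain it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Citrix code): tell the two PEM files apart and check the key.

# cert_role FILE: print "ca" if X509v3 Basic Constraints says CA:TRUE, "server"
# for any other parseable certificate, "invalid" if the file is not a certificate.
cert_role() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo invalid; return 1
    fi
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo server
    fi
}

# key_matches_cert CERT KEY: succeed only if the private key's public half is
# the public key embedded in the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# make_sample_chain DIR: build a constructed CA and server certificate in DIR
# (hypothetical names, throwaway keys) so the checks can be tried offline.
make_sample_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
        '[ext_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[ext_leaf]' 'basicConstraints=CA:FALSE' > "$d/x.cnf"
    for n in ca server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
            -subj "/CN=$n.example.test" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/x.cnf" -extensions ext_ca -out "$d/ca.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/x.cnf" -extensions ext_leaf \
        -out "$d/server.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_chain "$demo_dir"
for f in ca.pem server.pem; do
    echo "$f: $(cert_role "$demo_dir/$f")"
done
key_matches_cert "$demo_dir/server.pem" "$demo_dir/server.key" && echo "server.key matches server.pem"
```

On real files, call cert_role on each of the two PEM files and key_matches_cert on the server certificate and exported key; a mismatch at this point means the wrong key was exported or the files were swapped.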