Creating a New Signing Certificate

Feb 07, 2011

The Single Sign-on Service generates event log alerts shortly before the signing certificate expires and again when it expires. To stop the alerts, create a new certificate with CtxCreateSigningCert.exe. Then use the Data Signing Tool, CtxSignData.exe, to sign the data in your central store using the keys supplied by the new certificate.

You do not need to create a new signing certificate after you first configure the Single Sign-on Service unless one of the following statements is true:
  • Your signing certificate is about to expire or has expired
  • You believe your signing certificate is compromised

To create a new certificate, you must run CtxCreateSigningCert.exe, available from the %ProgramFiles%\Citrix\MetaFrame Single Sign-on\Service folder. At a command prompt on the computer running the Single Sign-on Service, type CtxCreateSigningCert.exe.

Enter the public key file name, the private key file name, and the time, in months, before the signing certificate expires. The new certificate is created.

Usage: CtxCreateSigningCert <name_of_public_cert> <name_of_private_cert> <expiration_period_in_months>

Where:
  <name_of_public_cert> = File name to use for the public certificate
  <name_of_private_cert> = File name to use for the private certificate
  <expiration_period_in_months> = Number of months before the certificate expires

ctxcreatesigningcert "C:\PublicKeyCert.cert" "C:\PrivateKeyCert.cert" "12"