Use the re-sign command-line parameter when the existing signing
certificate is nearing expiration, has expired, or is compromised. You must
supply the new signing certificate file name, the Single Sign-on Service URI,
the location of the central store, and central store type (NTFS network share
or Active Directory). All data is read and verified and then signed using the
new certificate. No setting changes are necessary in the console or plug-in
software because they already have data integrity enabled.
Use the following steps to re-sign corrupt data:
- Open the Single Sign-on component of the Citrix AppCenter and locate the user configuration that is
- Open the user configuration to verify the data can be read from the central store.
- Close the user configuration to save new corruption-free data in the central store.
- Use the signing tool (ctxsigndata) to re-sign the data in the central store.
Note: If the corruption appears to be caused by a security breach,
perform this procedure for all user configurations before re-signing the data
to avoid inadvertently signing unsecured data.
The syntax for the CtxSignData command with the -r parameter is:
CtxSignData [-r service_path certificate_file centralstore_location NTFS|AD]
-r || Re-signs data files in the central store
service_path || Indicates the Single Sign-on Service path in
certificate_file || Indicates the filename of the certificate to use for signing or re-signing data
centralstore_location || Indicates the Universal Naming Convention (UNC) path to the location of the file share or Domain Name System (DNS) of the Active Directory domain controller
NTFS|AD = Central store network directory service type,
- NTFS = Microsoft NTFS file share
- AD = Microsoft
The following are examples of the CtxSignData command with the -r
ctxsigndata -r "mpmserver.mycompany.com/MPMService" "C:\priv12mos.cert" "\\MPMCentralServer\citrixsync$" NTFS
ctxsigndata -r mpmserver.mycompany.com/MPMService "C:\priv3mos.cert" DC1.mycompany.com AD
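
The following PowerShell wrapper is an added example, not part of the Citrix documentation or tooling. It checks the arguments against the syntax above (certificate file present, UNC path for NTFS, resolvable DNS name for AD) before calling ctxsigndata -r. The function name Invoke-CtxReSign, its parameter names, and the assumption that ctxsigndata is on PATH are hypothetical.

```powershell
# Added example. Invoke-CtxReSign and its parameter names are hypothetical;
# only the ctxsigndata argument order comes from the syntax on this page.
function Invoke-CtxReSign {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServicePath,
        [Parameter(Mandatory)][string]$CertificateFile,
        [Parameter(Mandatory)][string]$CentralStoreLocation,
        [Parameter(Mandatory)][ValidateSet('NTFS', 'AD')][string]$StoreType,
        [string]$ToolPath = 'ctxsigndata'   # assumption: the tool is on PATH
    )
    $problems = @()

    # The new signing certificate file must exist before any data is re-signed.
    if (-not (Test-Path -LiteralPath $CertificateFile -PathType Leaf)) {
        $problems += "Signing certificate not found: $CertificateFile"
    }
    if ($StoreType -eq 'NTFS') {
        # An NTFS central store is given as a UNC path (\\server\share).
        if ($CentralStoreLocation -notmatch '^\\\\[^\\]+\\[^\\]+') {
            $problems += "NTFS store must be a UNC path: $CentralStoreLocation"
        } elseif (-not (Test-Path -LiteralPath $CentralStoreLocation -PathType Container)) {
            $problems += "Central store share not reachable: $CentralStoreLocation"
        }
    } elseif ($CentralStoreLocation -match '[\\/]') {
        # An AD central store is given as the domain controller's DNS name.
        $problems += "AD store must be a DNS name, not a path: $CentralStoreLocation"
    } else {
        try { [void][System.Net.Dns]::GetHostEntry($CentralStoreLocation) }
        catch { $problems += "Cannot resolve domain controller: $CentralStoreLocation" }
    }

    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    # Same argument order as the documented syntax: -r service cert store type.
    $toolArgs = @('-r', $ServicePath, $CertificateFile, $CentralStoreLocation, $StoreType)
    if ($PSCmdlet.ShouldProcess($CentralStoreLocation, "ctxsigndata $($toolArgs -join ' ')")) {
        & $ToolPath @toolArgs | Out-Host
    }
    return $true
}

# Dry run (-WhatIf) with the values from the first example on this page.
Invoke-CtxReSign -ServicePath 'mpmserver.mycompany.com/MPMService' `
    -CertificateFile 'C:\priv12mos.cert' `
    -CentralStoreLocation '\\MPMCentralServer\citrixsync$' -StoreType NTFS -WhatIf
```

With -WhatIf the function prints the command it would run instead of running it; on a machine without the certificate file or the share it lists the failed checks as warnings and returns $false.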