
Certificate conversion tool: pfx2pem

Here's a pretty typical stumbling block you might run into if you want to migrate from Secure Gateway servers to an Access Gateway appliance: Your Secure Gateway server running Windows already has a certificate installed and you'd like to re-use that certificate on the Access Gateway appliance instead of paying for a new certificate. But the Secure Gateway certificate is buried in the local machine store of a Windows box and the Access Gateway expects a certificate and private key in the UNIXy PEM format. How can you get that certificate and private key off the Windows box and onto the CAG?

Hopefully, when you originally requested the certificate for your Windows server, you enabled the "Mark keys as exportable" option. If not, you are out of luck here because the private key associated with your server certificate is now imprisoned on that Windows box. But assuming the private key is exportable, you should be able to view the certificate in the Certificates MMC snap-in and export it out to a file.

When you export the certificate, you'll be asked whether you want to export the private key as well, and prompted for a password to protect that private key. (This option is greyed out when the key is not exportable.)

This export process produces a file that has a .PFX extension. PFX is short for Personal inFormation eXchange. I'm not sure why Microsoft didn't just go ahead and use the .PIE extension here. I mean, everybody loves PIE, right?

The PFX file format is also known as a PKCS#12. It's a secure envelope that contains both the certificate (public key) and its corresponding private key in a single file. Guard these sorts of files carefully, because if they fall into the wrong hands, they can be used to impersonate your server on the Internet. That's why you are prompted for a password when the file is created--when you know the password you can install this certificate onto any other server.

Access Gateway expects certificates in PEM format, which is a Base64-encoded text file. Open up a DER-encoded certificate or a PFX file in Notepad and you will see gibberish because those are binary file formats. But a PEM-formatted certificate is readable and easy to send over e-mail (the certificate, that is; a PEM file that also holds the private key deserves the same care as the PFX), like this:

-----BEGIN CERTIFICATE-----
MIIEmjCCA4KgAwIBAgIQTDaDelcN1IRLlBVAefUrpDANBgkqhkiG9w0BAQUFADBK
MRMwEQYKCZImiZPyLGQBGRYDY3R4MRYwFAYKCZImiZPyLGQBGRYGZ2VtaW5pMRsw
GQYDVQQDExJDaXRyaXggaUZvcnVtIDIwMDQwHhcNMDQwNjIzMTk0NDI0WhcNMTQw
NjIzMTk1MzM1WjBKMRMwEQYKCZImiZPyLGQBGRYDY3R4MRYwFAYKCZImiZPyLGQB
aq1y91gz2NyED4EPtrDgfafweP/v9NH9irJfRtY0yoVxT1q4+ag0yfMx57uwzExc
w5qtU69C0kCN6AC8zse0zstEqbTIDPM2RdzWZWoDJ3fiuPKfXh2LAgMBAAGjggF6
b9DhbMjfUdyHOA8c8Ap6kGYhU4PLMHB+1g1b/8mEgeTt6PTEEVoKJBC026AmZLK3
UxF5XGYuoEJrLNty905/2f4W291M5YgtPSDaT7iLyKewtWfr3r3Sz83gTv3U+lIz
zck/rC4mYssb2Lv3ZAJL94/9aWfEQqUTGV5fKfmj
-----END CERTIFICATE-----

When you upload a certificate to Access Gateway, it expects it to be in this PEM format. AG also expects the private key to be in the same PEM file, so a proper PEM file for AG 4.2 would look something like this:

Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: 8d790ff1becfddffad82a49ecf38a234_ef64343b-cae7-4db9-8025-eec430840df7
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDlgcfdWrkIbeRNPlaY2w4OFTMpLP6VLcu93C9y2NLaMtofuzbd
fMyWN9psFz0tiDDwGmooJ7IqdP5j6+biwjLrIIYhXGUI2ztuKVyoZk/Ud84ErtDj
h7UQKkleVNJUr5NLAurAoQpC+ne1yEWtZ+bbLVB6qHt5dHSGRXpNp+qj4Jb81suy
FPPgtvJ+41oAixgf638CQCatE/C3Qxq71zJD3+dWi2J61uTSvP+DBEugME+Tx72Z
KbsBRrKpFzkm2B4pAV11Vzy7kLAlZzDZbg6V6Ejm/qw=
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/C=US/ST=Florida/L=Fort Lauderdale/O=Citrix Systems/OU=Technical Support/CN=sg.company.com
issuer=/DC=ctx/DC=gemini/CN=Citrix iForum 2004
-----BEGIN CERTIFICATE-----
(same Base64 certificate body as in the example above)
-----END CERTIFICATE-----

Access Gateway 4.2 and earlier require that you use certificates with an unencrypted private key. This will change in 4.5, where encrypted private keys will be supported and encouraged. Netscaler expects PEM formatted certificates too, and supports the upload of password-protected private keys.

The AG Administrator's Guide advises you to use OpenSSL to convert your certificate into PEM format. Just find a UNIX system or a Win32 port of OpenSSL, go out to a command prompt and type:

openssl pkcs12 -in cert.pfx -out newcert.pem -nodes

(BTW, that -nodes flag is not the plural of node, it means "no DES encryption".)

But that's a hassle. You don't want to spend all day at a command prompt cd'ing into the right directory and typing fully qualified file paths and such. So here's pfx2pem, a little Windows shell wrapper that will generate and execute the OpenSSL command for you:

Download pfx2pem.zip

To use pfx2pem, just drag and drop your PFX file onto the pfx2pem.wsf icon. It prompts you for the password and then spits out a PEM file right next to the original PFX file.

There are two versions of the tool included:

  1. pfx2pem - generates a PEM file with an unencrypted private key. Use this for CAG 4.2.x and earlier.
  2. pfx2pem-des - generates a PEM file with an encrypted private key. Use this for Netscaler and future versions of CAG.
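Here is the whole procedure as a shell script, added as an example and not part of the original post or of the pfx2pem download: the two conversions the tools perform (unencrypted key for CAG 4.2.x, encrypted key for Netscaler and later CAG), plus the checks worth running before you upload the result, in particular that the private key in the PEM file really belongs to the certificate, which is the usual reason a gateway rejects an upload. The file names, the CN sg.example.com and both passwords are placeholders; the PFX is constructed on the fly from a throwaway self-signed certificate so the script runs without a Windows export.

```shell
#!/bin/sh
# Added example (not the post's tool): pfx2pem / pfx2pem-des as shell functions,
# with the sanity checks a gateway admin wants before uploading the PEM file.
set -eu

# pfx2pem: PKCS#12 -> PEM with an UNENCRYPTED private key (CAG 4.2.x and earlier).
# $1 = input .pfx, $2 = output .pem, $3 = password the PFX was exported with.
pfx2pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3"
}

# pfx2pem-des: PKCS#12 -> PEM with an ENCRYPTED private key (Netscaler, CAG 4.5+).
# $4 = passphrase that protects the key inside the PEM file. The post's tool takes
# its "-des" name from the 3DES default of the OpenSSL of its day; -aes256 is given
# explicitly here so the result does not depend on the installed version's default.
pfx2pem_des() {
    openssl pkcs12 -in "$1" -out "$2" -aes256 -passin "pass:$3" -passout "pass:$4"
}

# Succeeds when the PEM file carries both a certificate block and a private key
# block (AG wants both in one file).
pem_has_pair() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- 'PRIVATE KEY-----' "$1"
}

# Succeeds when the private key in the PEM file is passphrase-protected. Matches the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" header of current OpenSSL as well as the
# "Proc-Type: 4,ENCRYPTED" header older releases put on traditional RSA keys.
pem_key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeeds when the key and the certificate in the PEM file belong together,
# compared by RSA modulus. $2 = key passphrase ("" for an unencrypted key).
# The PEM readers skip the "Bag Attributes" lines and any block of the wrong type.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$1" -noout -modulus -passin "pass:$2" 2>/dev/null || true)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# --- Constructed input: a throwaway self-signed server certificate packaged as a
# password-protected PFX, standing in for the one exported from the Secure Gateway
# box. CN and passwords are placeholders, not values from the post.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXPORT_PW='pfx-export-password'
KEY_PW='pem-key-passphrase'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sg.example.com' \
    -keyout "$WORK/sg.key" -out "$WORK/sg.crt" 2>/dev/null
openssl pkcs12 -export -in "$WORK/sg.crt" -inkey "$WORK/sg.key" \
    -name 'sg.example.com' -out "$WORK/sg.pfx" -passout "pass:$EXPORT_PW"

# --- The two conversions the post's tools perform.
pfx2pem     "$WORK/sg.pfx" "$WORK/sg.pem"     "$EXPORT_PW"
pfx2pem_des "$WORK/sg.pfx" "$WORK/sg-des.pem" "$EXPORT_PW" "$KEY_PW"

# --- Checks before uploading. Under set -e any failing check aborts the script.
pem_has_pair "$WORK/sg.pem"
key_matches_cert "$WORK/sg.pem" ""
echo "sg.pem: certificate + unencrypted key, modulus matches (CAG 4.2.x and earlier)"
pem_has_pair "$WORK/sg-des.pem"
pem_key_is_encrypted "$WORK/sg-des.pem"
key_matches_cert "$WORK/sg-des.pem" "$KEY_PW"
echo "sg-des.pem: certificate + encrypted key, modulus matches (Netscaler / CAG 4.5)"
```

Point the two functions at a real export (`pfx2pem sg.pfx sg.pem 'export password'`) and run key_matches_cert on the result; if the modulus check fails, the PFX did not contain the key that goes with that certificate, and no amount of re-uploading will make the gateway accept it.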



Comments

Great note of warning for AG users, but a quick question. What would you suggest being the best move for going from one AG to another AG? I can copy the configuration of one over to the other, but the certificate is registering as invalid when users log on afterwards. I tried reinputting the certificate afterwards to no avail.
