
As security is paramount for most organizations, consider signing your App Layering appliance with either a public or an internal certificate. A public certificate is issued by a trusted third-party Certificate Authority (CA) and is typically used for public-facing services. An internal certificate is issued by your organization's internal CA and is used for internal services. By default, the App Layering appliance allows administrators to create a self-signed certificate. This may be fine for many organizations; however, it is recommended that a trusted certificate be installed. In a recent engagement, the internal security team had a policy to mark self-signed certificates as non-compliant, and thus it was necessary to obtain an internally signed certificate for the App Layering appliance.

Before going into the detailed steps, let us review the certificate requirements for the App Layering appliance.

  • It must be a Privacy Enhanced Mail (PEM) certificate.
  • It must include both the certificate and the key.
  • It must not include a passphrase.

Securing Citrix App Layering Appliance with Trusted Certificates Using Command Line Interface (CLI)

As the appliance is CentOS Linux-based, OpenSSL commands are used.
The first step is to create a new private key.

openssl genrsa -out AppLayering_privkey.key 2048

Next, create a CSR from that private key (the `-subj` values below are placeholders; replace them with your organization's details).

openssl req -new -key AppLayering_privkey.key -out AppLayering.csr -subj "/C=CA/ST=State/L=City/O=Company/OU=IT/CN=AppLayering.Company.com"

Once the CSR is created, copy the file to a location where it can be accessed and used in the next step. There are several tools available; WinSCP was used in this case.

The following step depends on whether an internal or public certificate was requested. For this blog, the steps for internally signed certificates will be used.


Go to your certificate authority and obtain a DER certificate. Make sure to select Web Server as the certificate template.

Once the certificate is obtained (publicly or privately signed), it has to be copied back to the appliance and converted from DER to PEM using OpenSSL.

openssl x509 -inform der -outform pem -in /root/AppLayering.cer -out /root/AppLayering_public.pem

The PEM certificate has to have both the private key and the certificate, so let’s combine them on the appliance.

cat /root/AppLayering_privkey.key /root/AppLayering_public.pem > AppLayering.pem

Now that the PEM certificate has been obtained, it is ready to be imported into the App Layering appliance. Transfer the certificate to an accessible location and import it into App Layering following the steps outlined in the System Settings article.

Securing Citrix App Layering Appliance with Trusted Certificates Using DigiCert Utility

Admins who are more comfortable using a GUI can download and install the DigiCert utility for CSR creation. The DigiCert utility can be downloaded from the DigiCert Certificate Utility for Windows page on DigiCert.com.

The first step is to generate a CSR using the utility, as shown in the following picture.

Save your CSR and go to your certificate authority to obtain the DER certificate. Select Web Server as the certificate template. This is the same step as in the previous method.
Once the certificate is obtained, open the DigiCert utility, click Import, navigate to the location of the certificate file, and click Next.

The following screen will show certificate details. Enter the friendly name and click Finish.

Once the certificate is imported into the DigiCert utility, click Test Key to verify that the private key passes the test.

Once the private key passes the test, click on Export Certificate.

Export the certificate as a key file, as shown in the image below.

Copy the Base64 certificate and the private key to the appliance. Make sure to rename the certificate file extension from p7b to PEM.

The PEM certificate must have both the private key and the certificate, so let’s combine them on the appliance. Use the following command to combine the private key and the certificate.

cat /root/AppLayering_ferroquesystems_com.key /root/certnew.pem > AppLayering.pem
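Whichever route produced the combined file (the OpenSSL steps or the DigiCert steps above), a quick check before importing catches the usual rejection causes: a key and certificate from different requests, a passphrase-protected key, or a DER or PKCS#7 file that was merely renamed to .pem. The POSIX shell function below is an added example, not from the article; it assumes openssl is on the PATH (it is on the CentOS-based appliance) and takes the bundle path as its argument.

```shell
#!/bin/sh
# check_pem_bundle: pre-import sanity check for the App Layering PEM bundle.
# Verifies the three stated requirements (PEM text, key + certificate present,
# no passphrase) and that the private key really belongs to the certificate.
# Returns 0 when the bundle looks importable, non-zero with a reason otherwise.
check_pem_bundle() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "cannot read $bundle"; return 1; }
    # Requirement: both a private key block and a certificate block must exist.
    # A DER file renamed to .pem has neither marker and fails here.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$bundle" || { echo "no private key block in $bundle"; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" || { echo "no certificate block in $bundle"; return 3; }
    # Requirement: no passphrase. Covers PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
    # and legacy PKCS#1 ("Proc-Type: 4,ENCRYPTED") encrypted forms.
    if grep -q 'ENCRYPTED' "$bundle"; then
        echo "private key in $bundle is passphrase-protected; re-export it without one"; return 4
    fi
    # A renamed Base64 .p7b carries a PKCS#7 wrapper, not a bare certificate.
    if grep -q -- '-----BEGIN PKCS7-----' "$bundle"; then
        echo "PKCS#7 block in $bundle; extract the certificate with 'openssl pkcs7 -print_certs' first"; return 5
    fi
    # Key/certificate match: the public key derived from each side must be identical.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || { echo "cannot parse private key in $bundle"; return 6; }
    crt_pub=$(openssl x509 -in "$bundle" -pubkey -noout 2>/dev/null) || { echo "cannot parse certificate in $bundle"; return 7; }
    [ "$key_pub" = "$crt_pub" ] || { echo "private key in $bundle does not match the certificate"; return 8; }
    echo "ok: $bundle is ready to import"
    return 0
}

# Usage on the appliance: sh check_pem.sh /root/AppLayering.pem
if [ $# -gt 0 ]; then
    check_pem_bundle "$1"
fi
```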

Securing App Layering Agent with Trusted Certificate

Now that the appliance is secured with the trusted certificate, the agent’s self-signed certificate may need to be updated. As the self-signed certificates are deemed non-compliant, clients may request that they be updated.

As with the appliance, a certificate will need to be assigned to the machines with the App Layering agent installed. As these are, in most cases, Windows systems, the certificate can be requested through the Certificate Management console or the DigiCert utility. Regardless of the method, the trusted certificate is needed on the machine with the agent installed.

Once the trusted certificate is obtained, it must be added to the local computer certificate store (Personal).

To assign a trusted certificate to the agent, the existing binding of the self-signed certificate (named UnideskAgent in the local computer certificate store) must be removed.

netsh http delete urlacl https://+:8016/
netsh http delete sslcert ipport=0.0.0.0:8016

Once the self-signed certificate is removed, bind the newly obtained trusted certificate.

netsh http add urlacl https://+:8016/ user="Everyone"
netsh http add sslcert ipport=0.0.0.0:8016 certhash=HashOfCertInComputerMyStoreAsHex appid={bf28cef2-7642-4294-b3d3-a68c2e971031}

In Conclusion…

Securing communication between entities in the environment using self-signed certificates may be sufficient for some companies. If, however, the requirement is to use trusted certificates for the communication between an App Layering appliance and an App Layering agent, this article shows how to configure, install, and bind the trusted certificates on both the appliance and the agent.

About the author: Zeljko Macanovic

Zeljko is Ferroque's Chief Architect and a leading expert in Citrix technologies, boasting over three decades of experience with Citrix and Microsoft platforms. His contributions at Citrix include serving on the CCAT board and enhancing Citrix Consulting standards and methodologies.
