Using a Startcom [...]]]> For a very low cost, it’s easy to use StartSSL (Startcom) certificates on the Citrix NetScaler product line. This is includes the free NetScaler VPX Express edition. A lot of problems I see with others configuring the NetScaler is related to either self-signed certificates or the use of intermediate (e.g., chained) certificates.

Using a Startcom certificate allows for a trusted CA (no certificate errors) and the NetScaler makes it easy to configure intermediate certificates. We’ll go through the entire process of creating a certificate usable on the NetScaler. The process is also the same for any chained certificate.

The Objective

We want to secure a connection to virtual server on the NetScaler using SSL for a low cost (free for a 30 day certificate or USD$50 for a two-year certificate). Specifically:

• Low-cost certificate (or certificates)
• Valid for all major browsers or servers that will connect to the NetScaler
• Imported and bound to a NetScaler Access Gateway Virtual Server

The Environment

NetScaler VPX Express with the following configuration:

• Version 9.2 (9.1 or previous versions should work, maybe with changes to the GUI)
• NetScaler IP (NIP) and Mapped IP (MIP) already configured
• Commands via GUI
• Usable IP address for a virtual server (to test)
• Administrative access (nsroot) to the NetScaler

Other required items:

• A valid public domain (required for Startcom certificate issuance)
• Workstation or server with OpenSSL tools loaded
• Startcom account (class 1 or class 2, meaning you have a client certificate)

Create the Certificate

Prior to any NetScaler configurations, we’ll first create the certificate and prep the files for the NetScaler. This include the private key, signing request, then downloading the certificate and the certificate chain (intermediate and root certificates). You can do these same steps from the NetScaler GUI, but I’ve always found having the OpenSSL toolkit around to be consistent across platforms and useful for troubleshooting problems.

Private Key and Certificate Signing Request (CSR)

First create a private key of suitable size (I’m using an URL from my domain as an example):

D:\Temp>openssl genrsa -out test.gavinadams.org.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................+++
.................+++
e is 65537 (0x10001)

Then create the certificate signing request (CSR):

D:\Temp>openssl req -new -key test.gavinadams.org.key -out test.gavinadams.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:GA
Locality Name (eg, city) []:Cumming
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Not used by Startcom
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:test.gavinadams.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:\Temp>ls test*
test.gavinadams.org.csr  test.gavinadams.org.key

A couple things to note:

• Organizational name is not used. Common name is not used. Actually, everything but the private key signing portion is thrown out when submitting the request to StartCom. I enter them for consistency though.
• There is no password on the private key or CSR, so be careful and protect that key!

Create the Certificate

Login into the control panel at StartSSL and then go to the StartSSL PKI page. Use the Certificates Wizard to start the process. At different points you will need to copy and paste the contents of the local .csr file and enter the URL for the common name field.

To keep this short I’ll skip all the steps on the StartCom website and jump the end steps (email me if you’d like a tutorial on managing StartSSL certificates):

Select all and copy the contents to a local text editor and save with the .key file (test.gavinadams.org.crt in this example). You can delete the CSR file at this point.

Download Startcom CA Certificates

Now download the root and appropriate intermediate certificate. The root is the same for all certificates, but the intermediate will depend upon your class. In this example, it is a class 2 certificate, so I download the Class 2 Intermediate Server CA file.

Save the StartCom Root CA  file as startcom-ca.pem

Save the intermediate file as startcom-sub.class2.server.server.ca.pem

Install Certificates into the NetScaler

At this point we have the following files in a temporary directory (the .csr file is not needed but I normally keep them around until I complete housecleaning):

From the NetScaler configuration page, select SSL->Certificates, then Add… from the bottom. Use the GUI to upload the certificate and key along with the root and intermediate CA.

Enabling the notification period is optional. I rely upon my network monitoring to provide notice when a certificate is getting close to expiration.

For this and and the intermediate certificates there is no corresponding private key, so only populate the Certificate File Name field.

Finally, on the NetScaler GUI the SSL window should show the three certificates loaded, along with the default self-signed certificates of the NetScaler:

My CA names are different as this is on a box where they are already loaded, so note the names in the first column when we link the certificate together. Note the expiry date on the intermediate certificate. The intermediate certificates expire much sooner than the root CA. This is why I download the complete chain from StartCom each time I issue a new certificate. Any new intermediate certificates would need to be uploaded.

Link the Certificates

Probably the easiest part of the process. I reckon the linking process is simply combining the PEM formatted certificates into a single file. But the GUI makes it easy. First link the certificate we created to the intermediate by right-clicking on the certificate and selecting Link…

then select the intermediate certificate and press OK:

From the certificate window, select the intermediate certificate, right-click, and link to the Root CA:

Housekeeping

At this point we have the certificates and private key loaded in the NetScaler. Back everything up at this point! Before I got into the habit of creating a passphrase protected PKCS12 file, I may have misplaced the certificate, or exposed the unprotected key file. I now create a p12/pfx file with the certificate and key in it. Then it gets backup up to a protected site (Keepass or something similar). finally, the Keepass file gets uploaded to Dropbox and synced across my multiple workstations.

D:\Temp>openssl pkcs12 -export -in test.gavinadams.org.crt -inkey test.gavinadams.org.key -out test.gavinadams.org.p12
Enter Export Password:
Verifying - Enter Export Password:

D:\Temp>ls *p12
test.gavinadams.org.p12

This is important for Startcom issued certificates. I love the price for issuing certs: all you can eat for two years for USD$50 (class 2 validation), but if you lose the certificate, it’s a USD$25 charge to have it added to the CRL.

Access Gateway Test

Okay, the certificate has been created, all portions uploaded, and backed up for safe keeping. Now go to Access Gateway->Virtual Servers and select Add… from the bottom of the display:

Important parts are the Name, IP address, and certificate selected. If testing, choose an unused IP address and ensure a DNS or hosts file entry exists, then use a browser to hit the site (Firefox 3.6 used here):

You should get a validSSL lock from the log in page. This validates the NetScaler and the certificate is working fine. At this point you can remove the Access Gateway Virtual Server. The certificates are still on the NetScaler and can be bound to other items where SSL is used.

Summary

Hopefully not too long of a post. Briefly:

1. Create a Startcom web server certificate
2. Upload the certificate, private key and Startcom CA certs (root and intermediate) to the NetScaler
3. Link the certificates on the NetScaler and bind the web server certificate to a Access Gateway Virtual Server
4. Use a web browser to verify the SSL connection

By default, all the tutorials for installing XenDesktop use the defaults. This means that [...]]]> XenDesktop 4 has raised the bar for virtual desktop (VDI) solutions. It’s now easier to provide a virtual desktop to users on differing operation systems and platforms. And having Citrix on the iPhone / iPad is just amazing eye candy too.

By default, all the tutorials for installing XenDesktop use the defaults. This means that under Windows, using a browser to connect and launch a session from web interface uses the online plug-in module. It works, provides multi-monitor capability, but has display artifacts and no nifty bar to manage USB connection and such. Besides this client, the Desktop Viewer can also be used as the default (if installed).

With the 11.x and 12.0 clients it’s easy to change. First install the Citrix Online plug-in (not the Citrix Online plugin – web which is smaller and doesn’t include the Desktop client) from here. You’ll have to navigate to the OS X client, Citrix seems to change the URL for the downloads.

From the web interface server that services XenDesktop, browse to the conf directory and edit webinterface.conf. For example, /Citrix/WebDesktop2 is located here:

Edit the file and search for ShowDesktopViewer and change the line from:

# ShowDesktopViewer=Off

to the following:

ShowDesktopViewer=On

Next time a session is launched, the Desktop Viewer will be used instead of the online plugin. This doesn’t work under OS X as there really isn’t a better client than Desktop Viewer yet. Thanks to Richard Parmiter for documenting this!

Hint: To get mult-monitor under Desktop Viewer, re-size to something less than full screen, move the window over the two monitors and re-size to full screen. This setting will persist across sessions.