Citrix NetScaler VPX and OCS 2007 R2 – Certificates

In the past few months it’s been a bit quiet on the posting front.  The major reason being Wave 14 (CS2010) is taking up a lot of my time and there isn’t a lot we’re allowed to show from our labs yet.  As the end of the year approaches, the public beta’s and/or release candidates hit the net, and the RTM comes out you can expect a lot more information from all of the UC bloggers, but for now we’ll stick with OCS 2007 R2.

My current lab is an OCS 2007 R2 environment with 2 Front End servers and a Citrix NetScaler virtual appliance (VPX) running as a load balancer.  I’m prepping the environment to simulate a migration from R2 to Wave 14 utilizing the document here (this is an RTM version, but it gives you the jist).  But as is usually the case, I found a gotcha on the certificate setup on the VPX, and thought it was worth sharing.  This particular gotcha even had the citrix support folks scratching their head.

To start off with, I have the following relevant servers in the environment:

KPDC1.msucguy.local – 172.16.5.101: DC, DNS, CA

KPOC1.msucguy.local – 172.16.5.102: OCS Front End

KPOC2.msucguy.local – 172.16.5.103: OCS Front END

Ocpool.msucguy.local – 172.16.4.252

The VIP for the OCS servers is 172.16.4.252 and resides on the load balancer.

After deploying the front end servers I was ready to setup the load balancer.  I started by exporting the root CA Cert from the trusted certificate authority as a .cer file and uploading it to the VPX.  Next, I exported the certificate I planned to use for the OCS VIP and Front Servers and followed the procedure here to convert it.  My pfx file was named “FrontEnd_Cert.pfx”, this is what the output of the commands looked like.

I uploaded the certificate to the VPX,(notice no “key filename”).

I then linked the cert to the CA cert I had imported earlier and tried to configure it for the OCS Virtual Server:

I received the error “Binding CerKeys:Certificate is not a server certificate”

After playing around this one for a while, and tapping a few friends with more experience with Citrix appliances (including a Citrix support engineer for this platform) I still couldn’t find a way to get the certificate to work.

At this point I started from the beginning with a brand new certificate request on KPOC1, this time using the offline request method so I could download the .cer file from the CA during the request.

 

 

I opened up the CA Web Enrollment webpage, generated the new cert and downloaded the .CER file

 

Next I processed the offline request in the OCS Certificate wizard and copied the .cer file downloaded in the last step to my workstation running the OPENSSL tool.  I also went into the Certificate snap-in and exported the .PFX version of the certificate from my Front End server and copied it to the other OCS Front End servers to be assigned, and my workstation to be converted.

Now, using the command line I first converted the .pfx file to a .pem, and then converted the .pem file to a .der.   

Once the conversions were completed I uploaded the .cer and the .der files to the VPX, making sure to choose the certificate format type of “der”.

Once the upload was complete I was able to assign the certificate to my OCS Virtual Servers and start load balancing.

 

 

There may be an easier way of doing this out there, but this is what worked for me.  If you happen to know a better way please feel free to email me via the contact page or post a comment. 

Hope this helps!

-kp

Advertisements

About Kevin Peters

My name is Kevin Peters.
This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s