
Renewing the Citrix RA certificate

Renew the long-lived RA certificate before it expires to avoid sign-on and authentication issues for Citrix FAS users.

Notice

Supply a valid email address in the Email configuration and notifications section of the RA certificate profile in DigiCert® Trust Lifecycle Manager to receive renewal notifications at that email address.

Before you begin

  • For RA certificate renewal instructions from Citrix, see here.

  • If there is only one Citrix FAS server, logged-on users might have authentication issues during the renewal process. For information about configuring Citrix FAS for high availability, see here.

  • Use the Citrix cmdlet Get-FasAuthorizationCertificate as shown below to get the GUID of the current RA certificate. You need the GUID to delete the expiring RA certificate post-renewal.

    > $CitrixFasAddress=(Get-FasServer)[0].Address
    > Get-FasAuthorizationCertificate

1. Generate the CSR

Follow the same procedure used to generate the initial CSR for the RA certificate. To review this procedure, see here.

Copy the Id and CertificateRequest values from the CSR generation response. You need them to request and import the new RA certificate.

2. Renew the RA certificate via the Trust Lifecycle Manager REST API

Use the Trust Lifecycle Manager certificate/{serial_number}/renew REST API endpoint to renew the RA certificate:

  • This endpoint is part of the Inventory API controller. Read the documentation by selecting Resources > API reference from the Trust Lifecycle Manager main menu.

  • Replace the {serial_number} in the API endpoint path with the value of the RA certificate's serial number. You can find the serial number by selecting the RA certificate from the Inventory view in Trust Lifecycle Manager.

    Example: Viewing the certificate details in Trust Lifecycle Manager

Send the following values in the JSON request body to renew the certificate:

  • csr: Send the value of the CertificateRequest field returned by the Citrix New-FasAuthorizationCertificateRequest cmdlet when generating the CSR. Remove the header, footer, and line feeds. Send only the raw Base64-encoded data.

  • delivery_format: Specify as PKCS7.

Below is an example Trust Lifecycle Manager REST API request and response for renewing the Citrix RA certificate:

To use the returned Citrix RA certificate, copy the value of the certificate field in the response into a file. Remove the quotes and replace the line feed characters ("\n") with actual line feeds in the file. For an example of how the certificate file should look, see here.

At this point, the RA certificate is stored in PEM format. You need to convert it to DER format before importing into Citrix FAS.

The following example shows how to use the openssl command-line tool to convert a PEM certificate file called ra_cert.p7 into DER format and output to a new file called ra_cert_final.p7b:

openssl pkcs7 -in ra_cert.p7 -out ra_cert_final.p7b -outform der
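The data handling in this step, as an added PowerShell example (not DigiCert or Citrix code): it strips the CSR down to raw Base64 for the csr field, builds the request body, and turns the certificate field of a response into ra_cert.p7 and ra_cert_final.p7b. PEM is Base64 over the binary encoding, so decoding the payload produces the binary file directly. The function names and the sample values are hypothetical, and the API call itself is left out because its URL and authentication are not given on this page.

```powershell
# Added example. All sample values are constructed placeholders, not real FAS or API output.

function ConvertTo-RawBase64 {
    # Drop PEM header/footer markers and all whitespace, keeping only the Base64 payload.
    param([Parameter(Mandatory)][string]$Pem)
    $raw = ($Pem -replace '-----[A-Z0-9 ]+-----', '') -replace '\s', ''
    [void][Convert]::FromBase64String($raw)   # throws if anything but Base64 remains
    return $raw
}

function New-RenewRequestBody {
    # JSON body carrying the two values the page lists: csr and delivery_format.
    param([Parameter(Mandatory)][string]$CertificateRequest)
    [ordered]@{
        csr             = ConvertTo-RawBase64 -Pem $CertificateRequest
        delivery_format = 'PKCS7'
    } | ConvertTo-Json
}

function Save-RaCertificate {
    # Write the returned PEM text to $PemPath and its binary (DER) form to $DerPath.
    param(
        [Parameter(Mandatory)][string]$ResponseJson,
        [string]$PemPath = '.\ra_cert.p7',
        [string]$DerPath = '.\ra_cert_final.p7b'
    )
    # JSON parsing already turns the "\n" escapes into real line feeds.
    $pem = ($ResponseJson | ConvertFrom-Json).certificate
    if (-not $pem) { throw 'Response has no certificate field' }
    Set-Content -Path $PemPath -Value $pem -Encoding Ascii

    $der = [Convert]::FromBase64String((ConvertTo-RawBase64 -Pem $pem))
    if ($der[0] -ne 0x30) { throw 'Decoded data does not start with an ASN.1 SEQUENCE' }
    # .NET resolves relative paths against the process directory, so resolve it here.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($DerPath)
    [IO.File]::WriteAllBytes($full, $der)
    return $full
}

# Constructed sample input: a 5-byte ASN.1 SEQUENCE, not a real CSR or PKCS#7 structure.
$sampleCsr = "-----BEGIN CERTIFICATE REQUEST-----`r`nMAMC`r`nAQA=`r`n-----END CERTIFICATE REQUEST-----"
New-RenewRequestBody -CertificateRequest $sampleCsr
$sampleResponse = '{"certificate":"-----BEGIN PKCS7-----\nMAMCAQA=\n-----END PKCS7-----\n"}'
Save-RaCertificate -ResponseJson $sampleResponse
```

Before importing a real file, `openssl pkcs7 -inform der -in ra_cert_final.p7b -print_certs -noout` lists the certificates it contains, which confirms the file parses as PKCS#7 and holds the expected RA certificate.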

3. Put the Citrix FAS server into maintenance mode

Before importing the new RA certificate, enter the following Citrix cmdlet in Windows PowerShell to put the Citrix FAS server into maintenance mode:

Set-FasServer -Address <FAS server host> -MaintenanceMode $true

For example:

PS C:\Users\Administrator> Set-FasServer -Address localhost -MaintenanceMode $true

4. Import the new RA certificate into Citrix FAS

Enter the following Citrix cmdlet in Windows PowerShell to import the RA certificate file in DER (p7b) format into Citrix FAS:

Import-FasAuthorizationCertificateResponse -address <FAS server host> -Id <Id from CSR generate> -Pkcs7CertificateFile <path to p7b file>

Make sure the Id value you enter matches the one from the CSR generation response. For example:

PS C:\Users\Administrator\Desktop> Import-FasAuthorizationCertificateResponse -address localhost -Id 0a2bb7f7-8427-4977-8352-cd8b8f5edb95 -Pkcs7CertificateFile .\ra_cert_final.p7b


Id                 : 0a2bb7f7-8427-4977-8352-cd8b8f5edb95
Address            : [Offline CSR]
TrustArea          : f25fd53b-6ef3-4fea-87b4-c08b06e73e0f
CertificateRequest :
Status             : Ok

5. Swap the RA certificate in Citrix FAS

Enter the following Citrix cmdlet in Windows PowerShell to swap in the new RA certificate in Citrix FAS:

Set-FasCertificateDefinition -Address <FAS server host> -Name <rule name>_definition -AuthorizationCertificate <Id from CSR generate>

Make sure the value you enter for the AuthorizationCertificate field matches the Id value from the CSR generation response. For example:

PS C:\Users\Administrator\Desktop> Set-FasCertificateDefinition -Address localhost -Name default_definition -AuthorizationCertificate 0a2bb7f7-8427-4977-8352-cd8b8f5edb95

6. Turn off Citrix FAS maintenance mode

Enter the following Citrix cmdlet in Windows PowerShell to take the Citrix FAS server out of maintenance mode:

Set-FasServer -Address <FAS server host> -MaintenanceMode $false

For example:

PS C:\Users\Administrator> Set-FasServer -Address localhost -MaintenanceMode $false

7. Delete the old RA certificate

Enter the following Citrix cmdlet in Windows PowerShell to delete the old RA certificate:

Remove-FasAuthorizationCertificate -Address <FAS server host> -Id <Id of old RA cert>

For the Id value, enter the GUID of the old (expiring) RA certificate. For example:

PS C:\Users\Administrator\Desktop> Remove-FasAuthorizationCertificate -Address localhost -Id 497cd087-0970-4dbd-81f7-bbdc6b96961a
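Steps 3 to 7 as one guarded sequence, as an added example that is not DigiCert or Citrix code: maintenance mode is always turned off again, the swap only happens if the import reports Status Ok, and the old certificate is only deleted after the swap succeeds. The function name and parameter names are hypothetical. It assumes the Citrix FAS cmdlets are available in the session, that Get-FasAuthorizationCertificate accepts -Address and returns objects with an Id property, and that a successful import reports Status Ok as in the step 4 output.

```powershell
function Invoke-FasRaCertificateSwap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][guid]$NewId,   # Id from the CSR generation response
        [Parameter(Mandatory)][guid]$OldId,   # GUID of the expiring RA certificate
        [Parameter(Mandatory)][string]$P7bPath,
        [string]$FasAddress = 'localhost',
        [string]$RuleName   = 'default'
    )
    $ErrorActionPreference = 'Stop'   # any cmdlet error aborts the sequence

    # Refuse to run if the delete in step 7 could remove the new certificate.
    if ($NewId -eq $OldId) { throw 'NewId and OldId are the same GUID' }
    if (-not (Test-Path -LiteralPath $P7bPath)) { throw "File not found: $P7bPath" }

    # Confirm the old GUID really is a certificate on this server before changing anything.
    $knownIds = Get-FasAuthorizationCertificate -Address $FasAddress |
        ForEach-Object { "$($_.Id)" }
    if ($knownIds -notcontains "$OldId") { throw "No RA certificate with Id $OldId" }

    Set-FasServer -Address $FasAddress -MaintenanceMode $true            # step 3
    try {
        $result = Import-FasAuthorizationCertificateResponse -Address $FasAddress `
            -Id $NewId -Pkcs7CertificateFile $P7bPath                     # step 4
        if ("$($result.Status)" -ne 'Ok') {
            throw "Import returned status '$($result.Status)'; certificate not swapped"
        }
        Set-FasCertificateDefinition -Address $FasAddress `
            -Name "${RuleName}_definition" -AuthorizationCertificate $NewId   # step 5
    }
    finally {
        # Runs on success and on failure, so the server never stays in maintenance mode.
        Set-FasServer -Address $FasAddress -MaintenanceMode $false        # step 6
    }

    # Only reached when import and swap both succeeded.
    Remove-FasAuthorizationCertificate -Address $FasAddress -Id $OldId   # step 7
}

# Usage with the example GUIDs shown on this page:
# Invoke-FasRaCertificateSwap -NewId 0a2bb7f7-8427-4977-8352-cd8b8f5edb95 `
#     -OldId 497cd087-0970-4dbd-81f7-bbdc6b96961a -P7bPath .\ra_cert_final.p7b
```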

What's next

Users can start signing on and authenticating with Citrix FAS again with the new RA certificate in place. The next time the RA certificate nears expiration, follow the same procedure to renew it again.