Renewing the Citrix RA certificate
Renew the long-lived RA certificate before it expires to avoid sign-on and authentication issues for Citrix FAS users.
Notice
Supply a valid email address in the Email configuration and notifications section of the RA certificate profile in DigiCert® Trust Lifecycle Manager to receive renewal notifications at that email address.
Before you begin
For RA certificate renewal instructions from Citrix, see here.
If there is only one Citrix FAS server, logged-on users might have authentication issues during the renewal process. For information about configuring Citrix FAS for high availability, see here.
Use the Citrix cmdlet Get-FasAuthorizationCertificate, as shown below, to get the GUID of the current RA certificate. You need this GUID to delete the expiring RA certificate after the renewal.

> $CitrixFasAddress=(Get-FasServer)[0].Address
> Get-FasAuthorizationCertificate -Address $CitrixFasAddress
1. Generate the CSR
Follow the same procedure used to generate the initial CSR for the RA certificate. To review this procedure, see here.
Copy the Id and CertificateRequest values from the CSR generation response; you need both to request and import the new RA certificate.
2. Renew the RA certificate via the Trust Lifecycle Manager REST API
Use the Trust Lifecycle Manager certificate/{serial_number}/renew REST API endpoint to renew the RA certificate.
This endpoint is part of the Inventory API controller. Read the documentation by selecting Resources > API reference from the Trust Lifecycle Manager main menu.
Replace {serial_number} in the API endpoint path with the RA certificate's serial number. You can find the serial number by selecting the RA certificate in the Inventory view in Trust Lifecycle Manager.
Send the following values in the JSON request body to renew the certificate:
csr: Send the value of the CertificateRequest field returned by the Citrix New-FasAuthorizationCertificateRequest cmdlet when generating the CSR. Remove the header, footer, and line feeds. Send only the raw Base64-encoded data.
delivery_format: Specify as PKCS7.
Below is an example Trust Lifecycle Manager REST API request and response for renewing the Citrix RA certificate:
To use the returned Citrix RA certificate, copy the value of the certificate field in the response into a file. Remove the surrounding quotes and replace the escaped line feed characters ("\n") with actual line feeds in the file. For an example of how the certificate file should look, see here.
At this point, the RA certificate is stored in PEM format. You need to convert it to DER format before importing into Citrix FAS.
The following example shows how to use the openssl command-line tool to convert a PEM-encoded PKCS#7 certificate file called ra_cert.p7 into DER format and write it to a new file called ra_cert_final.p7b:
openssl pkcs7 -in ra_cert.p7 -out ra_cert_final.p7b -outform der
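As an added example that is not part of this page or of DigiCert's or Citrix's own tooling, the following Python script prepares the renew request body from the CSR (header, footer and line feeds stripped), restores the line feeds in the returned certificate field, and performs the same PEM-to-DER conversion as the openssl command above. The sample CSR, response and PKCS#7 bytes are constructed placeholders, and the HTTP call itself (base URL and authentication) is not shown because the page does not specify it.

```python
import base64
import json
import re

# Constructed stand-in for the CertificateRequest value returned by
# New-FasAuthorizationCertificateRequest (not a real CSR).
SAMPLE_CSR_PEM = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MIIBCgKCAQEA\n"
    "q2xvcmVtaXBzdW0=\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)
# Constructed bytes standing in for the DER PKCS#7 blob (just an outer
# SEQUENCE around the signedData OID, not a real certificate chain).
CONSTRUCTED_P7_DER = b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
# Constructed renew response: the PEM sits in the "certificate" field
# with its line breaks JSON-escaped as \n, as the page describes.
SAMPLE_RESPONSE_JSON = json.dumps({"certificate": (
    "-----BEGIN PKCS7-----\n"
    + base64.b64encode(CONSTRUCTED_P7_DER).decode()
    + "\n-----END PKCS7-----\n")})

PEM_ARMOR = re.compile(r"-----(BEGIN|END)[^-]*-----")

def pem_to_raw_base64(pem: str) -> str:
    """Drop header, footer and all line feeds; keep only the Base64 body."""
    return "".join(PEM_ARMOR.sub("", pem).split())

def build_renew_request(serial_number: str, csr_pem: str):
    """Endpoint path and JSON body for certificate/{serial_number}/renew."""
    path = f"certificate/{serial_number}/renew"
    body = {"csr": pem_to_raw_base64(csr_pem), "delivery_format": "PKCS7"}
    return path, body

def response_certificate_to_pem(response_json: str) -> str:
    """Take the certificate field from the response and restore real line feeds."""
    value = json.loads(response_json)["certificate"]
    # json.loads already decodes proper \n escapes; the replace also covers a
    # value pasted from a UI where the two characters backslash-n survived.
    return value.replace("\\n", "\n")

def pem_to_der(pem: str) -> bytes:
    """Same result as `openssl pkcs7 -in ra_cert.p7 -outform der`."""
    return base64.b64decode(pem_to_raw_base64(pem), validate=True)

if __name__ == "__main__":
    path, body = build_renew_request("<serial number from Inventory>", SAMPLE_CSR_PEM)
    print(path, json.dumps(body))
    pem = response_certificate_to_pem(SAMPLE_RESPONSE_JSON)
    open("ra_cert.p7", "w").write(pem)                      # PEM (.p7)
    open("ra_cert_final.p7b", "wb").write(pem_to_der(pem))  # DER (.p7b) for Citrix FAS
```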
3. Put the Citrix FAS server into maintenance mode
Before importing the new RA certificate, enter the following Citrix cmdlet in Windows PowerShell to put the Citrix FAS server into maintenance mode:
Set-FasServer -Address <FAS server host> -MaintenanceMode $true
For example:
PS C:\Users\Administrator> Set-FasServer -Address localhost -MaintenanceMode $true
4. Import the new RA certificate into Citrix FAS
Enter the following Citrix cmdlet in Windows PowerShell to import the RA certificate file in DER (p7b) format into Citrix FAS:
Import-FasAuthorizationCertificateResponse -address <FAS server host> -Id <Id from CSR generate> -Pkcs7CertificateFile <path to p7b file>
Make sure the Id value you enter matches the one from the CSR generation response. For example:
PS C:\Users\Administrator\Desktop> Import-FasAuthorizationCertificateResponse -address localhost -Id 0a2bb7f7-8427-4977-8352-cd8b8f5edb95 -Pkcs7CertificateFile .\ra_cert_final.p7b

Id                 : 0a2bb7f7-8427-4977-8352-cd8b8f5edb95
Address            : [Offline CSR]
TrustArea          : f25fd53b-6ef3-4fea-87b4-c08b06e73e0f
CertificateRequest :
Status             : Ok
5. Swap the RA certificate in Citrix FAS
Enter the following Citrix cmdlet in Windows PowerShell to swap in the new RA certificate in Citrix FAS:
Set-FasCertificateDefinition -Address <FAS server host> -Name <rule name>_definition -AuthorizationCertificate <Id from CSR generate>
Make sure the value you enter for the AuthorizationCertificate parameter matches the Id value from the CSR generation response. For example:
PS C:\Users\Administrator\Desktop> Set-FasCertificateDefinition -Address localhost -Name default_definition -AuthorizationCertificate 0a2bb7f7-8427-4977-8352-cd8b8f5edb95
6. Turn off Citrix FAS maintenance mode
Enter the following Citrix cmdlet in Windows PowerShell to take the Citrix FAS server out of maintenance mode:
Set-FasServer -Address <FAS server host> -MaintenanceMode $false
For example:
PS C:\Users\Administrator> Set-FasServer -Address localhost -MaintenanceMode $false
7. Delete the old RA certificate
Enter the following Citrix cmdlet in Windows PowerShell to delete the old RA certificate:
Remove-FasAuthorizationCertificate -Address <FAS server host> -Id <Id of old RA cert>
For the Id value, enter the GUID of the old (expiring) RA certificate that you recorded with Get-FasAuthorizationCertificate before starting. For example:
PS C:\Users\Administrator\Desktop> Remove-FasAuthorizationCertificate -Address localhost -Id 497cd087-0970-4dbd-81f7-bbdc6b96961a
What's next
Users can start signing on and authenticating with Citrix FAS again with the new RA certificate in place. The next time the RA certificate nears expiration, follow the same procedure to renew it again.