Test the Citrix FAS integration
To test for successful integration of Citrix FAS with DigiCert® Trust Lifecycle Manager, you can use the Citrix command-line tools to try pre-generating user certificates.
Pre-generate user certificates
Enter the following Citrix cmdlet in Windows PowerShell to try pre-generating a user certificate through Citrix FAS:
New-FasUserCertificate -Address <FAS server host> -UserPrincipalName <UPN of End User> -CertificateDefinition <rule name>_definition -rule <rule name>
For example:
PS C:\Users\Administrator> New-FasUserCertificate -Address localhost -UserPrincipalName user1@ws2016.pkidev.bbtest.net -CertificateDefinition default_definition -rule default
Success case
If the Citrix FAS integration is working as expected, the response to the user certificate pre-generation command should look like:
PS C:\Users\Administrator\Desktop> New-FasUserCertificate -Address localhost -UserPrincipalName user1@ws2016.pkidev.bbtest.net -CertificateDefinition default_definition -rule default
ThumbPrint            : 1F975D2CD792DCBD49E93DDA728F712467ED6ECA
UserPrincipalName     : user1@ws2016.pkidev.bbtest.net
Role                  : default
CertificateDefinition : default_definition
SecurityContext       :
ExpiryDate            : 11/22/YYYY 11:50:54 PM
Certificate           : -----BEGIN CERTIFICATE-----
                        [Base64-encoded certificate body]
                        -----END CERTIFICATE-----
To check the current user certificates in Citrix FAS, enter the following commands in Windows PowerShell (requires proper configuration of the group policy as described here):
> $CitrixFasAddress=(Get-FasServer)[0].Address
> Get-FasUserCertificate
For example:
PS C:\Users\Administrator\Desktop> $CitrixFasAddress=(Get-FasServer)[0].Address
PS C:\Users\Administrator\Desktop> Get-FasUserCertificate
ThumbPrint            : 1F975D2CD792DCBD49E93DDA728F712467ED6ECA
UserPrincipalName     : user1@ws2016.pkidev.bbtest.net
Role                  : default
CertificateDefinition : default_definition
SecurityContext       :
ExpiryDate            : 11/17/2023 11:50:54 PM
Certificate           : -----BEGIN CERTIFICATE-----
                        [Base64-encoded certificate body]
                        -----END CERTIFICATE-----
Error case
If there is no response from the Citrix cmdlet to pre-generate the user certificate, it indicates a problem with the Citrix FAS integration.
Check the Windows Event Viewer to see if it shows any errors. For example:
The complete error message for event ID number 123 above is:
[S123] Failed to issue a certificate for [upn: user1@ws2016.pkidev.bbtest.net role: default] [exception: The CSR failed at all configured certificate authorities] [correlation: a07c7310-cd1a-4fb4-b2ad-ff9596e8d6e0]
Check the DigiCert Autoenrollment Server (AES) logs for more details about a possible cause of any errors. To learn more about the AES logs, see Log properties configuration options.
Contact DigiCert Support if you need additional help.
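The success and error checks above can be combined into one script; the following PowerShell is an added example, not DigiCert's or Citrix's own code. It assumes the Citrix FAS cmdlets are already loaded in the session and that FAS events are written to the Windows Application log; the function name ConvertFrom-FasEventMessage is hypothetical.

```powershell
# Added example. Assumptions: FAS cmdlets are loaded in this session and
# FAS events land in the Windows Application log.
$Upn     = 'user1@ws2016.pkidev.bbtest.net'   # test user from the example above
$Rule    = 'default'                          # rule name from the example above
$Started = Get-Date                           # only look at events from this attempt

# Split a FAS event message of the form shown above into its bracketed fields.
function ConvertFrom-FasEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    $pattern = '\[(?<code>S\d+)\]\s+(?<text>.*?)\s+' +
               '\[upn:\s*(?<upn>\S+)\s+role:\s*(?<role>[^\]]+)\]\s+' +
               '\[exception:\s*(?<exception>[^\]]+)\]\s+' +
               '\[correlation:\s*(?<correlation>[0-9a-f-]+)\]'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Code        = $Matches.code
            Text        = $Matches.text
            Upn         = $Matches.upn
            Role        = $Matches.role.Trim()
            Exception   = $Matches.exception.Trim()
            Correlation = $Matches.correlation
        }
    }
}

# "${Rule}_definition" needs the braces; "$Rule_definition" would be read
# as a different (empty) variable and request the wrong definition.
$cert = New-FasUserCertificate -Address localhost -UserPrincipalName $Upn `
            -CertificateDefinition "${Rule}_definition" -Rule $Rule

if ($cert -and $cert.UserPrincipalName -eq $Upn) {
    # Success case: show the identifying fields, not the Base64 certificate body.
    $cert | Select-Object ThumbPrint, UserPrincipalName, Role, CertificateDefinition, ExpiryDate
}
else {
    # Error case: no response. Collect event ID 123 entries logged since the
    # attempt and extract the correlation ID to search for in the AES logs.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 123; StartTime = $Started } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-FasEventMessage -Message $_.Message } |
        Where-Object { $_.Upn -eq $Upn }
}
```

The Correlation value in the parsed output is the identifier to look for when reading the AES logs for the same request.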
What's next
After verifying the integration is working, users can start signing on and authenticating through Citrix FAS. They will get certificates from DigiCert Autoenrollment Server and you can monitor and manage the certificates in DigiCert® Trust Lifecycle Manager.
To avoid outages, make sure to renew the Citrix RA certificate as it approaches expiration.