Skip to main content

Test the Citrix FAS integration

To test for successful integration of Citrix FAS with DigiCert​​®​​ Trust Lifecycle Manager, you can use the Citrix command-line tools to try pre-generating user certificates.

Pre-generate user certificates

Enter the following Citrix cmdlet in Windows PowerShell to try pre-generating a user certificate through Citrix FAS:

New-FasUserCertificate -Address <FAS server host> -UserPrincipalName <UPN of End User> -CertificateDefinition <rule name>_definition -rule <rule name>

For example:

PS C:\Users\Administrator> New-FasUserCertificate -Address localhost -UserPrincipalName user1@ws2016.pkidev.bbtest.net -CertificateDefinition default_definition -rule default

Success case

If the Citrix FAS integration is working as expected, the response to the user certificate pre-generation command should look like:

PS C:\Users\Administrator\Desktop> New-FasUserCertificate -Address localhost -UserPrincipalName user1@ws2016.pkidev.bbte
st.net -CertificateDefinition default_definition -rule default


ThumbPrint            : 1F975D2CD792DCBD49E93DDA728F712467ED6ECA
UserPrincipalName     : user1@ws2016.pkidev.bbtest.net
Role                  : default
CertificateDefinition : default_definition
SecurityContext       :
ExpiryDate            : 11/22/YYYY 11:50:54 PM
Certificate           : -----BEGIN CERTIFICATE-----
                        MIIFfjCCBDKgAwIBAgIUA6en6bgUKCj7mb1d7jJoow7yiF8wQQYJKoZIhvcNAQEKMDSgDzANBglg
                        hkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIDAgFAMIGiMQswCQYDVQQG
                        EwJKUDETMBEGA1UECBMKS2FnYXdhLWtlbjEVMBMGA1UEBxMMS2F3YXNha2ktc2hpMREwDwYDVQQR
                        EwgyMTItMDAxMzEmMCQGA1UECRMdU2Fpd2Fpa3UsIEhvcmlrYXdhLWNobyA1ODAtMTYxFTATBgNV
                        BAoTDFRlc3QgQWNjb3VudDEVMBMGA1UEAxMMSUNBIFJTQSAyMDQ4MB4XDTIzMTExNzA3NTA1NFoX
                        DTIzMTExODA3NTA1NFowFTETMBEGA1UEAwwKVXNlcjEgVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
                        ggEPADCCAQoCggEBAJrLrIqIVYLUQdPtYJmCMiiM6AZ0Ka1r1YHaZFYiReQfkADEtBJEzkvBZdWP
                        XWiCiRslj5lt8b/3n5/fZHdtgVl6IJOQH7XXu2jAXHDiIHFIpKLtCZ/JqOVwuVb/Xerii8qqflMv
                        mtMAjIdG3NSucgj92xynXFbcPEaDNCwOlUxbWSBERgTJ33cBIxMpLZk47aVIBNF+UezWMNZhTQhi
                        uWQcPA0us1/g5b3Z2/PvBIZ8rDmfOwh4skQbM/nK0x5vAioSoYg2WrYG7wAuabhkVxyyiy97jQRZ
                        Egf4WGNBCnRK/UxI5GLb13iPTTF1KCqGWA/IdQTLdtlBepiw6luhQjECAwEAAaOCAc4wggHKMAwG
                        A1UdEwEB/wQCMAAwHQYDVR0OBBYEFF2P17Fyd/ejjrXXJHsWtcav/bWJMB8GA1UdIwQYMBaAFBac
                        YEXWbdTvTvNAHppInR1IwJzXMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSUEGDAWBggrBgEFBQcDAgYK
                        KwYBBAGCNxQCAjApBgkrBgEEAYI3FQoEHDAaMAoGCCsGAQUFBwMCMAwGCisGAQQBgjcUAgIwOQYD
                        VR0RBDIwMKAuBgorBgEEAYI3FAIDoCAMHnVzZXIxQHdzMjAxNi5wa2lkZXYuYmJ0ZXN0Lm5ldDB2
                        BggrBgEFBQcBAQRqMGgwKwYIKwYBBQUHMAGGH2h0dHA6Ly9vY3NwLmRjb25lLmNsdXN0ZXIubG9j
                        YWwwOQYIKwYBBQUHMAKGLWh0dHA6Ly9haWEuZGNvbmUuY2x1c3Rlci5sb2NhbC9JQ0FSU0EyMDQ4
                        LmNydDA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLmRjb25lLmNsdXN0ZXIubG9jYWwvSUNB
                        UlNBMjA0OC5jcmwwKwYJKwYBBAGCNxUHBB4wHAYUYIZIAYb9bCcBAQGTkvvOt8SEsSMCAWQCAQEw
                        QQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQME
                        AgMFAKIDAgFAA4IBAQA9vQp6edm6VpOGh0fbOqzucMWNS26ZOs/iEyTuNvFX7v0V7oJBv0HYYUxP
                        DKUDSug+3mMnAwUN1OqNZ6sAi8hvE5qLQee7Y74wCvZR4qMEqWJSKF8hRyqw8cRyd1MZ72qB4MSo
                        judmh49LY7k5zVTelVtREtA6vgE2dLO3+FL5S91O++I7SWuMq/HHhj1yKAa/LqNdIDg3n6GlVNoI
                        7TqaZUS7IJq2Sp+pO6D7SJrT10YbDD6p/HwB/0gTYT1f38IQ37FBUUPqSwNqpSM5s4W8uNI3HaZM
                        6mcwIjIt2SjIIcspp7688G+dwoY0ex9hT8V4GI+ce9eT4l+e0cNToCmO
                        -----END CERTIFICATE-----

To check the current user certificates in Citrix FAS, enter the following commands in Windows PowerShell (requires proper configuration of the group policy as described here):

> $CitrixFasAddress=(Get-FasServer)[0].Address
> Get-FasUserCertificate

For example:

PS C:\Users\Administrator\Desktop> $CitrixFasAddress=(Get-FasServer)[0].Address
PS C:\Users\Administrator\Desktop> Get-FasUserCertificate


ThumbPrint            : 1F975D2CD792DCBD49E93DDA728F712467ED6ECA
UserPrincipalName     : user1@ws2016.pkidev.bbtest.net
Role                  : default
CertificateDefinition : default_definition
SecurityContext       :
ExpiryDate            : 11/17/2023 11:50:54 PM
Certificate           : -----BEGIN CERTIFICATE-----
                        MIIFfjCCBDKgAwIBAgIUA6en6bgUKCj7mb1d7jJoow7yiF8wQQYJKoZIhvcNAQEKMDSgDzANBglg
                        hkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIDAgFAMIGiMQswCQYDVQQG
                        EwJKUDETMBEGA1UECBMKS2FnYXdhLWtlbjEVMBMGA1UEBxMMS2F3YXNha2ktc2hpMREwDwYDVQQR
                        EwgyMTItMDAxMzEmMCQGA1UECRMdU2Fpd2Fpa3UsIEhvcmlrYXdhLWNobyA1ODAtMTYxFTATBgNV
                        BAoTDFRlc3QgQWNjb3VudDEVMBMGA1UEAxMMSUNBIFJTQSAyMDQ4MB4XDTIzMTExNzA3NTA1NFoX
                        DTIzMTExODA3NTA1NFowFTETMBEGA1UEAwwKVXNlcjEgVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
                        ggEPADCCAQoCggEBAJrLrIqIVYLUQdPtYJmCMiiM6AZ0Ka1r1YHaZFYiReQfkADEtBJEzkvBZdWP
                        XWiCiRslj5lt8b/3n5/fZHdtgVl6IJOQH7XXu2jAXHDiIHFIpKLtCZ/JqOVwuVb/Xerii8qqflMv
                        mtMAjIdG3NSucgj92xynXFbcPEaDNCwOlUxbWSBERgTJ33cBIxMpLZk47aVIBNF+UezWMNZhTQhi
                        uWQcPA0us1/g5b3Z2/PvBIZ8rDmfOwh4skQbM/nK0x5vAioSoYg2WrYG7wAuabhkVxyyiy97jQRZ
                        Egf4WGNBCnRK/UxI5GLb13iPTTF1KCqGWA/IdQTLdtlBepiw6luhQjECAwEAAaOCAc4wggHKMAwG
                        A1UdEwEB/wQCMAAwHQYDVR0OBBYEFF2P17Fyd/ejjrXXJHsWtcav/bWJMB8GA1UdIwQYMBaAFBac
                        YEXWbdTvTvNAHppInR1IwJzXMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSUEGDAWBggrBgEFBQcDAgYK
                        KwYBBAGCNxQCAjApBgkrBgEEAYI3FQoEHDAaMAoGCCsGAQUFBwMCMAwGCisGAQQBgjcUAgIwOQYD
                        VR0RBDIwMKAuBgorBgEEAYI3FAIDoCAMHnVzZXIxQHdzMjAxNi5wa2lkZXYuYmJ0ZXN0Lm5ldDB2
                        BggrBgEFBQcBAQRqMGgwKwYIKwYBBQUHMAGGH2h0dHA6Ly9vY3NwLmRjb25lLmNsdXN0ZXIubG9j
                        YWwwOQYIKwYBBQUHMAKGLWh0dHA6Ly9haWEuZGNvbmUuY2x1c3Rlci5sb2NhbC9JQ0FSU0EyMDQ4
                        LmNydDA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLmRjb25lLmNsdXN0ZXIubG9jYWwvSUNB
                        UlNBMjA0OC5jcmwwKwYJKwYBBAGCNxUHBB4wHAYUYIZIAYb9bCcBAQGTkvvOt8SEsSMCAWQCAQEw
                        QQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQME
                        AgMFAKIDAgFAA4IBAQA9vQp6edm6VpOGh0fbOqzucMWNS26ZOs/iEyTuNvFX7v0V7oJBv0HYYUxP
                        DKUDSug+3mMnAwUN1OqNZ6sAi8hvE5qLQee7Y74wCvZR4qMEqWJSKF8hRyqw8cRyd1MZ72qB4MSo
                        judmh49LY7k5zVTelVtREtA6vgE2dLO3+FL5S91O++I7SWuMq/HHhj1yKAa/LqNdIDg3n6GlVNoI
                        7TqaZUS7IJq2Sp+pO6D7SJrT10YbDD6p/HwB/0gTYT1f38IQ37FBUUPqSwNqpSM5s4W8uNI3HaZM
                        6mcwIjIt2SjIIcspp7688G+dwoY0ex9hT8V4GI+ce9eT4l+e0cNToCmO
                        -----END CERTIFICATE-----

Error case

If there is no response from the Citrix cmdlet to pre-generate the user certificate, it indicates a problem with the Citrix FAS integration.

Check the Windows Event Viewer to see if it shows any errors. For example:

citrix_fas_integration_errors.png

The complete error message for event ID number 123 above is:

[S123] Failed to issue a certificate for [upn: user1@ws2016.pkidev.bbtest.net role: default] [exception: The CSR failed at all configured certificate authorities] [correlation: a07c7310-cd1a-4fb4-b2ad-ff9596e8d6e0]

Check the DigiCert Autoenrollment Server (AES) logs for more details about a possible cause of any errors. To learn more about the AES logs, see Log properties configuration options.

Contact DigiCert Support if you need additional help.

What's next

After verifying the integration is working, users can start signing on and authenticating through Citrix FAS. They will get certificates from DigiCert Autoenrollment Server and you can monitor and manage the certificates in DigiCert​​®​​ Trust Lifecycle Manager.

To avoid outages, make sure to renew the Citrix RA certificate as it approaches expiration.