Test the Citrix FAS integration
To test for successful integration of Citrix FAS with DigiCert® Trust Lifecycle Manager, you can use the Citrix command-line tools to try pre-generating user certificates.
Pre-generate user certificates
Enter the following Citrix cmdlet in Windows PowerShell to try pre-generating a user certificate through Citrix FAS:
New-FasUserCertificate -Address <FAS server host> -UserPrincipalName <UPN of End User> -CertificateDefinition <rule name>_definition -rule <rule name>
For example:
PS C:\Users\Administrator> New-FasUserCertificate -Address localhost -UserPrincipalName user1@ws2016.pkidev.bbtest.net -CertificateDefinition default_definition -rule default
Success case
If the Citrix FAS integration is working as expected, the response to the user certificate pre-generation command should look like:
PS C:\Users\Administrator\Desktop> New-FasUserCertificate -Address localhost -UserPrincipalName user1@ws2016.pkidev.bbte
st.net -CertificateDefinition default_definition -rule default
ThumbPrint : 1F975D2CD792DCBD49E93DDA728F712467ED6ECA
UserPrincipalName : user1@ws2016.pkidev.bbtest.net
Role : default
CertificateDefinition : default_definition
SecurityContext :
ExpiryDate : 11/22/YYYY 11:50:54 PM
Certificate : -----BEGIN CERTIFICATE-----
MIIFfjCCBDKgAwIBAgIUA6en6bgUKCj7mb1d7jJoow7yiF8wQQYJKoZIhvcNAQEKMDSgDzANBglg
hkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIDAgFAMIGiMQswCQYDVQQG
EwJKUDETMBEGA1UECBMKS2FnYXdhLWtlbjEVMBMGA1UEBxMMS2F3YXNha2ktc2hpMREwDwYDVQQR
EwgyMTItMDAxMzEmMCQGA1UECRMdU2Fpd2Fpa3UsIEhvcmlrYXdhLWNobyA1ODAtMTYxFTATBgNV
BAoTDFRlc3QgQWNjb3VudDEVMBMGA1UEAxMMSUNBIFJTQSAyMDQ4MB4XDTIzMTExNzA3NTA1NFoX
DTIzMTExODA3NTA1NFowFTETMBEGA1UEAwwKVXNlcjEgVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJrLrIqIVYLUQdPtYJmCMiiM6AZ0Ka1r1YHaZFYiReQfkADEtBJEzkvBZdWP
XWiCiRslj5lt8b/3n5/fZHdtgVl6IJOQH7XXu2jAXHDiIHFIpKLtCZ/JqOVwuVb/Xerii8qqflMv
mtMAjIdG3NSucgj92xynXFbcPEaDNCwOlUxbWSBERgTJ33cBIxMpLZk47aVIBNF+UezWMNZhTQhi
uWQcPA0us1/g5b3Z2/PvBIZ8rDmfOwh4skQbM/nK0x5vAioSoYg2WrYG7wAuabhkVxyyiy97jQRZ
Egf4WGNBCnRK/UxI5GLb13iPTTF1KCqGWA/IdQTLdtlBepiw6luhQjECAwEAAaOCAc4wggHKMAwG
A1UdEwEB/wQCMAAwHQYDVR0OBBYEFF2P17Fyd/ejjrXXJHsWtcav/bWJMB8GA1UdIwQYMBaAFBac
YEXWbdTvTvNAHppInR1IwJzXMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSUEGDAWBggrBgEFBQcDAgYK
KwYBBAGCNxQCAjApBgkrBgEEAYI3FQoEHDAaMAoGCCsGAQUFBwMCMAwGCisGAQQBgjcUAgIwOQYD
VR0RBDIwMKAuBgorBgEEAYI3FAIDoCAMHnVzZXIxQHdzMjAxNi5wa2lkZXYuYmJ0ZXN0Lm5ldDB2
BggrBgEFBQcBAQRqMGgwKwYIKwYBBQUHMAGGH2h0dHA6Ly9vY3NwLmRjb25lLmNsdXN0ZXIubG9j
YWwwOQYIKwYBBQUHMAKGLWh0dHA6Ly9haWEuZGNvbmUuY2x1c3Rlci5sb2NhbC9JQ0FSU0EyMDQ4
LmNydDA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLmRjb25lLmNsdXN0ZXIubG9jYWwvSUNB
UlNBMjA0OC5jcmwwKwYJKwYBBAGCNxUHBB4wHAYUYIZIAYb9bCcBAQGTkvvOt8SEsSMCAWQCAQEw
QQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQME
AgMFAKIDAgFAA4IBAQA9vQp6edm6VpOGh0fbOqzucMWNS26ZOs/iEyTuNvFX7v0V7oJBv0HYYUxP
DKUDSug+3mMnAwUN1OqNZ6sAi8hvE5qLQee7Y74wCvZR4qMEqWJSKF8hRyqw8cRyd1MZ72qB4MSo
judmh49LY7k5zVTelVtREtA6vgE2dLO3+FL5S91O++I7SWuMq/HHhj1yKAa/LqNdIDg3n6GlVNoI
7TqaZUS7IJq2Sp+pO6D7SJrT10YbDD6p/HwB/0gTYT1f38IQ37FBUUPqSwNqpSM5s4W8uNI3HaZM
6mcwIjIt2SjIIcspp7688G+dwoY0ex9hT8V4GI+ce9eT4l+e0cNToCmO
-----END CERTIFICATE-----To check the current user certificates in Citrix FAS, enter the following commands in Windows PowerShell (requires proper configuration of the group policy as described here):
> $CitrixFasAddress=(Get-FasServer)[0].Address > Get-FasUserCertificate
For example:
PS C:\Users\Administrator\Desktop> $CitrixFasAddress=(Get-FasServer)[0].Address
PS C:\Users\Administrator\Desktop> Get-FasUserCertificate
ThumbPrint : 1F975D2CD792DCBD49E93DDA728F712467ED6ECA
UserPrincipalName : user1@ws2016.pkidev.bbtest.net
Role : default
CertificateDefinition : default_definition
SecurityContext :
ExpiryDate : 11/17/2023 11:50:54 PM
Certificate : -----BEGIN CERTIFICATE-----
MIIFfjCCBDKgAwIBAgIUA6en6bgUKCj7mb1d7jJoow7yiF8wQQYJKoZIhvcNAQEKMDSgDzANBglg
hkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgMFAKIDAgFAMIGiMQswCQYDVQQG
EwJKUDETMBEGA1UECBMKS2FnYXdhLWtlbjEVMBMGA1UEBxMMS2F3YXNha2ktc2hpMREwDwYDVQQR
EwgyMTItMDAxMzEmMCQGA1UECRMdU2Fpd2Fpa3UsIEhvcmlrYXdhLWNobyA1ODAtMTYxFTATBgNV
BAoTDFRlc3QgQWNjb3VudDEVMBMGA1UEAxMMSUNBIFJTQSAyMDQ4MB4XDTIzMTExNzA3NTA1NFoX
DTIzMTExODA3NTA1NFowFTETMBEGA1UEAwwKVXNlcjEgVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJrLrIqIVYLUQdPtYJmCMiiM6AZ0Ka1r1YHaZFYiReQfkADEtBJEzkvBZdWP
XWiCiRslj5lt8b/3n5/fZHdtgVl6IJOQH7XXu2jAXHDiIHFIpKLtCZ/JqOVwuVb/Xerii8qqflMv
mtMAjIdG3NSucgj92xynXFbcPEaDNCwOlUxbWSBERgTJ33cBIxMpLZk47aVIBNF+UezWMNZhTQhi
uWQcPA0us1/g5b3Z2/PvBIZ8rDmfOwh4skQbM/nK0x5vAioSoYg2WrYG7wAuabhkVxyyiy97jQRZ
Egf4WGNBCnRK/UxI5GLb13iPTTF1KCqGWA/IdQTLdtlBepiw6luhQjECAwEAAaOCAc4wggHKMAwG
A1UdEwEB/wQCMAAwHQYDVR0OBBYEFF2P17Fyd/ejjrXXJHsWtcav/bWJMB8GA1UdIwQYMBaAFBac
YEXWbdTvTvNAHppInR1IwJzXMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSUEGDAWBggrBgEFBQcDAgYK
KwYBBAGCNxQCAjApBgkrBgEEAYI3FQoEHDAaMAoGCCsGAQUFBwMCMAwGCisGAQQBgjcUAgIwOQYD
VR0RBDIwMKAuBgorBgEEAYI3FAIDoCAMHnVzZXIxQHdzMjAxNi5wa2lkZXYuYmJ0ZXN0Lm5ldDB2
BggrBgEFBQcBAQRqMGgwKwYIKwYBBQUHMAGGH2h0dHA6Ly9vY3NwLmRjb25lLmNsdXN0ZXIubG9j
YWwwOQYIKwYBBQUHMAKGLWh0dHA6Ly9haWEuZGNvbmUuY2x1c3Rlci5sb2NhbC9JQ0FSU0EyMDQ4
LmNydDA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLmRjb25lLmNsdXN0ZXIubG9jYWwvSUNB
UlNBMjA0OC5jcmwwKwYJKwYBBAGCNxUHBB4wHAYUYIZIAYb9bCcBAQGTkvvOt8SEsSMCAWQCAQEw
QQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQME
AgMFAKIDAgFAA4IBAQA9vQp6edm6VpOGh0fbOqzucMWNS26ZOs/iEyTuNvFX7v0V7oJBv0HYYUxP
DKUDSug+3mMnAwUN1OqNZ6sAi8hvE5qLQee7Y74wCvZR4qMEqWJSKF8hRyqw8cRyd1MZ72qB4MSo
judmh49LY7k5zVTelVtREtA6vgE2dLO3+FL5S91O++I7SWuMq/HHhj1yKAa/LqNdIDg3n6GlVNoI
7TqaZUS7IJq2Sp+pO6D7SJrT10YbDD6p/HwB/0gTYT1f38IQ37FBUUPqSwNqpSM5s4W8uNI3HaZM
6mcwIjIt2SjIIcspp7688G+dwoY0ex9hT8V4GI+ce9eT4l+e0cNToCmO
-----END CERTIFICATE-----Error case
If there is no response from the Citrix cmdlet to pre-generate the user certificate, it indicates a problem with the Citrix FAS integration.
Check the Windows Event Viewer to see if it shows any errors. For example:
 |
The complete error message for event ID number 123 above is:
[S123] Failed to issue a certificate for [upn: user1@ws2016.pkidev.bbtest.net role: default] [exception: The CSR failed at all configured certificate authorities] [correlation: a07c7310-cd1a-4fb4-b2ad-ff9596e8d6e0]
Check the DigiCert Autoenrollment Server (AES) logs for more details about a possible cause of any errors. To learn more about the AES logs, see Log properties configuration options.
Contact DigiCert Support if you need additional help.
What's next
After verifying the integration is working, users can start signing on and authenticating through Citrix FAS. They will get certificates from DigiCert Autoenrollment Server and you can monitor and manage the certificates in DigiCert® Trust Lifecycle Manager.
To avoid outages, make sure to renew the Citrix RA certificate as it approaches expiration.