2X Application Server CSR and Installation Instructions

2X Application Server CSR Creation

By enabling SSL encryption, your 2X Gateway provides encryption to your terminal servers. You can enable clients to connect using SSL by checking the box to "Enable SSL on Port:", usually using 443 as the default SSL setting. You can find this option under the SSL/TLS tab of the 2X Secure Client Gateway Properties window.

To access the Gateway Properties window, click on the Farm in the Navigation panel of the 2X Application Server and Load Balancer Console and then click on Gateways. Next, click the Gateway you want to edit and click "Properties."

To create a CSR for your 2X Application Server, open the Secure Client Gateway Properties window and go to the SSL/TLS tab, and then choose to "Generate new certificate...". A new window will appear, into which you will enter the following information:

  • Country code: If you do not know it, you can find your country code here.
  • Full state or province: The state in which your organization is primarily located.
  • City: Usually the location of your corporate headquarters, as opposed to your current location.
  • Organization: Full legal business name of your organization (or your name, for an individual).
  • Organization unit: Your division within the company, or the division for which the certificate is being requested (e.g., Marketing).
  • E-Mail: Your email address.
  • Common name: Usually the FQDN of the server to which your certificate is being issued (www.domain.com, mail.domain.com, or *.domain.com).
  • Save file to: The location to which your certificate request and private key will be saved.

Once you have generated your CSR file you can send it to ¶ºÒõ¹Ý during the order process or upload it to your account if reissuing a certificate.

Installing an SSL Certificate on a 2X Application Server

From the SSL/TLS tab of the 2X Secure Client Gateway Properties window, click the "..." link to browse to the Private Key you created during the CSR creation process, and then again to find the Certificate file that was returned to you from ¶ºÒõ¹Ý. If you receive a certificate file that includes an intermediate (all ¶ºÒõ¹Ý certificates are issued with one or more intermediates for security purposes), you will want to combine those two files into one .pem file before enabling your certificate.

To create that file, simply open both certificate files in a text editor and copy them into a new file in the following format:

-----BEGIN CERTIFICATE-----
(Contents of your_domain.crt file)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Contents of Intermediate Certificate File
-----END CERTIFICATE-----

You should be able to enable the certificate by browsing to your new certificate.pem file and selecting it like you selected the private key, and then pressing the OK button at the bottom of the window.

Troubleshooting

If you get the error unable to get local issuer certuficate. <20> you will need to add the intermediate certificates to the trusted.pem file on each of the clients by doing the following:

  1. Open the file ¶ºÒõ¹ÝCA.crt in a text editor, select all, and copy to the clipboard.

  2. Open the file trusted.pem in a text editor like Notepad:
    Add the following line after the entry ending with -----End Certificate----- for ¶ºÒõ¹Ý Assured ID Root CA.
    # ¶ºÒõ¹Ý High Assurance CA-3
    (Paste the contents of ¶ºÒõ¹ÝCA.crt)

  3. Add an entry to trusted.pem for the second intermediate certificate ¶ºÒõ¹ÝCA2.crt:
    Enter the following name for the certificate
    # ¶ºÒõ¹Ý Bridge Root
    (Paste the contents of ¶ºÒõ¹ÝCA2.crt)

  4. After updating the trusted.pem file you will then need to push this file to all of the client machines, then restart the client and this error should then be corrected.

SSL Certificate Install & CSR Creation in a 2X Application Server

How to generate a CSR or Install a Certificate on a 2X Application Server