Citrix Implementation Guide

Guide to implementing Digi-Access™ on Citrix Access Gateway

Activating and Installing a Digi-Access™ Certificate

Once the user's Digi-Access™ application is approved by the Digi-Sign Validations Department, the end user will receive an e-mail message containing instructions on how to activate and install the Digi-Access™ certificate, along with the relevant Digi-Access™ certificate activation URL.

Once you have entered the URL, click the Collect your Digi-Access™ Certificate button.

Obtaining a Digi-Access™ Client Certificate from Digi-Sign

Access Gateway Advanced Edition

The Access Gateway and the servers running Advanced Edition can both be required to use secure client certificates. Use the following guidelines when configuring for client certificate use:

Defining Client Certificate Criteria

To specify criteria that client certificates must meet, use a Boolean expression. To belong to a group, the user must meet the certificate criteria in addition to passing all other authentication rules that are configured for that group. For example, the following criteria require that the subject field of the client certificate provided by a user has the Organizational Unit (OU) set to Accounting and the Common Name (CN) attribute set to a value matching the user's local user name on the Access Gateway.
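The logic of that criterion, modelled in Python as an added example (it is not part of the original guide and is not Access Gateway expression syntax). It shows why the OU and CN must be compared as parsed attributes rather than searched for as substrings of the subject. The function names, the sample subjects, and the choice of exact, case-sensitive matching with a single CN are assumptions.

```python
# Added example: models the criterion in Python; this is not Access Gateway syntax.

def parse_subject(dn):
    """Return {ATTR: [values]} from a comma-separated subject string.

    A backslash escapes the next character; hex escapes are not decoded.
    """
    parts, token, escaped = [], [], False
    for ch in dn:
        if escaped:
            token.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":  # RDN separator, or "+" inside a multi-valued RDN
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    parts.append("".join(token))
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def meets_criteria(subject_dn, username, required_ou="Accounting"):
    """True only if OU holds required_ou and the single CN equals username.

    Assumptions: exact, case-sensitive comparison and exactly one CN.
    """
    attrs = parse_subject(subject_dn)
    return required_ou in attrs.get("OU", []) and attrs.get("CN", []) == [username]


# Constructed sample subjects (not taken from any real certificate).
SAMPLES = [
    ("CN=jsmith,OU=Accounting,O=Example Corp", "jsmith"),
    ("CN=jsmith,OU=Accounting-Contractors,O=Example Corp", "jsmith"),
    ("CN=jsmith\\,OU=Accounting,O=Example Corp", "jsmith"),
    ("CN=admin,OU=Accounting,O=Example Corp", "jsmith"),
]

if __name__ == "__main__":
    for dn, user in SAMPLES:
        print(meets_criteria(dn, user), dn)
```

Only the first constructed subject satisfies the criterion; the second and third contain the text `OU=Accounting` without having that attribute value, and the fourth has a CN that does not match the user name.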

Requiring Client Certificates for Authentication

If you want additional authentication, you can configure the Access Gateway to require client certificates for authentication.

The Access Gateway can authenticate a client certificate that is stored in either of these locations:

    - In the certificate store of the Windows operating system on a client computer. In this case, the client certificate is installed separately in the certificate store using the Microsoft Management Console.

Installing your Digi-SSL™ Certificate

To install a certificate file using the Administration Tool

    1. Click the Access Gateway Cluster tab and open the window for the appliance.
    2. On the Administration tab, next to Upload a .crt signed certificate, click Browse. This button is used only when you are installing a signed certificate generated on the Certificate Signing Request tab.
    3. Locate the file you want to upload and click Open.

You can also upload the certificate using the Administration Portal.

Password-Protected Private Keys

Enabling SSL communication security on Citrix Access Gateway

To enable the SSL facility on Citrix Access Gateway, an SSL (Digi-SSL™) certificate is required.
A Digi-SSL™ certificate can be obtained directly from Digi-Sign and requires a CSR (Certificate Signing Request) code.
A CSR is a file or string containing your certificate application information, including your Public Key, Company Name and the Common Name (usually the FQDN, the Fully Qualified Domain Name of the host).


Citrix Access Gateway

1. Enabling SSL communication security on Citrix Access Gateway
1.1. Generating a Certificate Signing Request (CSR) using Citrix Access Gateway
1.2. Installing your Digi-SSL™ Certificate on Citrix Access Gateway
1.2.1. Installing your Digi-SSL™ Certificate
1.2.2. Installing the CA Certification Path containing the Root & Intermediate CA Certificates
2. Requiring Client Certificates for Authentication