Let’s say you want to accelerate encrypted MAPI / signed CIFS traffic with BR6.0? Well, firstly you’ll need to join the “server-side” appliance to your domain (see user’s guide section 4.19), then you’ll need a signalling tunnel between your Repeater units. You’ve got your two BR appliances ready to go, crypto license installed – all you’re missing are the certificates.

CTX128920 will take you through the entire procedure, from opening the key store to establishing the secure tunnel between the appliances. At the bottom of the article you will also find the commands necessary to create certificates using openSSL (http://www.openssl.org/).

Let’s also say, you put in time and effort to get a shiny new Windows Certificate Authority going, so of course you’ll want to use the certificates it issues!

Getting the CA Certificate

First you’ll need to make sure your Repeaters trust the certs issued by your CA, so get a CA cert:

DER will do…


Client & Server Certificate

Next, we need a client cert: go back to the CertSrv home, “Request a certificate” and then go for the advanced certificate request.

There are only three settings you need to change.

  • Name
  • Type of certificate
  • Mark keys as exportable

The name itself is not important, but it’ll help find the right certificate later on. The other info is irrelevant…leave the fields empty if you want. 

Make sure you select the right type:

And – most importantly – tick the box!

Click the submit button and then just install the certificate.

Now repeat the process with the only difference of selecting the type “Server Authentication Certificate”.

Open up the MMC, add the Certificates snap-in for “My User account”, find the certs in Personal>Certificates (here’s where the name entered for the request comes in handy if you have many more certs in the same store).

Export them, making sure you export the private key as well.

Finish the configuration

You should now have three files, a CA certificate (*.cer), a server cert and a client cert (both *.pfx) which include their respective private keys. When you import them as shown in http://support.citrix.com/article/CTX128920, make sure you select “Combined Certificate/Private Key Input”.
Import the CA cert to both Repeaters, and then the client cert to one and the server cert to the other. Configure the rest of the secure tunnel settings as per the article, then sit back and proudly admire your accomplishment.