Who Should Read This Article

This article is for customers who use the Web Self Service appliance released with XenServer v6.1 and earlier versions.


This article describes the process of generating a new SSL certificate for the Web Self Service (WSS) appliance. Customers should either generate a per-WSS certificate following the procedure below or replace with a new default certificate using the instructions in CTX137714.


WSS maintains its own SSL certificate which expires periodically. The default certificate included with the WSS appliance expires expires on Friday 3rd May 2013 at 11.32 UTC. After this point, some web browsers may refuse to connect to WSS, or do so only after issuing warnings which may cause concern about the validity of the connection.

Customers should generate new certificates (or replace with a new default certificate) unless they have already installed their own certificates (following the instructions in Appendix B of the Web Self Service Installation Guide).


Root access to the WSS appliance.


  1. Open the console of the WSS appliance, and log on as the root user.
  2. Stop the webss service: to do this enter:

    /etc/init.d/webss stop

  3. Rename and move the old .crt and .key files as ssl.crt.orig and ssl.key.orig. To do this enter:

    cd /root/sse/conf
    mv ssl.key ssl.key.orig
    mv ssl.crt ssl.crt.orig

  4. Create a new private key and associated self-signed X509 certificate, which will be valid for 1096 days (three years). Enter the following:

    openssl req -x509 -newkey rsa:2048 -keyout ssl.key -out ssl.crt -nodes -days 1096

    Note: Customers may choose a different value for the number of -days: this value specifies the number of days until the new certificate will expire.

  5. You will be prompted to enter information that will be incorporated into the certificate request. The fields are Country Code, State or Province Name, Locality, Organization Name, Organizational Unit Name, Common Name, and Email Address. If you would prefer to leave these fields blank, enter '.'
  6. After this, a new ssl.key and ssl.crt are generated.
  7. Start the webss service: to do this enter:

    /etc/init.d/webss start

More information

For information on installing Web Self Service, refer to CTX135097.

If you experience any difficulties, contact Citrix Technical Support.