Recently I was part of a discussion about the creation of a private key and Certificate Signing Request (CSR), in order to obtain a third party certificate, for XenMobile Device Manager (XDM).  This is not covered in our documentation.  There are quite a few different ways this can be accomplished and I wanted to list a few.

1) Use an IIS box. Most are familiar with this process and it is quite simple to achieve. Once the certificate is obtained and added to IIS, it can be exported together with the key.

2) If a NetScaler is part of the environment, use it. Both the key and the CSR can be generated on the NetScaler. After the certificate is added, you can export the keystore.

3) Download OpenSSL for Windows on the XDM server. The key and CSR can then be generated on the XDM server itself. This helps ensure the private key is never sitting anywhere else on the network.

So there are three different ways to generate XDM's private key and CSR in order to obtain a third-party SSL certificate. Options 1 and 3 will probably be covered by your certificate provider's own instructions. Any restrictions on key size or algorithms should be provided by your SSL certificate provider. The XDM keystore file will need to be in PKCS#12 format.

Generating an OpenSSL key – http://www.openssl.org/docs/HOWTO/keys.txt

Generating an OpenSSL CSR – http://www.openssl.org/docs/HOWTO/certificates.txt

Creating a PKCS#12 bundle – http://support.citrix.com/article/CTX106630

Changing the server cert on XDM – http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-securityid-configcert-ssl-tsk.html

UPDATE:  I documented this process for a customer of mine in their Nike build guide and figured I would add it here.

1) Download OpenSSL for Windows: http://www.openssl.org/related/binaries.html. You may also need the Visual C++ 2008 Redistributable.

2) Make sure to follow any applicable guidelines in your environment when adding these components.

3) Open a command prompt on the XDM server. All commands from here on assume you are in the c:\OpenSSL-Win32\bin directory.

4) Generate a new private key. Make sure to use the key size required for your environment. This example uses a 2048-bit key.

   i. "openssl genrsa -des3 -out <keyfile name> 2048"

5) Generate the CSR. You will get one warning about the openssl.cfg not being found even when specifying the config in the command.

   i. "openssl req -new -key <keyfile> -out <csr file name> -config .\openssl.cfg"

6) Submit the CSR to the CA for signing and place the returned certificate in the c:\OpenSSL-Win32\bin directory with the key.

7) Create a PKCS#12 bundle. Make sure to password protect the bundle during creation.

   i. "openssl pkcs12 -export -in <cert file> -inkey <keyfile> -out <bundle name>"

8) Create a folder on the XDM server to contain the bundle, e.g. C:\XDMCert.

9) If desired, delete the key, CSR, and bundle from the bin directory and remove OpenSSL.
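The same steps 4 through 7, scripted as a POSIX shell example that is added here and is not part of the original post. It assumes openssl is on PATH and a writable scratch directory, and because no CA is reachable offline it self-signs the CSR as a stand-in for the certificate the CA would return; the passphrase and subject are constructed values. It also adds the checks worth running before copying the bundle to the XDM server: the key on disk is encrypted, the certificate matches the key, and the bundle opens with its passphrase.

```shell
#!/bin/sh
# Added example (not from the post): key -> CSR -> PKCS#12 with OpenSSL, plus checks.
# Assumptions: openssl on PATH, writable scratch dir, self-signed cert standing in
# for the CA-issued one so the script runs offline.
set -eu

WORK="${XDM_WORK:-$(mktemp -d)}"
KEY="$WORK/xdm.key"; CSR="$WORK/xdm.csr"; CERT="$WORK/xdm.crt"; P12="$WORK/xdm.p12"
PASS="pass:Constructed-demo-passphrase"   # constructed value; never reuse in production

# Step 4: 2048-bit RSA key, encrypted on disk (-des3 as in the post).
make_key() { openssl genrsa -des3 -passout "$PASS" -out "$KEY" 2048 2>/dev/null; }

# Step 5: CSR from that key; -subj replaces the interactive prompts (constructed subject).
make_csr() {
  openssl req -new -key "$KEY" -passin "$PASS" -out "$CSR" \
    -subj "/C=US/O=Example/CN=xdm.example.com"
}

# Step 6 stand-in: self-sign the CSR. In practice the CA returns this file.
sign_locally() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "$PASS" \
    -days 30 -out "$CERT" 2>/dev/null
}

# Step 7: PKCS#12 bundle protected by an export passphrase (the post's step 7 warning).
make_bundle() {
  openssl pkcs12 -export -in "$CERT" -inkey "$KEY" \
    -passin "$PASS" -passout "$PASS" -out "$P12"
}

# Checks: key never written in the clear, cert and key share a modulus, bundle opens.
key_is_encrypted() { grep -q ENCRYPTED "$KEY"; }
cert_matches_key() {
  [ "$(openssl x509 -in "$CERT" -noout -modulus)" = \
    "$(openssl rsa -in "$KEY" -passin "$PASS" -noout -modulus 2>/dev/null)" ]
}
bundle_opens() { openssl pkcs12 -in "$P12" -passin "$PASS" -noout 2>/dev/null; }

# Runs all steps and all checks; returns non-zero if any of them fail.
run_pipeline() {
  make_key && make_csr && sign_locally && make_bundle || return 1
  key_is_encrypted && cert_matches_key && bundle_opens
}

run_pipeline && echo "bundle ready: $P12"
```

Copy only the resulting .p12 to the folder from step 8; the key, CSR and scratch directory can then be removed as in step 9.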