2X Application Server CSR and Installation Instructions
By enabling SSL encryption, your 2X Gateway provides encryption to your terminal servers. You can enable clients to connect using SSL by checking the box to "Enable SSL on Port:", usually using 443 as the default SSL setting. You can find this option under the SSL/TLS tab of the 2X Secure Client Gateway Properties window.
To access the Gateway Properties window, click on the Farm in the Navigation panel of the 2X Application Server and Load Balancer Console and then click on Gateways. Next, click the Gateway you want to edit and click "Properties."
To create a CSR for your 2X Application Server, open the Secure Client Gateway Properties window and go to the SSL/TLS tab, and then choose to "Generate new certificate...". A new window will appear, into which you will enter the following information:
- Country code: If you do not know it, you can find your country code here.
- Full state or province: The state in which your organization is primarily located.
- City: Usually the location of your corporate headquarters, as opposed to your current location.
- Organization: Full legal business name of your organization (or your name, for an individual).
- Organization unit: Your division within the company, or the division for which the certificate is being requested (e.g., Marketing).
- E-Mail: Your email address.
- Common name: Usually the FQDN of the server to which your certificate is being issued (www.domain.com, mail.domain.com, or *.domain.com).
- Save file to: The location to which your certificate request and private key will be saved.
Once you have generated your CSR file you can send it to DigiCert during the order process or upload it to your account if reissuing a certificate.
Installing an SSL Certificate on a 2X Application Server
From the SSL/TLS tab of the 2X Secure Client Gateway Properties window, click the "..." link to browse to the Private Key you created during the CSR creation process, and then again to find the Certificate file that was returned to you from COMODO. If you receive a certificate file that includes an intermediate (all COMODO certificates are issued with one or more intermediates for security purposes), you will want to combine those two files into one .pem file before enabling your certificate.
To create that file, simply open both certificate files in a text editor and copy them into a new file in the following format:
(Contents of your_domain.crt file)
(Contents of Intermediate Certificate File
You should be able to enable the certificate by browsing to your new certificate.pem file and selecting it like you selected the private key, and then pressing the OK button at the bottom of the window.
If you get the error unable to get local issuer certificate. <20> you will need to add the intermediate certificates to the trusted.pem file on each of the clients by doing the following:
Open the file COMODORSACA.crt in a text editor, select all, and copy to the clipboard.
Open the file trusted.pem in a text editor like Notepad:
Add the following line after the entry ending with -----End Certificate----- for ComodoRSAADDTrustCA.crt
# Comodo RSA AddTrust CA
(Paste the contents of COMODORSAAddTrustCA.crt)
Add an entry to trusted.pem for the second intermediate certificate COMODORSADomainValidation/Organization/or EV CA.crt:
Enter the following name for the certificate
# Comodo Domain Validation CA or Comodo Organization Validation CA or Comodo EV Validation CA
(Paste the contents of ComodoRSADomainValidationCA.crt)
After updating the trusted.pem file you will then need to push this file to all of the client machines, then restart the client and this error should then be corrected.