Recently, I had the opportunity to install a wildcard certificate on a Citrix Access Gateway. For this install, there were two Access Gateway appliances in a DMZ and the license server, housing the Access Gateway licenses, was on the internal network. My initial research didn’t turn up much, but I did find the following items within the Access Gateway Administrators Guide:
The following are taken directly from the Access Gateway Administrator’s Guide:
1. Using Wildcard Certificates
The Access Gateway supports validation of wildcard certificates for Secure
Access Clients. The wildcard certificate has an asterisk (*) in the certificate
name. Wildcard certificates can be formatted in one of two ways, such as
*.mycompany.com or www*.mycompany.com. When a wildcard certificate is
used, clients can choose different Web addresses, such as http://
www1.mycompany.com or http://www2.mycompany.com. The use of a wildcard
certificate allows several Web sites to be covered by a single certificate.
2. Important The FQDN must match what is on the digital certificate and the license for the Access Gateway.
So, it appears to be supported, and perhaps even doable.
Then I came across this Citrix Knowledge Center article. The section of the article of most concern to me is shown below:
“Some of the problems that may occur when dealing with Access Gateway and certificates are as follows:
Verification Failure error during upload of certificate.
This will happen if you try to upload a certificate without a private key. A common situation is where a company has multiple Access Gateways and uploading the same cert to each gateway.
The resolution in this case is to generate a new CSR and have a new certificate issued with the private key.”
So, maybe it won’t work since I want to use the same wildcard certificate on each Access Gateway.
Well, I proceded to convert and install the wildcard certificate on each Access Gateway. I set the External FQDNs on each CAG as cag1.domain.com and cag2.domain.com respectively. Upon the next reboot, I got the “Verification Failure” error on each device which, in this case, caused them to reboot themselves after a few minutes. The exact error displayed on the CAG console:
I followed the advice given, ie, reset the server certificate and reboot the CAG.
After the reboot, I uploaded the wildcard certificate to each CAG once again, but this time, I did not specify an External FQDN on the CAGs and rebooted. This time, the CAGs stayed up and clients could successfully use the Secure Access Client for HTTPS VPN access and the Web Interface for connecting to specific published applications.
To recap, to use the same wildcard certificate on each CAG, I uploaded the certificate to each CAG and left the External FQDN option blank. With this configuration, connectivity to internal resources can be achieved through the CAG using the Secure Access Client or the Web Interface.
What I’d like to know is if any of you have used wildcard certificates on your CAGs, and if so, what do your configurations look like?