This topic provides an example of setting up a self-signed certificate using OpenSSL for the Integration Broker server that you deployed for the Citrix-Workspace ONE Access integration.

Procedure

  1. Create a self-signed certificate for the Integration Broker server.
  2. Create the ibcerts folder to use as the working directory.
  3. Create a configuration file using the vi openssl_ext.conf command.
    1. Copy and paste the following OpenSSL settings into the configuration file.

      # openssl x509 extfile params
      extensions = extend

      [req] # openssl req params
      prompt = no
      distinguished_name = dn-param

      [dn-param] # DN fields
      C = US
      ST = CA
      O = VMware (Dummy Cert)
      OU = Horizon Workspace (Dummy Cert)
      CN = hostname # Virtual machine hostname where the Integration Broker is installed
      emailAddress = EMAIL PROTECTED

      [extend] # openssl extensions
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always
      keyUsage = digitalSignature,keyEncipherment
      extendedKeyUsage=serverAuth,clientAuth

      [policy] # certificate policy extension data

      Note: Type the CN value before you save the file.
    2. Run this command to generate a private key.
      openssl genrsa -des3 -out server.key 1024
    3. Type the passphrase for server.key, for example, vmware.
    4. Rename the server.key file to server.key.orig.
      mv server.key server.key.orig
    5. Remove the password associated with the key.
      openssl rsa -in server.key.orig -out server.key
  4. Create a CSR (certificate signing request) with the generated key. The server.csr file is stored in your working directory.
    openssl req -new -key server.key -out server.csr -config ./openssl_ext.conf
  5. Sign the CSR.
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile openssl_ext.conf

    The expected output displays.

    Signature ok
    subject=/C=US/ST=CA/O=VMware (Dummy Cert)/OU=Horizon Workspace (Dummy Cert)/CN=w2-hwdog-xa.vmware.com/emailAddress=EMAIL PROTECTED
    Getting Private key

  6. Create the P12 format file.
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
    1. Press Enter at the prompt for an export password.
      Important: Do not enter a password.
      The expected output is the server.p12 file.
    2. Move the server.p12 file to the Windows machine where Integration Broker is installed.
    3. From the Command Prompt, type mmc.
    4. Click File > Add or Remove Snap-ins.
    5. In the Snap-in window, click Certificates and click Add.
    6. Select the Computer account radio button.
  7. Import the certificate into the root and personal store certificates.
    1. Choose All Files in the dialog.
    2. Select the server.p12 file.
    3. Click the Exportable check box.
    4. Leave the password blank.
    5. Accept the defaults for the subsequent steps.
  8. Copy the certificate into the Trusted Root CAs in the same mmc console.
  9. Verify that the content of the certificate includes these elements.
    • Private key
    • CN in the subject attribute that matches the Integration Broker Host Name
    • Extended key usage attribute with both client and server authentication enabled
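
The three checks in step 9 can also be run with OpenSSL against server.p12 before the file is moved to the Windows machine. The script below is an added example, not part of the original procedure; the function name check_p12 and its arguments are assumptions. The key-size warning is an extra check beyond step 9: the genrsa command above creates a 1024-bit key, which is below the 2048-bit minimum in NIST SP 800-131A.

```shell
#!/bin/sh
# Added example: checks a PKCS#12 bundle against the three items in step 9.
# check_p12 FILE EXPECTED_CN [EXPORT_PASSWORD]  (hypothetical helper; password defaults to empty)
check_p12() {
    p12=$1; want_cn=$2; pass=${3:-}; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle. -nodes writes the key unencrypted, so it stays in a
    # private temporary directory that is removed before returning.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$tmp/crt.pem" 2>/dev/null
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null

    # 1. Private key is present and pairs with the certificate's public key.
    cert_pub=$(openssl x509 -in "$tmp/crt.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key missing or not paired with certificate"; rc=1
    fi

    # 2. Subject CN equals the Integration Broker host name.
    cn=$(openssl x509 -in "$tmp/crt.pem" -noout -subject -nameopt multiline \
        2>/dev/null | sed -n 's/^ *commonName *= //p')
    if [ "$cn" = "$want_cn" ]; then
        echo "OK   CN=$cn"
    else
        echo "FAIL CN is '$cn', expected '$want_cn'"; rc=1
    fi

    # 3. Extended key usage lists both server and client authentication.
    text=$(openssl x509 -in "$tmp/crt.pem" -noout -text 2>/dev/null)
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage')
    if printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' &&
       printf '%s\n' "$eku" | grep -q 'TLS Web Client Authentication'; then
        echo "OK   EKU has serverAuth and clientAuth"
    else
        echo "FAIL EKU lacks serverAuth or clientAuth"; rc=1
    fi

    # Extra (not in step 9): warn when the RSA key is shorter than 2048 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || echo "WARN key size is ${bits:-unknown} bits"
    rm -rf "$tmp"
    return $rc
}
# Run directly: sh check_p12.sh server.p12 <hostname>
if [ $# -ge 2 ]; then check_p12 "$@"; fi
```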