Showing posts from October, 2015

Citrix Access Gateway Certificate Format

I got a call a few days ago to renew the certificate on a Citrix Access Gateway appliance. The appliance was very - and I mean very - old so I had my hands full... After I found out that the proper software for management was installed on the Web Interface servers, I requested the certificate in PFX format in order to get the private key too and scheduled the change for after hours since it requires a restart of the devices. When I tried to install the certificate, the appliances refused to accept it. Then I recalled an article I've read a long time ago, where the author mentioned that the certificate has to be in PEM format and not PFX. After a google search, I found this article on the Citrix Knowledge Center that describes the process of converting a PFX file to PEM for that purpose. All you have to do is to download the openssl binaries and execute the following command in order to convert the file: openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem –no

Citrix Command Center Cipher Suites

I recently installed and configured Citrix Command Center on a client to monitor and configure their NetScaler appliances. When I opened the management page with Chrome, I got a message that the server was using a weak DH public key. Since the guys didn't seem to be very helpful with issuing a certificate from their CA, I decided to disable the Diffie-Hellman cipher suites used by Command Center as a workaround. To do that, you have to edit some apache configuration files. The first step is to stop the Command Center service. Then make a backup copy of the following files: 1. CommandCenterInstallDirectory\apache\tomcat\conf\backup\server.xml 2. CommandCenterInstallDirectory\conf\transportProvider.conf Search the server.xml file for "ciphers" to get to the part where the cipher suites are defined and then remove all the DH ciphers.   Set the same ciphers on the <CipherSuites></CipherSuites> part of the transportProvider.conf file. Start the C

Creating a SelfSigned Certificate using Powershell

Most of the time I get my certificates from an Active Directory CA but there are times when I want a temporary certificate to test something, like in a lab for example. With the following commands, you can create and export a self signed certificate: To create the certificate at the Personal store of Local Machine use: New-SelfSignedCertificate -DnsName server.lab.local -CertStoreLocation Cert:\localmachine\my   In most cases, like IIS, you should be ready to assign the certificate to your application server by now. In case you want to export the certificate in PFX format (that included the private key), use the following cmdlets: First, you'll need the thumbprint of the certificate from the above command, so save the output to a variable like:     $Certificate = New-SelfSignedCertificate -DnsName server.lab.local -CertStoreLocation Cert:\localmachine\my   Please note that if you have already created the certificate using the first cmdlet, the second one will create

Powershell Trapping Get-WMIObject

There are many times when I have to connect to remote servers and get information using WMI but not all of the servers in my list are available all the time... Even though the error from the Get-WMIObject cmdlet is not terminating, I want to handle it. So I use the following code to do it: # Declare the variable to hold the result $servicename # Call the Get-WMIObject cmdlet try     {         $servicename = get - wmiobject win32_service - computername $server - ErrorAction Stop       } catch     {         # If an exception is thrown, set the variable to null         $servicename = $null     }   # Check the value of the variable. if ( - Not ( $servicename - eq $null ) ) {      # Continue processing } else {     # Exception was thrown }   I've added the "-ErrorAction Stop" in order to handle the non terminating error.