Tuesday, September 20, 2016

Convert to a .PFX certificate for Windows if you receive a server certificate (.crt) and private key (.key)

Good day All,

Welcome back!!! We had a request to apply SSL for a website. During the initial discussion it was supposed to be applied at the F5 Load Balancer, so the LB team took care of generating the certificate.

A little later the client requirement changed and it was decided that SSL should be applied at the Windows web server and not on the load balancer, which should just redirect the traffic to the web server.

So the LB team sent me the certificate file (.crt) and, separately, the very confidential .key file, which holds the private key for the certificate and was sent only to authorized people.

Now I had to find a way to merge both so that I could generate a web server certificate with the private key embedded.

Follow the below steps:

1. Go to the following link https://slproweb.com/products/Win32OpenSSL.html and download either the 32-bit or the 64-bit build, depending on the OS



2. It is a simple next, next installer, and afterwards you will see a folder called C:\OpenSSL-Win64 (the name depends on which version you installed)

3. Copy the .crt and .key files to the following location: C:\OpenSSL-Win64\bin

4. Open a Command Prompt with administrative rights, change directory to C:\OpenSSL-Win64\bin and run the command shown in the screenshot below



The parameters in the command are:
Format of the certificate should be pkcs12
A dummy name to export the certificate as PFX
Private key path
Server certificate path
Friendly name
When you hit Enter it will ask you to set a password; remember that password or make a note of it.
After verifying the password you will see that a file with the .pfx extension has been generated, as below



5. Now open the Certificates MMC and import the .pfx; note that during the import it will ask for the password you set in Step 4.



Enable the checkbox which says "Mark this key as exportable", in case you want to export the certificate from the Certificates MMC store for future use.

6. Now open the certificate under the Personal store and you will see that the server certificate now has a private key.





Let's assume you want to do the reverse, that is, you have a .PFX certificate and you want to extract the private key (.key) for, say, a load balancer, either F5 or NetScaler. Then you will have to follow the steps below.

The Import Password is the password for the .pfx
The PEM pass phrase is just some password you will have to give

Note: the reason we have to run the rsa command on the temporary key to produce the private key is that it was observed that, without the rsa command, some spaces are present in the key which, when added to the load balancer, throw an error.
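Both openssl procedures in this post, merging .crt + .key into a .pfx (Step 4) and pulling the .key back out of a .pfx for a load balancer (the reverse case just above), as one runnable script. This is an added example, not the command from the post's screenshots: it is written for a POSIX shell so it can be run as-is on Linux, but the openssl commands are the same ones you would type in C:\OpenSSL-Win64\bin. The file names, the friendly name and the passwords are assumptions, and the key/certificate pair is a constructed self-signed one so the script runs offline; substitute the files sent by your LB team.

```shell
#!/bin/sh
# Added example (not the post's own command): round-trip a server certificate
# and private key through a PKCS#12 (.pfx) bundle with the openssl CLI.
# The openssl commands are identical on Windows (run them in C:\OpenSSL-Win64\bin).
# File names, the friendly name and the passwords are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # scratch directory
PFX_PASS="${PFX_PASS:-demo-pfx-password}"    # the "export password" (constructed)
PEM_PASS="${PEM_PASS:-demo-pem-passphrase}"  # the "PEM pass phrase" (constructed)

# Constructed input: a throwaway key and self-signed certificate, standing in
# for the server.crt / server.key you would receive from the LB team.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo.example.invalid" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Step 4 of the post: merge .crt + .key into a password-protected .pfx.
#   -export   build a PKCS#12 file instead of reading one
#   -inkey    private key path (.key)
#   -in       server certificate path (.crt)
#   -name     the "friendly name" shown in the Certificates MMC
#   -passout  the password you are otherwise prompted for after hitting Enter
build_pfx() {
  openssl pkcs12 -export \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -name "demo-friendly-name" \
    -passout "pass:$PFX_PASS" -out "$WORK/server.pfx"
}

# The reverse case: get the key (and the certificate) back out of the .pfx for
# a load balancer. -nocerts writes only the key, as an encrypted PEM protected
# by the PEM pass phrase. `openssl rsa` then rewrites it as a plain key without
# the encryption and without the "Bag Attributes" header lines pkcs12 prepends.
extract_for_lb() {
  openssl pkcs12 -in "$WORK/server.pfx" -nocerts \
    -passin "pass:$PFX_PASS" -passout "pass:$PEM_PASS" \
    -out "$WORK/key_temp.pem"
  openssl rsa -in "$WORK/key_temp.pem" -passin "pass:$PEM_PASS" \
    -out "$WORK/server_lb.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/server.pfx" -nokeys -clcerts \
    -passin "pass:$PFX_PASS" -out "$WORK/server_lb.crt"
}

# Sanity check before handing files to the LB team: the extracted key and the
# certificate must share the same RSA modulus, i.e. be a matching pair.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$WORK/server_lb.key" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$WORK/server_lb.crt")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_demo_pair
build_pfx
extract_for_lb
if key_matches_cert; then
  echo "OK: $WORK/server.pfx built, key and cert extracted again and they match"
else
  echo "MISMATCH: extracted key does not belong to the certificate" >&2
  exit 1
fi
```

The `-passout pass:...` / `-passin pass:...` options are there only so the demo runs unattended; for a real certificate leave them out and let openssl prompt, otherwise the .pfx password ends up in the command history. The `openssl rsa` step is what turns the "Enter PEM pass phrase" output into a key a load balancer will accept: it strips the pass-phrase encryption and the Bag Attributes lines. If the load balancer insists on the older `BEGIN RSA PRIVATE KEY` header, OpenSSL 3 accepts `-traditional` on the `openssl rsa` command. The modulus comparison is a cheap way to catch the classic mistake of pairing the right certificate with the wrong key before anyone uploads it.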



The steps above helped, and hopefully this will help someone too!!!!
Until the next one, you all have a great day!!!

Sunday, September 18, 2016

SSL on 2 Node Storefront 3.6 Load Balancing Servers

Good day All,

Welcome back!!!

We recently got a request to apply SSL to the Storefront servers, even for internal users, and also to add one more server for load balancing. The current setup we had was a 1-node Storefront server running version 2.x.

Below are the steps we followed to fulfill the request.

Step 1. We added a new Storefront server with the same 2.x version and added the server to the load balancer. The steps are pretty straightforward:

a. Installed Storefront on the new node
b. Go to the primary node, click Add Server under Server Group in the Citrix Storefront MMC and it will show an authorization code as below

c. Log in to the new secondary Storefront server, click Join Storefront farm on the welcome screen when you open the Citrix Storefront MMC, then type in the primary node server name and the authorization code, and voilà, the server is added.
d. Requested a new virtual IP (VIP) from the F5 load balancer team; it was configured to load-balance traffic on port 80 between both Storefront servers.
e. The last step was to update the DNS record, as earlier it was one node and the record was pointing to the primary Storefront server IP. So we changed the DNS record to point to the F5 load balancer VIP.


Step 2: We wanted to upgrade the Storefront servers from 2.x to 3.6 before applying SSL. If you have a huge user base and can't afford to have user downtime for very long, then you will probably have to make sure you involve the load balancer team during the upgrade process:

a. Request the load balancing team to remove the primary server from load balancing.
b. Download the setup and run the upgrade; it is a simple, straightforward upgrade.
c. After testing the upgrade, add the upgraded server back to load balancing and remove the old server from it.
d. Upgrade the secondary node.
e. Request the load balancing team to add the other server back.

As we had the required downtime, we didn't involve the load balancer team and the servers were upgraded one node at a time.

Step 3: The final step was to apply SSL on both Storefront servers.
As our requirement was to apply SSL for internal users, we wanted the SSL traffic to terminate at the Storefront servers and not at the F5 load balancer. We also wanted any user who types in the plain URL to be automatically redirected to 443 and sent to the Storefront servers.

a. A certificate was requested. Generating a certificate etc. is a pretty straightforward process and there are so many articles out there, so we will not be covering it.
b. Requested the F5 load balancer team to reconfigure the virtual IP (VIP) so that HTTP to HTTPS redirection works and HTTPS traffic is sent to both Storefront servers.
c. The certificate was imported into the Certificates MMC store, and the root and intermediate certificates were also added on both Storefront servers.
d. On both Citrix Storefront servers, under IIS, a new binding was added for 443 under the Default Web Site as below, and under the SSL certificate field the certificate we processed earlier was selected and applied.

e. The same steps as above need to be done on the other node as well.
f. The last step was, under the primary Citrix Storefront server MMC, to right-click Server Group, click Change Base URL and change the record from HTTP to HTTPS.
g. During testing we started to see the error below when we browsed the URL.

Troubleshooting steps performed:

1. We knew that Storefront was working fine before we applied SSL, so to identify whether this error was on both nodes or on a single node, I went ahead and shut down the secondary server.
2. When tested, Storefront was working fine and we were able to browse the apps.
3. So this time I powered off the primary and brought the secondary online, and now we started to see the same error. Now I knew the issue was with the secondary node. As we had the load balancer sending traffic to both SF servers, we were seeing the above error whenever we hit the secondary node.
4. To fix the issue I brought the primary node online, went to Server Group and started to check around.
5. Anyone have a guess what the fix would be? Well, guess what: when I checked the Last Synchronization time it was showing a couple of days ago, so I clicked Propagate Changes under Actions to push the configuration to all the other nodes, and voilà, the issue got fixed.



To make sure we did thorough testing, the following things were tested:

1. The primary node was shut down and the secondary node was tested via its node IP, the load balancer VIP and HTTPS, and the application was tested.
2. Vice versa was tested.
3. The last step was to bring both servers online and test both servers via the node IP, the VIP and HTTPS.
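The three-step test matrix above, as an added example that is not part of the original post: a small POSIX shell script that uses curl to hit each Storefront node by its own IP and through the VIP while still presenting the real hostname (Host header and TLS SNI), which is what a per-node test behind a load balancer needs. The hostname, VIP, node IPs and store path are placeholders (assumptions); replace them with your own values.

```shell
#!/bin/sh
# Added example (not part of the original post): automate the post's final test
# matrix with curl. Each Storefront node is tested by its own IP and through the
# load balancer VIP, over HTTP (expecting the HTTP->HTTPS redirect the F5 was
# configured for) and HTTPS (expecting the store page). Hostname, VIP, node IPs
# and store path below are placeholders (assumptions).
SF_HOST="storefront.example.invalid"   # name users type in the browser (placeholder)
SF_PATH="/Citrix/StoreWeb/"            # store web URL path (assumed)
VIP="192.0.2.10"                       # F5 virtual IP (placeholder)
NODES="192.0.2.11 192.0.2.12"          # primary and secondary node IPs (placeholders)

# expect_redirect STATUS LOCATION: a port-80 request must answer with a redirect
# whose Location points at the HTTPS URL of the same host. Returns 0 on pass.
expect_redirect() {
  case "$1" in
    301|302|307|308)
      case "$2" in "https://$SF_HOST"*) return 0 ;; esac ;;
  esac
  return 1
}

# expect_store STATUS: a port-443 request must return the store page itself.
expect_store() { [ "$1" = "200" ]; }

# probe SCHEME IP: request $SF_HOST at one specific IP. --resolve pins the DNS
# answer for this single call, so the request carries the real Host header and
# TLS SNI while bypassing DNS and, for node IPs, the load balancer.
# Prints "<status> <redirect_url>"; prints "000 " when the connection fails.
probe() {
  scheme=$1; ip=$2; port=80
  [ "$scheme" = "https" ] && port=443
  curl -sS -o /dev/null --max-time 10 \
       --resolve "$SF_HOST:$port:$ip" \
       -w '%{http_code} %{redirect_url}' \
       "$scheme://$SF_HOST$SF_PATH" 2>/dev/null || true
}

# check LABEL SCHEME IP EXPECT_FN: run one probe and judge it with EXPECT_FN.
check() {
  result=$(probe "$2" "$3")
  status=${result%% *}
  location=${result#* }
  if "$4" "$status" "$location"; then
    echo "PASS $1 ($2 via $3): $status $location"
  else
    echo "FAIL $1 ($2 via $3): $status $location"
    return 1
  fi
}

# run_matrix: the post's tests in one pass. Returns non-zero if any check fails.
# Shut one node down before running it to reproduce tests 1 and 2 of the post.
run_matrix() {
  rc=0
  check "VIP redirect" http  "$VIP" expect_redirect || rc=1
  check "VIP store"    https "$VIP" expect_store    || rc=1
  for ip in $NODES; do
    check "node $ip store" https "$ip" expect_store || rc=1
  done
  return $rc
}

# Only touch the network when explicitly asked, so the functions above can be
# sourced and exercised without any servers reachable.
if [ "${RUN_PROBES:-0}" = "1" ]; then
  run_matrix
fi
```

Run it with `RUN_PROBES=1 sh sf-test.sh` from a machine that can reach both nodes and the VIP. A FAIL on one node IP while the VIP checks pass is exactly the situation in the troubleshooting section: the load balancer hides the broken node most of the time, so per-node probing is what makes the out-of-sync server visible. If the certificate chains to an internal CA that the test machine does not trust, add `--cacert <root.pem>` to the curl call rather than `-k`, so the test also proves that the root and intermediate certificates installed in step c form a complete chain.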

So this is how we completed this request; hopefully this helps someone...

Until the next one, you all have a great day!!!