Objective
This article describes how to create a certificate using OpenSSL in combination with a Windows Certificate Authority and transfer the certificate to a XenServer host.
To enable trusted SSL communication for XenServer management through XenCenter, XenDesktop, or any other product, a trusted certificate is required on the XenServer host. This method is similar to CTX128617 - How to Use IIS to Acquire SSL Certificates for XenServer, except OpenSSL is used to generate the certificate requests.
This method can be scripted to easily replace certificates after expiration, and also gives the ability to store the certificate key pair. Should a XenServer require rebuilding, there is no need to repeat the request process. Simply upload the archived key pair to the server.
The following steps simulate creating a certificate for a XenServer named “xenserver1” in the domain “domain.com”. The Certificate Authority is named CA1 on server DOMAINCA. The password used for the private key pair is “citrixpass”.
Instructions
Following are the requirements:

- Microsoft Certificate Authority

Complete the following procedure:

1. Install OpenSSL on a workstation or server. Ensure that the user performing the certificate request has adequate permissions to request and issue certificates.

2. Create the certificate request and private key:

   openssl req -newkey rsa:2048 -keyout xenserver1prvkey.pem -nodes -out xenserver1.req -subj /CN=xenserver1.domain.com/O=Organization/C=US/ST=GA/L=Atlanta

   For more specifics on creating the request, refer to the OpenSSL req documentation. Adjust the Common Name, Organization, Country, State, and Location to reflect your information. If your values contain spaces, enclose the -subj argument in quotes.

3. Submit the request to the Windows Certificate Authority using CertReq:

   certreq -submit -binary -attrib "CertificateTemplate:WebServer" -config DOMAINCA\CA1 xenserver1.req xenserver1.cer

   Windows Certificate Authorities only export certificates in Base64 or binary (DER) encoding. Base64 is the default, so binary encoding requires the extra -binary switch. For full CertReq syntax, refer to the CertReq Command-Line Reference.

4. Convert the issued certificate to PEM format:

   openssl x509 -inform der -in xenserver1.cer -out xenserver1.pem

5. Merge the issued certificate and private key into PKCS#12 format:

   openssl pkcs12 -export -inkey xenserver1prvkey.pem -in xenserver1.pem -out xenserver1.pfx -passout pass:citrixpass

6. Convert the PKCS#12 key pair into a PEM key pair for importing into XenServer:

   openssl pkcs12 -in xenserver1.pfx -out xenserver1keypair.pem -nodes -password pass:citrixpass

7. Transfer the key pair to XenServer. This procedure uses WinSCP to copy the file to the host; a portable version is available for download at http://portableapps.com/apps/internet/winscp_portable

8. Open WinSCP and start a session to your XenServer.

9. Browse to /etc/xensource/ in the right pane and to the folder containing your PEM key pair file in the left pane.

10. xapi-ssl.pem is the certificate currently in use on your XenServer. Rename this file to “xapi-ssl.pem.original”.

11. Drag your PEM key pair file from the left pane into the right pane to copy it. WinSCP prompts you to confirm the copy.

12. Rename the copied PEM file to “xapi-ssl.pem”.

13. For security, modify the properties of the file to Read Only.

14. From the XenServer console, issue a restart command for the xapissl service.

15. Browse to your XenServer over HTTPS to verify that your certificate is installed properly.
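An added helper, not part of the Citrix article, for checking the xenserver1keypair.pem produced by the final openssl pkcs12 command before it is copied to the host and renamed to xapi-ssl.pem. openssl pkcs12 writes Bag Attributes and subject/issuer lines around the PEM blocks; this script keeps only the PEM blocks, confirms there is exactly one unencrypted private key and at least one certificate, orders the key first (a convention chosen here, not something the article states), and writes the result owner-read-only to mirror the Read Only step. The sample input and its PEM bodies are constructed placeholders, not a real key or certificate.

```python
import os
import re

# Constructed sample shaped like `openssl pkcs12 -nodes` output: certificate
# bag first, then the key bag. The base64 bodies are placeholders only.
SAMPLE_KEYPAIR = """Bag Attributes
    localKeyID: 01 02 03
subject=/CN=xenserver1.domain.com/O=Organization/C=US
issuer=/CN=CA1
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN label, body, END with the same label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block) pairs for every PEM block; text outside blocks is dropped."""
    return [(m.group(1), m.group(0).replace("\r\n", "\n") + "\n") for m in PEM_BLOCK.finditer(text)]

def check_keypair(text):
    """Return a list of problems; an empty list means the bundle is usable as xapi-ssl.pem."""
    blocks = pem_blocks(text)
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [label for label, _ in blocks if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    # xapi needs an unencrypted key, which is why the article passes -nodes.
    if any("ENCRYPTED" in label for label in keys) or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is encrypted; re-run openssl pkcs12 with -nodes")
    if not certs:
        problems.append("no certificate found")
    return problems

def normalize_keypair(text):
    """Return the cleaned bundle: the private key, then the certificate(s), nothing else."""
    problems = check_keypair(text)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = pem_blocks(text)
    key = next(block for label, block in blocks if label.endswith("PRIVATE KEY"))
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    return key + "".join(certs)

def write_xapi_ssl(path, text):
    """Write the bundle and mark it read-only for the owner, as the article's Read Only step does."""
    with open(path, "w", newline="\n") as f:
        f.write(text)
    os.chmod(path, 0o400)
```

Run `write_xapi_ssl("xapi-ssl.pem", normalize_keypair(open("xenserver1keypair.pem").read()))` on the workstation, then copy the resulting file with WinSCP as in the steps above.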