How to create a Comodo bundle for the CAG

My past week has been filled with a puzzle, I was assigned a simple task which turned out to be a bit more complex.

For a Customer we implemented a Citrix Access Gateway to make sure their users can connect remotely.

The certificates for the CAG were ordered at Comodo.

From them we received 5 files in total.

Server : *.site.extension.crt

Root certificate : AddTrustExternalCARoot.crt

Intermediate 1 : UTNAddTrustSGCCA.crt

Intermediate 2 : ComodoUTNSGCCA.crt

Intermediate 3 : ComodoHighAssuranceSecureServerCA.crt
If you search the Internet for a solution on how to import these file in the correct order you might get confused. We contacted Comodo because with the instructions we found we failed.

On the Comodo site the instruction says you should create a bundle form Intermediate 3 to 1 and the root certificate, this instruction is wrong.
If you follow that instruction you’ll never get a succesfull import of the certificates. After several days of talking to Comodo (who were very cooperative) we got an instruction on how to create a bundle. this instructions was completely different from the one in their knowledge base.

Here’s what you need to do to create a good bundle for a CAG with Comodo certificates.
What you need to do is to create a bundle from the intermediates and the server certificate and import that file as a signed certificate on the CAG.

So place all certificates you have gotten from Comodo in one directory and open the Command prompt.

browse to the created folder and create a bundle with the copy command.
> Copy ComodoHighAssuranceSecureServerCA.crt+ComodoUTNSGCCA.crt+UTNAddTrustSGCCA.crt+*.site.extension.crt anyname.crt
This will create a CRT file with all other files embedded, you can also do this via Notepad but make sure not to add extra spaces or line breaks.

After you’ve done this you can import this bundle file into the CAG on the Adminsitration TAB under “Import singed CRT certificates”.
The one file that’s left over, AddTrustExternalCARoot.crt, needs to be imported through the Administration TAB, Manage trusted root certificates.

Browse to the AddTrustExternalCARoot.crt file and import it.

After both files have been imported the CAG needs a restart after which you can use it from any device.
Looking back, because that’s what you do at the end of the year, this was a really simple task after knowing which files belong together.

The one article I did read but didn’t follow was from Citrix, it does exactly say what to do…check it out here if your still interested.

there’s one line in there that says it all…. “append the intermediate certificate to the end of the server certificate and save it as one *.crt file”.

Now I can go and cook Christmas dinner….Hope y’all enjoy the holiday, a Merry Christmas to everyone and see y’all back in 2010.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.