bg-tutorials

How to Install an SSL Certificate on Citrix Access Gateway 5.0

This guide shows you how to install an SSL certificate on Citrix Access Gateway 5.0: import the server certificate, install the intermediate, and link them into a complete chain of trust. The steps use the Access Gateway Management Console and apply to both the physical 2010 series and the VPX virtual appliance.

Important: Citrix Access Gateway 5.0 is end of life. Citrix retired the standalone Access Gateway line years ago, and remote-access workloads now run on NetScaler Gateway (previously branded Citrix Gateway) under Cloud Software Group. If you are setting up a new deployment, or migrating off Access Gateway 5.0, follow our companion tutorial on how to install an SSL certificate on NetScaler instead. The steps below are kept for administrators who still maintain a legacy CAG 5.0 appliance and need to renew its certificate.

Generate a CSR code for Citrix Access Gateway 5.0

If you already have your CSR and the issued certificate files from the Certificate Authority, skip ahead to Install an SSL certificate on Citrix Access Gateway 5.0.

To get an SSL certificate you first create a CSR (Certificate Signing Request), a block of encoded text that contains your domain and organization details. You have two options:

  • Generate the CSR off-box with our CSR Generator. The tool produces both the CSR and the matching private key; save them safely, you will need the key when you install the certificate on the appliance.
  • Generate the CSR directly on the appliance by following our CSR on Citrix Access Gateway tutorial. The private key stays on the appliance and the CA returns the signed certificate.

Submit the CSR during your order. After the CA validates and issues your certificate, you will receive a ZIP archive containing your primary certificate and one or more intermediate certificates. Extract the archive and continue with the steps below.

Install an SSL certificate on Citrix Access Gateway 5.0

On Citrix Access Gateway 5.0 the certificate is installed as a PEM file through the Management Console. You upload the server certificate, upload the intermediate (CA bundle), then link the two so the appliance serves a complete chain. Work through the steps in order.

Step 1: Install the server (primary) certificate

Open your primary certificate file in a plain-text editor such as Notepad or Notepad++, never in Microsoft Word or another rich-text editor (those add hidden characters that break the PEM). Copy the full contents of the file, including the BEGIN and END lines:

-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAQ... (your certificate body) ...
-----END CERTIFICATE-----

Each marker must have exactly five hyphens on either side and no extra spaces or blank lines. Save the file as server.pem.

Then in the Access Gateway Management Console:

  • Click Management > Certificates.
  • On the right side of the Certificate Management panel, click Import and choose Server (.pem).
  • In the Select file to upload dialog, browse to your server.pem file and click Open.
  • If the appliance prompts for the private key and passphrase (because the CSR was generated off-box), provide them now. If you generated the CSR on the appliance itself, the private key is already present and no prompt appears.

The certificate appears in the Certificates table once the upload completes.

Step 2: Install the intermediate certificate

Open the intermediate certificate file (commonly named intermediate.crt, ca-bundle.crt, or similar) in the same plain-text editor. If the CA delivered a bundle that contains more than one intermediate, the file may include several BEGIN / END blocks stacked one after another. Leave them in order, do not split them. Save the file as intermediate.pem.

Back in the Access Gateway Management Console:

  • Click Management > Certificates.
  • Click Import and select Trusted (.pem).
  • Browse to intermediate.pem and click Open.

No private key or password is required for an intermediate certificate.

Step 3: Link the intermediate to your server certificate

Uploading both files is not enough on its own. Access Gateway only sends the intermediate during a TLS handshake when you explicitly link it to the server certificate. Without this step, clients see a broken chain and modern browsers refuse to connect.

  • Click Management > Certificates.
  • In the Certificates table, select your server certificate.
  • Click Add to Chain on the right side of the panel.
  • In the dialog box, select the intermediate certificate you just uploaded and click Add.
  • If the CA returned more than one intermediate, repeat the Add step for each one, in the correct order: server certificate at the bottom, intermediates above it, root at the top.
  • Click Close to finish.

Step 4: Save and activate the configuration

Save the configuration in the Management Console. Once the upload and chain are in place, Access Gateway uses the new server certificate for HTTPS connections to the public address. If the appliance does not pick up the new certificate immediately, restart the Access Gateway services from the Management Console so it is reloaded.

Test the SSL installation

After installing, open the gateway URL over https:// in a browser and check the padlock and certificate details. For a deeper view, scan the public-facing address with our SSL Checker for an instant report on the certificate, the chain, and protocol support. If the report says the chain is incomplete, the intermediate was uploaded but not linked: repeat Step 3 above.

Frequently Asked Questions

Is Citrix Access Gateway 5.0 still supported?

No. Citrix Access Gateway 5.0 is end of life and no longer receives security or firmware updates from Citrix. Remote-access workloads have moved to NetScaler Gateway (briefly branded Citrix Gateway and now NetScaler Gateway again under Cloud Software Group). If you can replace the appliance, do so. The installation steps above are kept for administrators who still need to renew the certificate on a legacy appliance.

What is the difference between Citrix Access Gateway 5.0 and NetScaler Gateway?

Citrix Access Gateway 5.0 was the older standalone remote-access appliance, configured through the Access Gateway Management Console. NetScaler Gateway runs on the NetScaler platform and is configured through the NetScaler GUI under Traffic Management > SSL > Certificates. The certificate install flow is different. See our NetScaler SSL installation tutorial for the supported path.

Do I have to link the intermediate certificate on Citrix Access Gateway?

Yes. Uploading the intermediate as a Trusted (.pem) file only stores it on the appliance. You also have to attach it to the server certificate with Add to Chain, otherwise the appliance only sends the end-entity certificate during the TLS handshake and clients report an incomplete chain.

Why does my PEM upload fail or break the management console?

Two common causes. First, the file was saved from a rich-text editor (Word, WordPad), which inserts characters that invalidate the PEM. Open the certificate in Notepad or Notepad++ and save again as plain text. Second, the file contains more than one CERTIFICATE block in a place that expects only one: import a multi-certificate bundle as Trusted (.pem), not as a server certificate. See Citrix article CTX238556 for the management-console recovery procedure if a bad PEM has already locked you out.

Do I need to restart Citrix Access Gateway after installing a certificate?

Not always. Once you save the configuration after the upload + chain steps, the appliance starts serving the new certificate on its HTTPS address. If a connection still shows the old certificate, restart the Access Gateway services from the Management Console so it is reloaded. The reboot is usually quick, but plan a brief maintenance window.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.