Citrix Blogs

How to Create a CSR for a SAN Certificate Using OpenSSL on a NetScaler Appliance

This article describes how to create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names.

My solution is based on CTX135602 but was validated on NetScaler 10.5.

Here’s how you do it:

1. Create an OpenSSL configuration file on your local computer, editing the fields to match your company's requirements.
Note: In the example used in this article the configuration file is named "req.conf".
Note 2: "req_extensions" places the subject alternative names in the CSR, whereas "x509_extensions" is used when creating an actual certificate file.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net

2. Upload the file to the /nsconfig/ssl directory on the NetScaler appliance.

3. Log on to the NetScaler command line interface as nsroot and switch to the shell prompt.

Run the following commands to create the Certificate Signing Request and a new key file (the -config argument names the file uploaded in step 2):
cd /nsconfig/ssl
openssl req -new -out company.com.csr -newkey rsa:2048 -nodes -sha256 -keyout company.com.key.temp -config req.conf

Run the following command to verify the Certificate Signing Request:

openssl req -text -noout -verify -in company.com.csr

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.company.net, DNS:company.com, DNS:company.net
    Signature Algorithm: sha256WithRSAEncryption


Run these commands to convert the key file into the format NetScaler expects, then delete the temporary key:

openssl rsa -in company.com.key.temp -out company.com.key

rm company.com.key.temp

4. Download the Certificate Signing Request file “company.com.csr” and provide it to your certification authority of choice for signing.

5. Upload the certificate provided by the certification authority into the /nsconfig/ssl directory on the NetScaler appliance and install the certificate using the previously created “company.com.key” file.
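The following script is an added example, not part of the original article: it runs the same CSR step against the article's req.conf in a scratch directory and then checks that every DNS entry under [alt_names] is actually present in the CSR's Subject Alternative Name extension, which is the quickest way to catch a name that was mistyped or dropped before the request reaches the CA. The $WORK scratch path and the key/CSR file names are assumptions; the article's openssl rsa conversion and rm steps are left out here.

```shell
# Added example, not from the original post: generate the key and CSR from the
# article's req.conf, then check that every [alt_names] DNS entry actually
# landed in the CSR's SAN extension. Paths under $WORK are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cat > "$WORK/req.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
EOF
# Same CSR command as the article, run against the config in $WORK.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.conf" \
    -keyout "$WORK/company.com.key.temp" -out "$WORK/company.com.csr" 2>/dev/null
}
# DNS names the CSR actually carries, one per line (POSIX sed, no grep -A).
csr_sans() {
  openssl req -noout -text -in "$WORK/company.com.csr" \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
# Returns 0 only if every [alt_names] entry is present in the CSR.
check_sans() {
  missing=0
  for name in $(sed -n 's/^DNS\.[0-9]* *= *//p' "$WORK/req.conf"); do
    if csr_sans | grep -qx "$name"; then echo "present: $name"
    else echo "MISSING: $name"; missing=1; fi
  done
  return $missing
}

make_csr && check_sans
```

On OpenSSL 3.x, openssl rsa writes a PKCS#8 "BEGIN PRIVATE KEY" file unless -traditional is given, so check the header of company.com.key after the conversion step if the appliance rejects it.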

Please post below if you have any problems.
