Summary
This document explains how to generate and install a public certificate. The process requires sending the Certificate Signing Request (CSR) to a known Certificate Authority such as VeriSign or a vendor of your choice. The process varies for a private certificate, which is self-signed by the NetScaler device itself.
Step outline:
1. Create an RSA or DSA key.
2. Create a Certificate Signing Request (CSR) for each virtual server that is accessed publicly via a secure connection.
3. Send the CSR to a well-known Certificate Authority (CA).
4. Create a server certificate that uses the response from the CA.
It is important to use a naming convention that identifies what each file is, for example, www.domain.com.csr, www.domain.com.cert, domain.com.key, and so on.
Note: The information, processes, and screenshots are specific to the NetScaler build 6.x only.
Step 1
This step creates an RSA or DSA private key for the NetScaler. Use it if you do not already have a key. Make sure that access to the private key is limited. This key is required to load a valid certificate issued by the CA: the certificate that you receive from the CA is valid only with the private key that was used to create the Certificate Signing Request (CSR).
In the NetScaler Configuration Utility, navigate to SSL Certificate > Certificate Management. In the right pane click the Create RSA Key tab to create a private key.

Command
create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform
( DER | PEM )] [-des] [-des3] [-password <string>]
Typicals
• For most companies, rsakey will be used.
• <keyFile> is the file that is created when this process is used.
• <keyform> will be in PEM format.
• des/des3 will depend upon your company’s security policy.
Key Types:
• RSA - RSA is the public key encryption method used in PGP.
• DSA - Digital Signature Algorithm – used for government security as per FIPS.
Key Formats:
• PEM – Privacy Enhanced Mail – will support multiple certificates.
• DER - Distinguished Encoding Rules - typically capable of holding only one certificate.
Results
The command above produces a file <keyFile> that is saved in the /nsconfig/ssl directory.
This file, <keyFile>, is also used for such tasks as:
• create ssl certreq
• create ssl cert
• create ssl rsakey
• create ssl dsakey
• add ssl certkey
Step 2
This step creates a Certificate Signing Request. In the NetScaler Configuration Utility, navigate to SSL Certificate > Certificate Management. In the right pane click the Create Certificate Request tab to create the request.

Command
create ssl certreq <reqFile> [-keyFile <input_filename>]
[-fipsKeyName <string>] [-keyform ( DER | PEM )]
Note: This process involves interaction of the CLI to input information, such as Distinguished Name, Company, City, State, and so on.
Typicals
• <reqFile> is the file that is created when this process is used.
• keyFile is the key created with create ssl rsakey.
• fipsKeyName is the key that was created in the Hardware Security Modules.
• <keyform> will be in PEM format.
Results
This creates a file in /nsconfig/ssl/ with the name provided for <reqFile>. This file, <reqFile>, is also used for such a task as:
• create ssl cert…
At this point the <reqFile> should be sent to the Certificate Authority of your choice for signing. The signed certificate is typically returned by email or by another method stated by your Certificate Authority. The steps below install the signed certificate and private key pair onto the NetScaler device.
Step 3
This step creates a server certificate from the previous Certificate Signing Request. This process creates a certificate which you will name <certkeyName>.
In the NetScaler Configuration Utility, navigate to SSL Certificate > Certificate Management. In the right pane click the Create Certificate tab to create the certificate.

Command
create ssl cert <certFile> <reqFile> <certType>
        [-keyFile <input_filename>] [-keyform ( DER | PEM )]
        [-days <positive_integer>] [-certForm ( DER | PEM )]
        [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )]
        [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )]
        [-CAserial <output_filename>]
Typicals
• <certFile> the name of the certificate that best describes this certificate.
• <reqFile> - the name of the signed certificate that was received from the CA. This file should reside in the /nsconfig/ssl directory. You need to use file transfer practices to get the certificate to this location.
• <certType> - type of certificate to generate, for example, ROOT_CERT, SRVR_CERT, INTM_CERT, CLNT_CERT.
• keyFile – the key file created in Step 1.
• keyform – format used in Step 1.
• days - which was created in the Hardware Security Modules.
• CAcert – the CA root certificate that is used to sign the certificate.
• CAcertForm – format used when creating the CA Root.
• CAkey - the key file created in Step 1.
• CAkeyform – format used in Step 1.
• CAserial – the serial number file.
Results
This creates a file in /nsconfig/ssl/ with the name provided for <certFile>. This places a complete signed certificate on the system for installation.
Step 4
This step creates the certificate and key pair object. This step is required before binding a server certificate to a virtual server.
In the NetScaler Configuration Utility, navigate to SSL Certificate > Certificates. In the right pane click the Add Certificate tab to create a server certificate/key pair.

Command
add ssl certkey <certkeyName> -cert <string> [(-key <string>[-password]) | -fipsKey <string>] [-inform
( DER | PEM )]
Typicals
• <certkeyName> the name of the certificate that best describes this certificate.
• cert - the name of the cert that was sent from the CA. This file should reside in the /nsconfig/ssl directory. You need to use file transfer practices to get the certificate to this location.
• fipsKey is the key that was created in the Hardware Security Modules.
• inform will be in PEM format.
Results
This creates a file in /nsconfig/ssl/ with the name provided for <certkeyName>. This places a complete signed certificate and key pair on the NetScaler for use.
This file, <certkeyName>, is also used for such tasks as:
• bind ssl certkey
• link ssl certkey
• rm ssl certkey
• show ssl certkey
• unbind ssl certkey
• unlink ssl certkey
• update ssl certkey
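Because the CA-issued certificate is valid only with the private key used to create the CSR, and that key should have limited access, both points can be checked before running add ssl certkey. The following script is an added example, not part of the original article: it assumes a host with the openssl command-line tool, uses constructed file names that follow the naming convention above, and uses a self-signed certificate as a stand-in for the CA's response so that it runs offline.

```shell
# Added example: verify key/CSR/certificate consistency before add ssl certkey.

# pubkey_fp KIND FILE: print SHA-256 of the public key in a PEM key, CSR or cert.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable or malformed file must fail, not hash as empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_keypair KEY CSR CERT: succeed only if all three carry one public key.
same_keypair() {
    k=$(pubkey_fp key "$1")  || return 1
    r=$(pubkey_fp csr "$2")  || return 1
    c=$(pubkey_fp cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# key_is_private FILE: succeed only if group and others have no access bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_samples DIR: build constructed sample files so the example runs offline.
make_samples() {
    openssl genrsa -out "$1/domain.com.key" 2048 2>/dev/null
    chmod 600 "$1/domain.com.key"
    openssl req -new -key "$1/domain.com.key" -subj "/CN=www.domain.com" \
        -out "$1/www.domain.com.csr" 2>/dev/null
    # Self-signed stand-in for the CA's response (constructed, not a real CA reply).
    openssl x509 -req -in "$1/www.domain.com.csr" -signkey "$1/domain.com.key" \
        -days 30 -out "$1/www.domain.com.cert" 2>/dev/null
    # Unrelated key, to show what a mismatch looks like.
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d)
make_samples "$demo"
same_keypair "$demo/domain.com.key" "$demo/www.domain.com.csr" \
    "$demo/www.domain.com.cert" && echo "match: key, CSR and certificate agree"
same_keypair "$demo/other.key" "$demo/www.domain.com.csr" \
    "$demo/www.domain.com.cert" || echo "mismatch: wrong key for this certificate"
key_is_private "$demo/domain.com.key" && echo "key permissions ok"
rm -rf "$demo"
```

A key created with -des or -des3 is passphrase-protected, so openssl pkey needs the passphrase (for example through its -passin option) before the comparison can run.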
More Information
Consult the NetScaler Administration guide for further information.