This article describes how to create a self-signed SAN certificate with multiple subject alternate names.

To create a self-signed SAN certificate with multiple subject alternate names, complete the following procedure:

1. Create an OpenSSL configuration file on the local computer by editing the fields to the company requirements.
   Note: In the example used in this article the configuration file is "req.conf".

   [req]
   distinguished_name = req_distinguished_name
   x509_extensions = v3_req
   prompt = no
   [req_distinguished_name]
   C = US
   ST = VA
   L = SomeCity
   O = MyCompany
   OU = MyDivision
   CN = www.company.com
   [v3_req]
   keyUsage = keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth
   subjectAltName = @alt_names
   [alt_names]
   DNS.1 = www.company.net
   DNS.2 = company.com
   DNS.3 = company.net

2. Upload the file to the /nsconfig/ssl directory on the NetScaler appliance.

3. Log on to NetScaler command line interface as nsroot and switch to the shell prompt.

4. Run the following command to create the certificate:

   cd /nsconfig/ssl
   openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout cert.pem -out cert.pem -config req.conf -extensions 'v3_req'
   

5. Run the following command to verify the certificate:

   openssl x509 -in cert.pem -noout –text
   Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number:
   ed:90:c5:f0:61:78:25:ab
   Signature Algorithm: md5WithRSAEncryption
   Issuer: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com
   Validity
   Not Before: Nov 6 22:21:38 2012 GMT
   Not After : Nov 6 22:21:38 2014 GMT
   Subject: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (2048 bit)
   Modulus (2048 bit):
   …
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Key Usage:
   Key Encipherment, Data Encipherment
   X509v3 Extended Key Usage:
   TLS Web Server Authentication
   X509v3 Subject Alternative Name:
   DNS:www.company.net, DNS:company.com, DNS:company.net
   Signature Algorithm: md5WithRSAEncryption …

You can associate this certificate to an SSL or Access Gateway Enterprise Edition virtual server and also import the certificate to the clients as a Trusted Root certificate. Below is the self signed certificate showing SAN names:

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.