How to Create a CSR and Key File for a SAN Certificate with Multiple Subject Alternate Names

Article ID: CTX227983

Description

This article describes how to create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names.


Instructions

To create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names, complete the following procedure:

  1. Create an OpenSSL configuration file (a plain text file) on the local computer, editing the fields to match your company's requirements.

    Note 1: In the example used in this article the configuration file is req.conf.

    Note 2: req_extensions will put the subject alternative names in a CSR, whereas x509_extensions would be used when creating an actual certificate file.

    		[req]
    		distinguished_name = req_distinguished_name
    		req_extensions = v3_req
    		prompt = no
    		[req_distinguished_name]
    		C = US
    		ST = VA
    		L = SomeCity
    		O = MyCompany
    		OU = MyDivision
    		CN = www.company.com
    		[v3_req]
    		keyUsage = keyEncipherment, dataEncipherment
    		extendedKeyUsage = serverAuth
    		subjectAltName = @alt_names
    		[alt_names]
    		DNS.1 = www.company.com
    		DNS.2 = company.com
    		DNS.3 = www.company.net
    		DNS.4 = company.net
    	

    Make sure there is no trailing whitespace at the end of any line.

  2. Upload the file to the /nsconfig/ssl directory on the NetScaler appliance.
  3. Log on to the NetScaler command line interface as nsroot, switch to the shell prompt, and navigate to the ssl directory:
     
    		shell
    		cd /nsconfig/ssl
    	
  4. Run the following command to create the Certificate Signing Request (CSR) and a new key file:
     
    		openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.key.temp -config req.conf
    	
  5. Run the following command to verify the Certificate Signing Request:
     
    		openssl req -text -noout -verify -in company_san.csr
    

    Output:

    		Certificate Request:
    		Data:
    		Version: 0 (0x0)
    		Subject: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com
    		Subject Public Key Info:
    		Public Key Algorithm: rsaEncryption
    		RSA Public Key: (2048 bit)
    		Modulus (2048 bit):
    		…
    		Exponent: 65537 (0x10001)
    		Attributes:
    		Requested Extensions:
    		X509v3 Key Usage:
    		Key Encipherment, Data Encipherment
    		X509v3 Extended Key Usage:
    		TLS Web Server Authentication
    		X509v3 Subject Alternative Name:
    		DNS:www.company.net, DNS:company.com, DNS:company.net
    		Signature Algorithm: sha256WithRSAEncryption
    	
  6. Run the following command to convert the key file into the correct format for use on NetScaler:
     
    		openssl rsa -in company_san.key.temp -out company_san.key
    	
  7. Run the following command to remove the temporary Key file:
     
    		rm company_san.key.temp
    	
  8. Download the Certificate Signing Request file company_san.csr and provide it to your certification authority of choice for signing.
  9. Upload the certificate provided by the certification authority into the /nsconfig/ssl directory on the NetScaler appliance and install the certificate using the company_san.key file created in Step 6.
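
A check to run before sending the CSR to the certification authority, added here as an example (it is not part of the original article or of Citrix tooling): it flags trailing whitespace in req.conf (Step 1) and lists any [alt_names] entry that is missing from the saved Step 5 output. The function names and the sample data inside `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Citrix's code: checks on req.conf and the Step 5 output.

# List config lines ending in whitespace (a stray CR from a Windows editor counts).
trailing_ws_lines() {
    grep -n '[[:space:]]$' "$1"
}

# Print the names under [alt_names] in the config, one per line.
config_sans() {
    awk -F= '
        /^[ \t]*\[/ { in_alt = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/); next }
        in_alt && $1 ~ /^[ \t]*DNS\.[0-9]+[ \t]*$/ { gsub(/[ \t\r]/, "", $2); print $2 }
    ' "$1"
}

# Print the DNS SANs from `openssl req -text -noout` output read on stdin.
csr_sans() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Print config SANs absent from the CSR text; no output means every name made it.
missing_sans() {    # $1 = req.conf, $2 = saved `openssl req -text` output
    csr_list=$(csr_sans < "$2")
    for name in $(config_sans "$1"); do
        printf '%s\n' "$csr_list" | grep -qixF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample data: one line with a trailing space, one SAN dropped.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[req]' 'req_extensions = v3_req ' '[alt_names]' \
        'DNS.1 = www.company.com' 'DNS.2 = company.com' > "$d/req.conf"
    printf '%s\n' 'X509v3 Subject Alternative Name:' \
        '    DNS:company.com' > "$d/csr.txt"
    echo "trailing whitespace: $(trailing_ws_lines "$d/req.conf")"
    echo "missing from CSR: $(missing_sans "$d/req.conf" "$d/csr.txt")"
    rm -rf "$d"
}
demo
```

On the appliance, save the Step 5 output with `openssl req -text -noout -in company_san.csr > csr.txt` and run `missing_sans req.conf csr.txt`; no output means every configured name is in the request.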
