This guide describes the process of generating and installing a complete SSL certificate chain for the Citrix X12 LOM web interface on MPX/SDX 9100 and MPX/SDX 16000.
In this sample guide the new certificate is created with the following chain hierarchy: Root CA (CA2) → Intermediate CA (IntCA2) → Signing CA → LOM Certificate.
The LOM accepts PEM-formatted certificates.
Root CA (CA2)
- Purpose: Creates the root certificate authority that serves as the trust anchor
- Key Details:
  - 4096-bit RSA key
  - 10-year validity period
  - Self-signed certificate
- Run CLI:
    openssl genrsa -out ca2.key 4096
    openssl req -new -x509 -days 3650 -key ca2.key -out ca2.crt -sha256 \
        -subj "/C=US/ST=CA/L=Santa-Clara/O=Citrix/OU=Engineering/CN=Root-CA2"
- Files Generated:
  - ca2.key: Root CA private key
  - ca2.crt: Root CA certificate
Intermediate CA (IntCA2)
- Purpose: Creates an intermediate certificate authority signed by the root CA
- Key Details:
  - 4096-bit RSA key
  - 5-year validity period
  - Signed by Root CA
  - Path length constraint of 1 (can only sign one level of CA below it)
- Run CLI (in bash; the -extfile argument uses process substitution):
    openssl genrsa -out intca2.key 4096
    openssl req -new -key intca2.key -out intca2.csr -sha256 \
        -subj "/C=US/ST=CA/L=Santa-Clara/O=Citrix/OU=Engineering/CN=Intermediate-CA2"
    openssl x509 -req -days 1825 -in intca2.csr -CA ca2.crt -CAkey ca2.key \
        -CAcreateserial -out intca2.crt -sha256 -extensions v3_ca \
        -extfile <(echo -e "[v3_ca]\nbasicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign")
- Files Generated:
  - intca2.key: Intermediate CA private key
  - intca2.crt: Intermediate CA certificate
  - intca2.csr: Certificate signing request
Signing CA
- Purpose: Creates the signing authority specifically for LOM certificates
- Key Details:
  - 4096-bit RSA key
  - 2-year validity period
  - Signed by Intermediate CA
  - Path length constraint of 0 (cannot sign other CAs)
- Run CLI (bash):
    openssl genrsa -out signing_ca.key 4096
    openssl req -new -key signing_ca.key -out signing_ca.csr -sha256 \
        -subj "/C=US/ST=CA/L=Santa-Clara/O=Citrix/OU=Engineering/CN=Signing-CA"
    openssl x509 -req -days 730 -in signing_ca.csr -CA intca2.crt -CAkey intca2.key \
        -CAcreateserial -out signing_ca.crt -sha256 -extensions v3_ca \
        -extfile <(echo -e "[v3_ca]\nbasicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")
- Files Generated:
  - signing_ca.key: Signing CA private key
  - signing_ca.crt: Signing CA certificate
  - signing_ca.csr: Certificate signing request
LOM Certificate
- Purpose: Creates the end-entity certificate for the LOM web interface
- Key Details:
  - 2048-bit RSA key
  - 1-year validity period
  - Signed by Signing CA
  - Includes serverAuth extended key usage
- Run CLI (bash):
    openssl genrsa -out lom.key 2048
    openssl req -new -key lom.key -out lom.csr -sha256 \
        -subj "/C=US/ST=CA/L=Santa-Clara/O=Citrix/OU=Engineering/CN=lom.example.com"
    openssl x509 -req -days 365 -in lom.csr -CA signing_ca.crt -CAkey signing_ca.key \
        -CAcreateserial -out lom.crt -sha256 -extensions v3_req \
        -extfile <(echo -e "[v3_req]\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth")
    cat lom.crt signing_ca.crt intca2.crt ca2.crt > lom_chain.pem
    cat lom.crt lom.key > lom_cert_key.pem
- Files Generated:
  - lom.key: LOM private key
  - lom.crt: LOM certificate
  - lom.csr: Certificate signing request
  - lom_chain.pem: Complete certificate chain (leaf first, root last)
  - lom_cert_key.pem: Combined certificate and private key
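Before uploading, it is worth checking that the generated files fit together, because a chain in the wrong order or a private key that does not belong to the certificate is the usual reason an appliance rejects an upload. The following POSIX shell script is an added example, not part of the original guide or of any Citrix tooling. It assumes the guide's file names (ca2.crt, intca2.crt, signing_ca.crt, lom.crt, lom.key, lom_chain.pem) and relies on openssl for all parsing; build_demo_chain constructs a throwaway chain with the same hierarchy (2048-bit keys, to keep it fast) so the checks can be exercised without the real keys.

```shell
#!/bin/sh
# Added pre-upload checks for the chain built above; not part of the original
# guide. File names mirror the guide's (ca2.crt, intca2.crt, signing_ca.crt,
# lom.crt, lom.key, lom_chain.pem); build_demo_chain constructs a throwaway
# chain with the same hierarchy so the checks can run without the real keys.

# Split a PEM bundle ($1) into $2/cert01.pem, $2/cert02.pem, ... in file
# order and print how many certificates it contained.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# Each certificate in the bundle must be issued by the one that follows it:
# leaf first, root last, which is the order the LOM upload expects.
check_chain_order() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$tmp")
    status=0
    [ "$count" -ge 2 ] 2>/dev/null || status=1
    i=1
    while [ "$i" -lt "$count" ] 2>/dev/null; do
        cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        nxt=$(printf '%s/cert%02d.pem' "$tmp" $((i + 1)))
        issuer=$(openssl x509 -noout -issuer -in "$cur")
        subject=$(openssl x509 -noout -subject -in "$nxt")
        # Drop the "issuer=" / "subject=" labels, then compare the names.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$status"
}

# The private key must carry the same public key as the certificate.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The leaf must be an end-entity certificate carrying the serverAuth EKU.
check_leaf_usage() {
    text=$(openssl x509 -noout -text -in "$1")
    case "$text" in *"CA:FALSE"*) ;; *) echo "leaf is not CA:FALSE" >&2; return 1 ;; esac
    case "$text" in *"TLS Web Server Authentication"*) return 0 ;;
        *) echo "leaf lacks extendedKeyUsage=serverAuth" >&2; return 1 ;; esac
}

# Full path validation as a client trusting the root would perform it.
# $1=root CA, $2=file holding the intermediates, $3=leaf certificate.
verify_path() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# Run every check on a directory laid out like the guide's output.
check_lom_bundle() {
    inter=$(mktemp) || return 1
    cat "$1/signing_ca.crt" "$1/intca2.crt" > "$inter"
    check_chain_order "$1/lom_chain.pem" &&
        check_key_matches_cert "$1/lom.crt" "$1/lom.key" &&
        check_leaf_usage "$1/lom.crt" &&
        verify_path "$1/ca2.crt" "$inter" "$1/lom.crt"
    rc=$?
    rm -f "$inter"
    return "$rc"
}

# Issue "$1/$2.crt" for CN=$3 signed by "$1/$4.crt", with section $6 of the
# extension file "$1/$5", valid for $7 days. 2048-bit keys keep the demo fast.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -sha256 -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -days "$7" -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -CAcreateserial -out "$1/$2.crt" -sha256 -extensions "$6" -extfile "$1/$5" 2>/dev/null
}

# Build a constructed demo chain in $1 with the guide's hierarchy:
# Root-CA2 -> Intermediate-CA2 -> Signing-CA -> lom.example.com.
build_demo_chain() {
    d="$1"
    printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
    printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
    printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/sign.ext"
    printf '[v3_req]\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    openssl genrsa -out "$d/ca2.key" 2048 2>/dev/null
    openssl req -new -key "$d/ca2.key" -out "$d/ca2.csr" -sha256 -subj "/CN=Root-CA2" 2>/dev/null
    openssl x509 -req -days 3650 -in "$d/ca2.csr" -signkey "$d/ca2.key" -out "$d/ca2.crt" \
        -sha256 -extensions v3_ca -extfile "$d/root.ext" 2>/dev/null
    issue_cert "$d" intca2 Intermediate-CA2 ca2 int.ext v3_ca 1825
    issue_cert "$d" signing_ca Signing-CA intca2 sign.ext v3_ca 730
    issue_cert "$d" lom lom.example.com signing_ca leaf.ext v3_req 365
    cat "$d/lom.crt" "$d/signing_ca.crt" "$d/intca2.crt" "$d/ca2.crt" > "$d/lom_chain.pem"
    cat "$d/lom.crt" "$d/lom.key" > "$d/lom_cert_key.pem"
}

# Stand-alone use: "sh check_lom_chain.sh --demo" builds and checks the demo
# chain; "sh check_lom_chain.sh <dir>" checks a directory of real files.
case "${1:-}" in
    --demo) demo=$(mktemp -d); build_demo_chain "$demo"
            check_lom_bundle "$demo" && echo "all checks passed"; rm -rf "$demo" ;;
    "") ;;
    *) check_lom_bundle "$1" && echo "all checks passed" ;;
esac
```

Run it against the directory where the guide's commands were executed; each failed check names the problem on stderr. One caveat the checks do not cover: the guide's leaf CSR sets only a CN, and current browsers match the host name against subjectAltName rather than the CN, so if the LOM certificate must also validate cleanly in a browser, add a subjectAltName=DNS:lom.example.com line to the leaf's v3_req section when signing.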
Converting an Existing Certificate to PEM
If you already have a certificate and want to convert it to PEM format, use the commands below.
Convert a DER file (.crt .cer .der) to PEM:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a DER key file to PEM:
    openssl rsa -inform DER -in mykey.key -out mykey.pem
Check a private key:
    openssl rsa -in privateKey.key -check
Check a certificate:
    openssl x509 -in certificate.crt -text -noout
Preparing Certificate Files
a. Locate the generated certificate chain file (lom_chain.pem)
b. Locate the combined certificate and key file (lom_cert_key.pem)
Uploading to X12 LOM Web Interface
a. Log in to X12 LOM web interface (LOM ver. 3.11.0)
b. Navigate to Configuration > Network > SSL Certificates
c. Ensure system lockdown is "unlocked" from the host environment before uploading 'lom_chain.pem' as the certificate chain under "New SSL Certificate"
d. Upload 'lom_cert_key.pem' as the private key file under "New Private Key"
e. Click "Upload" button to apply the new certificates
f. Wait for the LOM web interface to restart.
g. After the new SSL certificate and private key have been uploaded successfully, system (LOM firmware) lockdown is turned back on by default.
Here is an example screenshot of LOM version 3.11.0 with the new LOM certificate chain and private key applied. Users will notice that the certificate validity period ("Valid from" / "Valid until") has been updated to reflect the new certificate.
Users can verify the complete certificate chain via the LOM web interface.
Troubleshooting
If any issues are observed and the certificate does not get installed, perform the steps below and test again.
Before applying the new Root CA2 certificate chain again, reset the SSL configuration to factory defaults using the command below from the host shell prompt:
    $ ipmitool raw 0x30 0x68 0x00 0x00
Wait for 2 minutes, then unlock the system lockdown:
    $ ipmicfg133.bsd -lockdown off
After that, upload the new certificate and private key again via the LOM GUI.
NetScaler LOM certificate update procedure for MPX/SDX 9100 and MPX/SDX 16000