How to Generate SHA2 CSR on NetScaler Using OpenSSL

Article ID: CTX202383

Description

This article describes how to generate a SHA2 Certificate Signing Request (CSR) on NetScaler using OpenSSL.

Background

Currently, the NetScaler GUI has no option to create a SHA2 CSR. However, you can use OpenSSL commands on NetScaler to create one.


Instructions

Complete the following steps to generate a SHA2 CSR on NetScaler using OpenSSL:

  1. Create a custom configuration file named openssl.cnf. The file can have the following entries. Modify the entries according to your requirements. You can create this file on NetScaler using the vi editor or any other editor.

    [req]
    default_bits       = 2048
    prompt             = no
    encrypt_key        = no
    default_md         = sha256
    distinguished_name = dn 
    [dn]
    CN           = test.example.com
    OU           = Test Certificate
    O            = Test Company
    L            = Test City
    ST           = California
    C            = US
    emailAddress = test@example.com
  2. Upload the openssl.cnf file to the /nsconfig/ssl directory.

  3. Log on to NetScaler using PuTTY.

  4. Browse to the /nsconfig/ssl directory and execute the following command to create a Key and CSR:
    root@ns# openssl req -out test.csr -config openssl.cnf -new -newkey rsa:2048 -nodes -keyout test.key

    Generating a 2048 bit RSA private key
    ......................................+++
    ...............................................+++
    writing new private key to 'test.key'
    -----
  5. Use the following command to verify if the CSR created is SHA2:
    root@ns# openssl req -text -noout -in test.csr | grep 'Signature Algorithm'

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=link.rc.test.com, OU=TEST, O=DSI, L=Clichy, ST=Haut de Seine, C=Fr/emailAddress=bruce.wayne@test.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:b9:2b:66:9a:fe:55:8e:da:ac:85:c6:67:94:6d:
                        88:34:6b:92:00:6b:0f:02:bc:40:20:9d:be:db:b1:
                        04:3b:b1:2e:79:6e:60:f6:9e:2d:c1:49:09:3b:6e:
                        9c:4e:f9:7f:17:ea:ed:99:b6:1b:15:44:ea:8b:e4:
                        f1:87:32:8a:73:10:c1:6b:d7:c8:7f:1a:a6:83:ef:
                        1f:a8:38:82:0e:b2:f1:09:69:af:ee:e4:eb:ac:7f:
                        cc:75:09:95:21:79:fe:0c:e3:e0:3e:c0:86:ee:fc:
                        f3:c4:e2:1f:e2:ed:12:ee:94:b1:aa:d3:22:fb:70:
                        bb:aa:55:84:50:28:82:2a:7f:e2:34:a7:9b:65:0c:
                        72:5e:41:42:b5:60:2b:63:67:82:aa:ae:79:c5:a0:
                        bc:72:3e:14:18:37:ef:5e:69:fd:b8:53:d2:19:fa:
                        f0:c6:bf:3a:b1:24:45:c9:e4:9c:58:f9:5c:3c:44:
                        c0:c2:3e:b7:a3:ec:d2:a2:bc:a6:ae:b6:18:e7:fe:
                        33:67:06:c6:c9:5b:98:2c:87:45:ee:a6:ee:f5:6e:
                        25:6f:75:ba:bd:58:60:4c:b7:ae:c6:ed:03:3c:f6:
                        37:bc:2b:02:b4:9a:9e:02:d2:62:db:b2:b0:b1:df:
                        a7:16:ae:df:19:fa:27:b9:47:ec:56:fa:81:84:ae:
                        fa:81
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
            21:fd:2c:88:37:4d:5b:a2:bc:e0:90:dd:01:06:bc:30:54:91:
            6e:cd:49:04:e3:d6:49:3c:85:d6:7d:15:bd:e7:a4:81:28:8d:
            47:5f:df:12:7c:50:3e:b8:7d:6f:7e:3b:7f:bc:4a:a9:64:26:
            af:68:23:fa:84:81:cb:df:ec:fe:cb:32:d4:db:52:38:77:bd:
            ec:9d:59:d9:d0:f2:c4:4e:f5:9f:0b:b7:78:79:d9:00:11:1c:
            49:36:c3:7e:92:c4:5c:e1:c1:d6:85:0c:44:55:68:0b:54:ea:
            de:bb:a1:b9:25:b8:de:5a:06:55:6e:86:eb:86:c2:67:c2:47:
            a2:5e:7d:6c:20:30:5a:8a:08:12:88:41:f6:54:48:ec:fa:6f:
            55:c6:2f:cf:31:68:b5:5f:6a:a0:30:f3:c3:62:db:78:4a:53:
            a4:2a:67:9e:5a:6b:2c:a7:8a:05:36:6e:da:61:f8:93:c3:a0:
            98:9c:4c:33:b6:a1:8d:85:6e:bb:08:ad:7f:56:69:ba:86:87:
            c2:8d:3c:85:aa:4f:d0:74:8f:6d:9f:e4:06:d0:7b:16:df:2c:
            2e:18:9b:7f:f5:6c:4f:1e:e3:00:f8:49:8d:b4:5e:4b:cd:8b:
            3b:6a:e6:a6:fa:e6:71:00:b9:ed:ed:9b:ef:91:e3:ab:a1:24:
            2d:2a:41:bc

The preceding steps generate the CSR by creating a new key. However, if you want to use an existing key, use the following command:

    root@ns# openssl req -out csr.csr -key /nsconfig/ssl/existing_key.key -new -sha256 -config /etc/nsssl.conf
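
The steps above and the existing-key variant, combined into one script as an added example (not part of the original article). The function names, file names and sample subject are hypothetical, and it assumes an openssl binary on the PATH. Besides the signature algorithm, it checks that the CSR's self-signature verifies and that its public key matches the private key.

```shell
# Added example (not from the original article): generate SHA-256 CSRs and
# check them. Subject, file names and function names are constructed.
write_cnf() {   # usage: write_cnf FILE (same keys as openssl.cnf in step 1)
    cat > "$1" <<'EOF'
[req]
default_bits       = 2048
prompt             = no
encrypt_key        = no
default_md         = sha256
distinguished_name = dn
[dn]
CN = test.example.com
O  = Test Company
C  = US
EOF
}

new_key_and_csr() {   # usage: new_key_and_csr CNF KEY CSR
    # The key is written unencrypted, so create it under a restrictive umask.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$1" \
          -keyout "$2" -out "$3" 2>/dev/null )
}

csr_from_key() {   # usage: csr_from_key CNF EXISTING_KEY CSR
    openssl req -new -sha256 -config "$1" -key "$2" -out "$3" 2>/dev/null
}

csr_sigalg() {   # prints the algorithm name, e.g. sha256WithRSAEncryption
    openssl req -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

check_csr() {   # usage: check_csr CSR KEY
    # Pass only if the self-signature verifies, the digest is SHA-256, and
    # the public key in the request belongs to the given private key.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(csr_sigalg "$1")" = "sha256WithRSAEncryption" ] || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

demo() {   # runs both paths in a throwaway directory
    d=$(mktemp -d) && write_cnf "$d/openssl.cnf" &&
    new_key_and_csr "$d/openssl.cnf" "$d/test.key" "$d/test.csr" &&
    csr_from_key "$d/openssl.cnf" "$d/test.key" "$d/csr.csr" &&
    check_csr "$d/test.csr" "$d/test.key" && check_csr "$d/csr.csr" "$d/test.key"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "both CSRs are SHA-256 signed and match the key"
```

check_csr returns non-zero when the CSR is paired with the wrong key file, which catches a mismatch before the CA-issued certificate is installed.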

Additional Information

Alternatively, you can run the following command from the shell to generate a SHA2 CSR:

    root@ns# openssl req -config /etc/nsssl.conf -newkey rsa:2048 -sha256 -nodes -out test.csr -outform PEM

The "nsssl.conf" file is a NetScaler OpenSSL configuration file.

Run the following command to confirm the SHA algorithm used:

    root@ns# openssl req -text -noout -verify -in test.csr