How to Create a Key and CSR for SHA-256 SAN Certificate Using NetScaler


Article ID: CTX208389


Description

This article describes how to create a key and CSR for SHA-256 SAN certificate using NetScaler CLI.


Instructions

Complete the following steps to create a key and CSR for SHA-256 SAN certificate using NetScaler CLI:

  1. Create an RSA key on NetScaler with a key size of 2048 bits.
  2. Copy the following req.conf file and edit it before uploading it to NetScaler. In the highlighted fields, define the key size and the name of the key created earlier, and list the domain names under the "alt_names" section:
    [ req ]
    default_bits        = 2048
    default_keyfile     = privkey.pem
    distinguished_name  = req_distinguished_name
    req_extensions     = req_ext # The extensions to add to the certificate request
     
    [ req_distinguished_name ]
    countryName           = Country Name (2 letter code)
    countryName_default   = US
    stateOrProvinceName   = State or Province Name (full name)
    stateOrProvinceName_default = Illinois
    localityName          = Locality Name (eg, city)
    localityName_default  = Chicago
    organizationName          = Organization Name (eg, company)
    organizationName_default  = Example, Co.
    commonName            = Common Name (eg, YOUR name)
    commonName_max        = 64
     
    [ req_ext ]
    subjectAltName          = @alt_names
    
    [alt_names]
    DNS.1   = test.domain.com
    DNS.2   = other.domain.com
    DNS.3   = www.domain.net
  3. Create a directory under /nsconfig/ssl/<Directory Name> and then upload the req.conf file to this location.
  4.  Navigate to the directory created and run the openssl command to create the CSR. 
    root@ns# cd /nsconfig/ssl/<Name of the Directory>
    root@ns# ls
    req.conf

    The following is an example showing how to generate a SAN CSR using openssl:

    root@ns# openssl req -new -nodes -out mysan.csr -config req.conf
    Generating a 2048 bit RSA private key
    ...................................................................................+++
    ......................................................................................................................+++
    writing new private key to 'new-san.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:IN
    State or Province Name (full name) [Illinois]:KARNATAKA
    Locality Name (eg, city) [Chicago]:BANGALORE
    Organization Name (eg, company) [Example, Co.]:CITRIX
    Common Name (eg, YOUR name) []:*san.com
    root@ns# ls
    mysan.csr       new-san.pem      req.conf 

    To verify the CSR, visit http://www.sslshopper.com/csr-decoder.html

  5. After you receive the certificate, install it using either the CLI or the GUI.
  6. The following CTX article explains how to install the certificate using the CLI or GUI: https://support.citrix.com/article/CTX114146
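
The CSR check in step 4 can also be done locally with openssl before the request goes to the CA. The script below is an added example, not part of the Citrix article: it confirms the self-signature, the SHA-256 signature algorithm, and the presence of each expected SAN entry. The helper names, the non-interactive config (prompt = no) and the explicit -sha256 flag are assumptions; the digest is passed explicitly so the result does not depend on the OpenSSL build's default.

```shell
# Added example, not from the article: check a SAN CSR locally with openssl.
# check_csr CSR_FILE DNS_NAME...  (helper name is hypothetical)
# 0 = OK, 1 = unreadable or bad self-signature, 2 = not SHA-256, 3 = SAN missing
check_csr() {
    csr=$1; shift
    # Match the "verify OK" message rather than rely on the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 2
    # The SAN list is printed on the line after its header: "DNS:a, DNS:b".
    sans=$(printf '%s\n' "$text" |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }')
    for name in "$@"; do
        case ",$sans," in
            *",DNS:$name,"*) ;;   # exact entry, not a substring
            *) return 3 ;;
        esac
    done
}
# Constructed sample input: throwaway key and CSR from a non-interactive variant
# of req.conf (prompt = no and the [ dn ] values are assumptions).
make_demo_csr() {
    dir=$1
    cat > "$dir/req.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = req_ext
[ dn ]
C  = US
O  = Example Co
CN = test.domain.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = test.domain.com
DNS.2 = other.domain.com
DNS.3 = www.domain.net
EOF
    openssl req -new -nodes -sha256 -config "$dir/req.conf" \
        -keyout "$dir/demo.key" -out "$dir/demo.csr" 2>/dev/null
}
tmp=$(mktemp -d)
make_demo_csr "$tmp" &&
    check_csr "$tmp/demo.csr" test.domain.com other.domain.com www.domain.net &&
    echo "CSR OK: SHA-256 signature and all expected SANs present"
rm -rf "$tmp"
```

For the request generated in step 4, run check_csr mysan.csr followed by the names listed under [alt_names].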


