How to Create a Test Wildcard Certificate on Citrix ADC

Article ID: CTX219297

Description

This article describes how to create a test wildcard certificate on Citrix ADC.

Background

We often need to issue new or test certificates to validate or replicate a configuration. The normal certificate creation process can be time-consuming and may require the engagement of other departments. To bypass that process and quickly obtain a new certificate, you can perform the certificate creation directly on the Citrix ADC.

Instructions

The following commands will create a root CA and a server certificate:

Create a Root CA certificate

#Create a new private key
create ssl rsakey Sample01-root.key 2048 -exponent F4 -keyform PEM
#Create the CSR
create ssl certReq Sample01-root.csr -keyFile Sample01-root.key -keyform PEM -countryName US -stateName Florida -organizationName IT -commonName NS_ROOT_CA -digestMethod SHA256
#Create the new certificate
create ssl cert Sample01-root.cer Sample01-root.csr ROOT_CERT -keyFile Sample01-root.key -keyform PEM -days 3650 -certForm PEM -CAcertForm PEM -CAkeyForm PEM
#Install the new root certificate
add ssl certKey Sample01-root -cert Sample01-root.cer -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

Create a Wildcard Server certificate for *.company.lab

#Create a new private key
create ssl rsakey Sample01.key 2048 -exponent F4 -keyform PEM
#Check the new private key
#shell openssl rsa -check -in /nsconfig/ssl/Sample01.key
#Create the CSR
create ssl certReq Sample01.csr -keyFile Sample01.key -keyform PEM -commonName "*.company.lab" -countryName US -stateName Florida -organizationName IT -digestMethod SHA256 -subjectAltName "DNS:*.company.lab DNS:company.lab IP:10.11.12.13"
#Check the new CSR
#shell openssl req -text -noout -verify -in /nsconfig/ssl/Sample01.csr
#Create the new certificate
create ssl cert Sample01.cer Sample01.csr SRVR_CERT -keyform PEM -days 3650 -certForm PEM -CAcert Sample01-root.cer -CAcertForm PEM -CAkey Sample01-root.key -CAkeyForm PEM -CAserial CASerial -subjectAltName "DNS:*.company.lab DNS:company.lab IP:10.11.12.13"
#Check the new cert
#shell openssl x509 -text -noout -in /nsconfig/ssl/Sample01.cer
#Install the new wildcard certificate
add ssl certKey Sample01 -cert Sample01.cer -key Sample01.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

Link the certificates

link ssl certKey Sample01 Sample01-root
At this point you have a Root CA certificate and a server certificate, both valid for 10 years (3650 days). The server certificate is a wildcard for *.company.lab that you can use on the Citrix ADC or elsewhere.

Convert certificate to PFX format

If you need to convert the certificate to PFX format, for example to use it in StoreFront, run the following commands (the two cat lines concatenate the server certificate and the root certificate into one temporary file so that both end up in the PFX bundle):
shell cat /nsconfig/ssl/Sample01.cer > /nsconfig/ssl/Sample01.tmp
shell cat /nsconfig/ssl/Sample01-root.cer >> /nsconfig/ssl/Sample01.tmp
convert pkcs12 /nsconfig/ssl/Sample01.pfx -password citrix123 -export -certFile /nsconfig/ssl/Sample01.tmp -keyFile /nsconfig/ssl/Sample01.key
shell rm /nsconfig/ssl/Sample01.tmp
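The following script is an added example and is not part of the Citrix article. It reproduces the same chain (root CA, wildcard server certificate with the same SAN list, PFX bundle in the same leaf-then-root order) with plain openssl on a workstation, and then performs the checks that the article's commented "shell openssl ..." lines only print for eyeballing: chain validation against the root, hostname and IP matching against the wildcard SAN, and the number of certificates inside the PFX. WORK is a hypothetical scratch directory standing in for /nsconfig/ssl; the password is the article's sample value.

```shell
#!/bin/sh
# Added example (not the article's own commands): build and verify the same
# certificate chain with openssl. WORK is a hypothetical scratch directory
# that stands in for /nsconfig/ssl on the ADC.
WORK="${WORK:-$(mktemp -d)}"
SAN="DNS:*.company.lab,DNS:company.lab,IP:10.11.12.13"

# Root CA and wildcard server certificate, mirroring the article's two steps.
make_chain() {
    # Self-signed root, equivalent of "create ssl cert ... ROOT_CERT".
    # "req -x509" adds basicConstraints CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/Sample01-root.key" -out "$WORK/Sample01-root.cer" \
        -subj "/C=US/ST=Florida/O=IT/CN=NS_ROOT_CA" >/dev/null 2>&1 || return 1
    # Server key and CSR, equivalent of "create ssl rsakey" + "create ssl certReq".
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/Sample01.key" -out "$WORK/Sample01.csr" \
        -subj "/C=US/ST=Florida/O=IT/CN=*.company.lab" \
        -addext "subjectAltName=$SAN" >/dev/null 2>&1 || return 1
    # "x509 -req" does not copy the CSR's extensions by default, so the SAN is
    # restated here, just as the article restates -subjectAltName on "create ssl cert".
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$SAN" > "$WORK/Sample01.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/Sample01.csr" \
        -CA "$WORK/Sample01-root.cer" -CAkey "$WORK/Sample01-root.key" -CAcreateserial \
        -extfile "$WORK/Sample01.ext" -out "$WORK/Sample01.cer" >/dev/null 2>&1
}

# Chain check plus name check: the leaf must chain to the root, the wildcard
# must cover the host given as $1, and the IP SAN must match. Non-zero on failure.
verify_for() {
    openssl verify -CAfile "$WORK/Sample01-root.cer" \
        -verify_hostname "$1" -verify_ip 10.11.12.13 "$WORK/Sample01.cer" >/dev/null 2>&1
}

# PFX bundle: leaf certificate first, root appended, same order as the article's
# two "shell cat" lines. "citrix123" is the article's sample password.
make_pfx() {
    openssl pkcs12 -export -in "$WORK/Sample01.cer" -certfile "$WORK/Sample01-root.cer" \
        -inkey "$WORK/Sample01.key" -out "$WORK/Sample01.pfx" \
        -passout pass:citrix123 >/dev/null 2>&1
}

# Number of certificates stored in the PFX; the article's bundle should hold two.
pfx_cert_count() {
    openssl pkcs12 -in "$WORK/Sample01.pfx" -passin pass:citrix123 -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_chain
verify_for www.company.lab && echo "chain and wildcard OK for www.company.lab"
verify_for www.other.lab || echo "name outside the wildcard rejected, as expected"
make_pfx && echo "PFX holds $(pfx_cert_count) certificate(s)"
```

The negative check (a host outside company.lab) is the one worth keeping in a test harness: a wildcard that accidentally matches more than intended, or a SAN that was dropped because the signing step did not restate it, shows up there rather than in production.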

Delete created configuration

If you need to delete the configuration you just created, unbind the test certificate from your virtual servers and run the following commands:
rm ssl certKey Sample01
rm ssl certKey Sample01-root
shell rm /nsconfig/ssl/Sample01.* /nsconfig/ssl/Sample01-root.*

All commands

The following are all the commands together, with the clean-up commands commented out.
#Create a Root CA cert
create ssl rsakey Sample01-root.key 2048 -exponent F4 -keyform PEM
create ssl certReq Sample01-root.csr -keyFile Sample01-root.key -keyform PEM -countryName US -stateName Florida -organizationName IT -commonName NS_ROOT_CA -digestMethod SHA256
create ssl cert Sample01-root.cer Sample01-root.csr ROOT_CERT -keyFile Sample01-root.key -keyform PEM -days 3650 -certForm PEM -CAcertForm PEM -CAkeyForm PEM
add ssl certKey Sample01-root -cert Sample01-root.cer -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO
#Create the Server cert
create ssl rsakey Sample01.key 2048 -exponent F4 -keyform PEM
create ssl certReq Sample01.csr -keyFile Sample01.key -keyform PEM -commonName "*.company.lab" -countryName US -stateName Florida -organizationName IT -digestMethod SHA256 -subjectAltName "DNS:*.company.lab DNS:company.lab IP:10.11.12.13"
create ssl cert Sample01.cer Sample01.csr SRVR_CERT -keyform PEM -days 3650 -certForm PEM -CAcert Sample01-root.cer -CAcertForm PEM -CAkey Sample01-root.key -CAkeyForm PEM -CAserial CASerial -subjectAltName "DNS:*.company.lab DNS:company.lab IP:10.11.12.13"
add ssl certKey Sample01 -cert Sample01.cer -key Sample01.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO
#Link Server with CA cert
link ssl certKey Sample01 Sample01-root
#Convert the certificates to PFX
shell cat /nsconfig/ssl/Sample01.cer > /nsconfig/ssl/Sample01.tmp
shell cat /nsconfig/ssl/Sample01-root.cer >> /nsconfig/ssl/Sample01.tmp
convert pkcs12 /nsconfig/ssl/Sample01.pfx -password citrix123 -export -certFile /nsconfig/ssl/Sample01.tmp -keyFile /nsconfig/ssl/Sample01.key
shell rm /nsconfig/ssl/Sample01.tmp
##Check the private key
shell openssl rsa -check -in /nsconfig/ssl/Sample01.key
##Check the new CSR
shell openssl req -text -noout -verify -in /nsconfig/ssl/Sample01.csr
##Check the new cert
shell openssl x509 -text -noout -in /nsconfig/ssl/Sample01.cer
##CleanUP
#rm ssl certKey Sample01
#rm ssl certKey Sample01-root
#shell rm /nsconfig/ssl/Sample01.* /nsconfig/ssl/Sample01-root.*

Issue/Introduction

This article describes how to create a test wildcard certificate on NetScaler.