Whilst you may be familiar with generating a CSR using IIS, it is also possible to generate a CSR using NetScaler and from there submit a certificate request to a public or internal CA using that CSR to generate a certificate.
I’ll take for granted that you know the IIS method. So here, I will show:
- Generating a private key and CSR on the NetScaler.
- Handing the CSR to a Certificate Authority, in my case internal Active Directory Certificate Services.
- Submitting a request for a certificate using the CSR.
- Saving the certificate from the CA and installing on NetScaler.
First we generate a private key (RSA Key). On NetScaler, navigate to Traffic Management -> SSL -> SSL Files -> Keys -> Create RSA Key.
Specify a name for the RSA Key. The key file will be stored on NetScaler within /nsconfig/ssl/. Specify a key size (max 4096), PEM format, DES3 encryption and a PEM passphrase. Click Create. Now navigate to Traffic Management -> SSL -> SSL Files -> CSRs -> Create Certificate Signing Request (CSR). Enter a name for the request file. Browse the appliance and choose the RSA Key you created under Key Filename. Enter the PEM Passphrase you choose during the RSA Key creation. Under Digest Method choose SHA256. Continue to the lower part of the creation screen. Enter a Common Name, Organization Name, State or Province, and Country. Other fields are optional. The Challenge Password field for example is not used by ADCS however may be used for additional authentication with third party CAs so they can challenge you for authentication. Click Create. Navigate to Traffic Management -> SSL -> Manage Certificates / Keys / CSRs. Find the CSR you just created and click View. Copy the CSR contents and place in a .TXT file. Now hand the CSR TXT file to your Certificate Authority. In my case, internal ADCS. So for example I can run the following command to request a certificate using the CSR we just created. I’ll then be prompted to save the issued certificate. The certificate has been successfully issued and saved to my network share. I can now upload this certificate to NetScaler. On NetScaler navigate to Traffic Management -> SSL -> Certificates -> Server Certificates -> Install. Enter a certificate-key pair name. Under Certificate File Name browse for the certificate issued by your CA. Under Certificate File Name browse for the RSA Key you created which still resides on the NetScaler. Enter the RSA Key password. Click Install. Now you have a certificate which you can use against Load Balanced vServers or NetScaler Gateway vServers etc.
Said
April 5, 2018Can you explain the certreq command what is the dc. for and what is the name of the file you gave it here?
George Spiers
April 5, 2018When you have a CSR, you need to present it to a Certificate Authority (CA) so that you can obtain a certificate. That is what I am doing with the certreq command. The dc.jgspiers.com piece is my Certificate Authority. So, I am requesting a certificate against dc.jgspiers.com, I’m asking the CA to use the StoreFrontTemplate certificate template and at the end of the command is my CSR file that I am presenting to the CA.