Subject Alternative Name (SAN) certificates are useful because a single certificate can cover multiple DNS names or IP addresses used to reach a web server or device management portal.
On a Citrix NetScaler FIPS MPX appliance, the wizard that generates a Certificate Signing Request (CSR) cannot add SAN attributes, so there are two other ways to get a SAN certificate onto the appliance.
*I’ve recorded a video demonstration of the full process and uploaded here: https://youtu.be/HXVuJY7PIPw
*Supporting files can be downloaded here: https://citrix.sharefile.com/d-s4b0ef6635c741069
Option 1: Use OpenSSL from the NetScaler shell to generate an RSA private key and a CSR that includes the SAN extension. Then import the RSA key into the FIPS HSM and install the signed certificate in Base64-encoded (PEM) X.509 format. Because the key is generated in software rather than inside the HSM, the plaintext key file should be removed from the appliance's file system once the import has been verified.
The blog by Steven Wright details most of the process for creating the CSR and installing the certificate on a non-FIPS appliance. After following his steps, import the key and certificate onto a FIPS appliance as follows.
Import the RSA key as a FIPS key.
Verify that the key was imported successfully and is displayed under the FIPS keys tab.
Install the Server Certificate and select the FIPS key that was previously imported.
Check that the server certificate has been installed successfully.
Here is the SAN certificate working on a NetScaler Gateway vServer.
The certificate must be in PEM (Base64 X.509) format. The following OpenSSL commands can be run from the appliance shell to check and convert certificates and keys.
Check the CSR:
> openssl req -text -noout -verify -in CSR.csr
Check a private key (-noout stops the key itself from being echoed to the terminal):
> openssl rsa -in privateKey.key -check -noout
Check a certificate:
> openssl x509 -in certificate.crt -text -noout
Convert a DER file (.crt .cer .der) to PEM
> openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
> openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
*-nodes writes the private key unencrypted, which is the form the FIPS key import expects; add -nocerts to output only the private key, or -nokeys to output only the certificates.
> openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Option 2: Generate the key and CSR on a Windows system, have the CSR signed, and export the resulting certificate together with its private key in PFX (PKCS#12) format. Split the PFX into a PEM key and PEM certificate with the openssl pkcs12 command above, then import the key and install the certificate using the same steps as Option 1.
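The script below is an added example, not code from the original post or from Citrix. It covers the OpenSSL side of both options: generating an RSA key and a CSR with SAN entries from a config file (Option 1), checking that the key, CSR and certificate belong together before the FIPS key import and certificate install, and unpacking a PKCS#12 bundle into PEM (Option 2). The hostnames, IP address, organisation, file names and the PFX password are placeholders; the self-signed certificate is an offline stand-in for the CA-issued one so the checks can be exercised without a CA.

```sh
#!/bin/sh
# Added example (not from the original post): build an RSA key and a CSR that
# carries SAN entries with OpenSSL, as Option 1 does from the NetScaler shell,
# then run the checks worth doing before the FIPS key import and certificate
# install. Also exercises the Option 2 path (PKCS#12 -> PEM). Hostnames,
# addresses, file names and the PFX password are placeholders.

# OpenSSL request config; the SANs live in v3_req, which the FIPS MPX
# CSR wizard cannot produce. $1 = path of the config file to write.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
O  = Example Org
CN = gateway.example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = gateway.example.com
DNS.2 = vpn.example.com
IP.1  = 192.0.2.10
EOF
}

# Write server.key (unencrypted PEM RSA key, the form the FIPS key import
# takes) and server.csr into directory $1.
make_san_csr() {
    write_san_config "$1/san.cnf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -config "$1/san.cnf" -out "$1/server.csr"
}

# Print the SAN line of a CSR ($1 = req) or certificate ($1 = x509) in $2,
# e.g. "DNS:gateway.example.com, DNS:vpn.example.com, IP Address:192.0.2.10".
sans_of() {
    openssl "$1" -in "$2" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        sed 's/^[[:space:]]*//'
}

# Succeed when RSA key $1 belongs to the CSR or certificate $3 (kind $2 =
# req or x509): both print the same modulus. Run this before selecting the
# FIPS key at certificate install time.
key_matches() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl "$2" -in "$3" -noout -modulus)" ]
}

# Self-sign the CSR as an offline stand-in for the CA-issued certificate so
# the post-install checks can be exercised here. In a real deployment the
# CSR goes to the CA; -extfile/-extensions keep the SANs in the stand-in.
self_sign_stand_in() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 30 \
        -extfile "$1/san.cnf" -extensions v3_req -out "$1/server.crt" 2>/dev/null
}

# Option 2 path: bundle key and certificate into a PFX as a Windows export
# would, then split it back into a PEM key (-nocerts -nodes, so the key lands
# unencrypted on disk) and a PEM certificate (-nokeys) for the appliance.
pfx_to_pem() {
    openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
        -out "$1/server.pfx" -passout pass:changeit
    openssl pkcs12 -in "$1/server.pfx" -passin pass:changeit -nocerts -nodes \
        -out "$1/from_pfx.key" 2>/dev/null
    openssl pkcs12 -in "$1/server.pfx" -passin pass:changeit -nokeys \
        -out "$1/from_pfx.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_san_csr "$d"
    echo "CSR SANs : $(sans_of req "$d/server.csr")"
    key_matches "$d/server.key" req "$d/server.csr" && echo "key matches CSR"
    self_sign_stand_in "$d"
    echo "Cert SANs: $(sans_of x509 "$d/server.crt")"
    pfx_to_pem "$d"
    key_matches "$d/from_pfx.key" x509 "$d/from_pfx.crt" && echo "PFX round-trip OK"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh san_csr.sh demo` to see the SAN list parsed back out of the CSR and the stand-in certificate and the modulus comparison pass. On the appliance, the CSR produced by make_san_csr is what goes to the CA; the key file is imported as a FIPS key and then deleted from the file system, and the modulus check is the quick way to confirm the CA-returned certificate matches the key you imported before selecting it in the certificate install.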