Generating a Subject Alternative Name (SAN) certificate on a Citrix NetScaler FIPS MPX

Subject Alternative Name (SAN) certificates are very useful because a single certificate can carry multiple DNS names or IP addresses, each of which can be used to reach a web server or a device management portal.

On a Citrix NetScaler FIPS MPX appliance, the wizard that generates a Certificate Signing Request (CSR) does not natively support adding SAN attributes, but there are two options for getting a SAN certificate onto the appliance.

*I’ve recorded a video demonstration of the full process and uploaded here:
*Supporting files can be downloaded here:

Option 1: Use OpenSSL from the NetScaler shell to generate an RSA private key and CSR file. Then import the RSA key into the FIPS HSM and install the signed certificate in base64 (PEM) X.509 format.

The blog by Steven Wright details most of the process for creating the CSR and installing it on a non-FIPS appliance. After following his steps, you can import the key and certificate file onto a FIPS appliance by following the steps below.

Import the RSA key to a FIPS key.

Verify that the key was imported successfully and is displayed under the FIPS keys tab.

Install the Server Certificate and select the FIPS key that was previously imported.

Check that the server certificate has been installed successfully.

Here is the SAN certificate successfully working on a NetScaler Gateway vServer.

The certificate must be in PEM (base64 X.509) format. The following OpenSSL commands can be run from the appliance shell to check and convert keys and certificates.

Check the CSR:

> openssl req -text -noout -verify -in CSR.csr

Check a private key:

> openssl rsa -in privateKey.key -check

Check a certificate:

> openssl x509 -in certificate.crt -text -noout

Convert a DER file (.crt .cer .der) to PEM:

> openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER:

> openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM:
*You can add -nocerts to only output the private key, or add -nokeys to only output the certificates.

> openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12):

> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

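As an added example (not from the original post and not from Steven Wright's blog), here is the OpenSSL step the NetScaler wizard cannot do under Option 1: generating the RSA key and a CSR that carries a subjectAltName extension, together with a check that the SAN names actually made it into the request before you send it to the CA and import the key as a FIPS key. The hostnames, file paths and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example: key + SAN CSR with OpenSSL, then verify the SAN is present.

# make_san_csr KEYFILE CSRFILE CN DNS1 [DNS2 ...]
# Writes a throwaway OpenSSL config so the CSR carries a subjectAltName
# extension listing every DNS name given after the CN (assumed names).
make_san_csr() {
    key="$1"; csr="$2"; cn="$3"; shift 3
    cfg="$(mktemp)"
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
    # -nodes writes the RSA key unencrypted so it can be imported into the
    # FIPS HSM later; umask 077 keeps the key file readable by the owner only.
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null )
    rm -f "$cfg"
}

# csr_san_count CSRFILE
# Prints the number of DNS entries in the CSR's SAN extension (0 if missing),
# which is the check to make before submitting the request to the CA.
csr_san_count() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

# Usage (assumed names):
#   make_san_csr san.key san.csr gw.example.com gw.example.com vpn.example.com
#   csr_san_count san.csr      # prints 2
```

The same `openssl req -text -noout -verify` command from the list above confirms the request's self-signature; the SAN count is the extra check that the extension survived.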

Option 2: Generate a CSR and key on a Windows system, then export to PFX format containing the private key. Run through the import process above (convert the PKCS#12 file to PEM, import the key as a FIPS key, then install the certificate against it) to bring in the PKCS#12 certificate.
