NetScaler

Generating a Subject Alternative Name (SAN) certificate on a Citrix NetScaler FIPS MPX

Subject Alternative Name (SAN) certificates can be very useful by containing multiple DNS or IPs that can be used to access a web server or device management portal.

On a Citrix NetScaler FIPS MPX appliance, the wizard to generate a Certificate Signing Request (CSR) does not support adding in the SAN attributes natively but there are two options to complete this.

*I’ve recorded a video demonstration of the full process and uploaded here: https://youtu.be/HXVuJY7PIPw
*Supporting files can be downloaded here: https://citrix.sharefile.com/d-s4b0ef6635c741069

Option 1: Use OpenSSL from the NetScaler shell to generate an RSA private key and CSR file. Then import the RSA key into the FIPS HSM and install the signed BASE64 x.509 formatted certificate.

The blog by Steven Wright details most of the process for creating the CSR and installing on a non-FIPS appliance.  After following his steps you can then import the key and certificate file onto a FIPS appliance by following the steps below.

 

Import the RSA key to a FIPS key.
1

Verify that the key was imported successfully and is displayed under the FIPS keys tab.
2
Install the Server Certificate and select the FIPS key that was previously imported.
3

Check that the server certificate has been installed successfully.
4

Here is the SAN certificate successfully working on a NetScaler Gateway vServer
5

The certificate must be in the PEM (base64 x.509) format.  There are a set of OpenSSL commands that can be used to convert and check the certificates on the appliance from the shell.

Check the CSR:

> openssl req -text -noout -verify -in CSR.csr

 

Check a private key:

> openssl rsa -in privateKey.key -check

 

Check a certificate:

> openssl x509 -in certificate.crt -text -noout

 

Convert a DER file (.crt .cer .der) to PEM

> openssl x509 -inform der -in certificate.cer -out certificate.pem

 

Convert a PEM file to DER

> openssl x509 -outform der -in certificate.pem -out certificate.der

 

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
*You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

> openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

 

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

 

 

Option 2: Generate a CSR and key from a Windows system then export to PFX format containing the private key.  Run through the import process above to bring in the PKCS#12 certificate.

 

 

Published by

Shane

Sr. Enterprise Architect @ Citrix Systems

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.