Home » certificates

Tag: certificates

Citrix NetScaler Certificates – Certificate Linking

Sometimes there can be some certificates that exist between the newly created NetScaler cert and the Root CA Certificate. These certificates ‘in the middle’ are known as intermediary or subordinate certificates and form a link or ‘chain’ between the root CA certificate and our newly created NetScaler certificate.

For example:

When some operating systems don’t have the full chain of intermediary certificates installed (and trusted) they will display a ‘certificate invalid’ message even when the certificate itself is valid. This is because the operating system is unable to verify your server certificate all the way up the certificate chain to the root certificate. These certificates can be installed and provide to the end users to greater enhance the user’s ability to connect to the NetScalers regardless of their endpoint or client device.

Step Description Screenshot
1 Example: Connecting to a service or VIP on the NetScaler interface where we have bound the new Certificate shows an error in Chrome on Mac OSX

Note: This will vary between operating system and between CA certificate providers
2 Log into the NetScaler web interface

http://192.168.1.50
 3 Expand SSL > SSL Files

Click SSL > Certificates > CA Certificates

Click Install
 4 Upload the bundled certificate from your 3rd party CA

Click Install
 5 Expand SSL > SSL Files

Click SSL > Certificates > Server Certificates

Tick your newly created server certificate

Select Action – ‘Link’
6 Select the CA Certificate uploaded in step 3

Tip: The NetScaler will automatically select the correct / valid certificate (if it is installed correctly and exists)
 7 Repeat this step for every certificate in the certificate chain including the root certificate

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Citrix NetScaler Certificates – Submit to 3rd Party CA

Submitting the CSR to a 3rd party CA – Comodo Free SSL

We now need to take our CSR created in the previous section and submit that to a 3rd Party Certificate Authority or CA to verify our CSR and provide us with a certificate response we can combine with our CSR and generate the SSL certificate. For the purposes of this demonstration we will use Comodo as our 3rd Party CA, however there are many vendors you can choose from some are free (with restictions) others you must pay for your certificate(s).

Step Description Screenshot
 1 First we need to download our CSR for easy access from the NetScaler

Expand Traffic Management > SSL > SSL Files > CSRs tab

Tick the newly created .csr file and click Download
 2 We are going to browse to comodo and apply for a FREE SSL Certificate https://ssl.comodo.com/free-ssl-certificate.php
 3 Click the big Free Trial SSL button
4 Open the downloaded CSR file from step 1 and copy and paste the entire contents into the Comodo SSL site

Select Citrix as the Server software

Click Next
5 Comodo will then perform a domain ownership verification

In the example shown to keep it simple I will select the registered email address for jsconsulting.services from (WHOIS)
6 Enter your details for registration of the Certificate and for access to the COMODO SSL Site

7 Read the terms thoroughly and Accept if you are ready to continue
 8 Validate the email sent to your WHOIS registered email

 9 Download the CSR Files as a zip

 

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Signup below to receive a free 200 page Citrix NetScaler Introduction guide!

[mc4wp_form id=”2763″]

Citrix NetScaler Certificates – Install your CA Response Cert

We will now take the Certificate response file (CRT file) from our 3rd party Certificate Authority (CA) and install it onto the NetScaler device, then using both the CRT and Private key to combine and finally create a fully functional NetScaler certificate.

Step Description Screenshot
 1 Expand Traffic Management > SSL > SSL Files

Click Upload
2 Browse for your Certificate file (provided by your 3rd Party CA)

Click Open

Note: The file is uploaded to the NetScaler but not yet usable!
3 Browse to Traffic Management > SSL > Server Certificates

Click Install
4 Give the new ‘Server Certificate’ a unique easily identifiable name

Certificate File: Choose the Certificate you just uploaded in step 2

Key File Name: select your private key file that is on the NetScaler

Provide the private key password

Click Install
5 Your certificate is now installed and ready to be used on NetScaler services, VIPs, NetScaler gateway etc.

Citrix NetScaler Certficates – Creating a CSR Request

Step Description Screenshot
1 Log into the NetScaler web interface

http://192.168.1.50
2 Now that our private key has been created we need to create a Certificate Signing Request and sign it with our private key

Expand SSL > SSL Files

Click CSRs

Then click Create Certificate Signing Request (CSR)
3 In our example we will enter these details shown:

Then click Create

Request File name: gateway.jsconsulting.services.csr

Key Filename: gateway.jsconsulting.services.privatekey

Key Format: PEM

PEM Passphrase: <private key password here>

Digest Method: SHA256

Common Name: gateway.jsconsulting.services

Organisation Name: JS Consulting Services

Organisational Unit: Technologies

Email Address: <your email address>

City: London

State or Province: London

Country: UNITED KINGDOM
 4 CSR is created and signed with the private key all stored on the NetScaler in /nsconfig/ssl

Citrix NetScaler Certficates – Creating a Private RSA

Step Description Screenshot
 1 Log into the NetScaler web interface

http://192.168.1.50
 2 Expand traffic management

Right Click SSL

And select Enable Feature

Note: The yellow exclamation will disappear when the feature is enabled

Disabled

Enabled
3 Expand SSL > SSL Files > and click the button Create RSA Key
4 In this example we will enter the details shown:

Then click Create

 Key filename: gateway.jsconsulting.services.privatekey

Key Size(bits)*: 2048

Public Exponent Value: F4

Key Format: PEM

PEM Encoding Algorithm: DES3

PEM & Confirm Password: <mypassword>

Note: the larger the key size the more CPU will be used encrypting and decrypting the certificates

DES3 is simply DES applied 3 times (so in theory it’s more secure)
 5 Note: The private key should be downloaded and stored away from the NetScaler device (especially if the NetScaler is stored in a DMZ). This is in case the NetScaler device is compromised in any way. If your private keys are lost or compromised you would have to revoke your existing certificates and new certificates should be generated.