If you want to install a test certificate on NetScaler to use with NetScaler Gateway or StoreFront, use the commands below. You will still get certificate warnings, because the certificate is signed by the test root CA created here, which clients do not trust by default, but your NetScaler Gateway or StoreFront load-balanced URL will work. In the commands below, change company.lab to your domain name (for example, homelab.local). If you need a wildcard certificate, use the commands as they are. If you need a SAN certificate, replace * with the StoreFront VIP hostname or NetScaler Gateway hostname, such as nsgwy.company.lab or storefrontlb.company.lab.
The following are all the commands together, with the clean-up commands commented out.
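# Test-only PKI for a lab NetScaler: a self-signed root CA plus one server
# certificate signed by it. The later shell commands show that every generated
# file lives under /nsconfig/ssl.

#Create a Root CA cert
# 2048-bit RSA key for the root CA (F4 = public exponent 65537), PEM encoded.
create ssl rsakey Sample01-root.key 2048 -exponent F4 -keyform PEM
create ssl certReq Sample01-root.csr -keyFile Sample01-root.key -keyform PEM -countryName US -stateName Florida -organizationName IT -commonName NS_ROOT_CA
# ROOT_CERT signs the request with its own key (self-signed), valid 3650 days.
create ssl cert Sample01-root.cer Sample01-root.csr ROOT_CERT -keyFile Sample01-root.key -keyform PEM -days 3650 -certForm PEM -CAcertForm PEM -CAkeyForm PEM
# Only the root certificate is loaded here (no -key argument). The root private
# key file stays on disk until the clean-up step; whoever can read it can issue
# certificates that chain to this root, so trust Sample01-root.cer on lab
# clients only.
add ssl certKey Sample01-root -cert Sample01-root.cer -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

#Create the Server cert
create ssl rsakey Sample01.key 2048 -exponent F4 -keyform PEM
# The quotes must be plain ASCII double quotes; typographic quotes pasted from a
# web page are not quoting characters and end up inside the value.
# This request sets only a commonName and asks for no subjectAltName, so clients
# that match hostnames against subjectAltName alone will reject the certificate.
create ssl certReq Sample01.csr -keyFile Sample01.key -keyform PEM -commonName "*.company.lab" -countryName US -stateName Florida -organizationName IT
# Signed by the test root created above; -CAserial names the serial-number file.
create ssl cert Sample01.cer Sample01.csr SRVR_CERT -keyform PEM -days 3650 -certForm PEM -CAcert Sample01-root.cer -CAcertForm PEM -CAkey Sample01-root.key -CAkeyForm PEM -CAserial CASerial
add ssl certKey Sample01 -cert Sample01.cer -key Sample01.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

#Link Server with CA cert
link ssl certKey Sample01 Sample01-root

#Convert the certificates to PFX
# Build a temporary chain file: server certificate first, then the root.
shell cat /nsconfig/ssl/Sample01.cer > /nsconfig/ssl/Sample01.tmp
shell cat /nsconfig/ssl/Sample01-root.cer >> /nsconfig/ssl/Sample01.tmp
# The PFX contains the server private key. citrix123 is the sample password from
# this walkthrough: substitute your own before running, and note that a password
# typed on the command line may be kept in command history or logs.
convert pkcs12 /nsconfig/ssl/Sample01.pfx -password citrix123 -export -certFile /nsconfig/ssl/Sample01.tmp -keyFile /nsconfig/ssl/Sample01.key
shell rm /nsconfig/ssl/Sample01.tmp

##CleanUP
# Uncomment to remove both certKey objects and the generated files, private keys
# and PFX included. The CASerial file is not matched by these globs.
#rm ssl certKey Sample01
#rm ssl certKey Sample01-root
#shell rm /nsconfig/ssl/Sample01.* /nsconfig/ssl/Sample01-root.*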
Updated:
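The following are all the commands together, with the clean-up commands commented out. This version adds -digestMethod SHA256 and a subjectAltName to the requests, and openssl checks of the key, CSR and certificate.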
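# Test-only PKI for a lab NetScaler: a self-signed root CA plus one server
# certificate signed by it, requested with SHA256 and a subjectAltName. The
# shell commands below show that every generated file lives under /nsconfig/ssl.

#Create a Root CA cert
# 2048-bit RSA key for the root CA (F4 = public exponent 65537), PEM encoded.
create ssl rsakey Sample01-root.key 2048 -exponent F4 -keyform PEM
create ssl certReq Sample01-root.csr -keyFile Sample01-root.key -keyform PEM -countryName US -stateName Florida -organizationName IT -commonName NS_ROOT_CA -digestMethod SHA256
# ROOT_CERT signs the request with its own key (self-signed), valid 3650 days.
create ssl cert Sample01-root.cer Sample01-root.csr ROOT_CERT -keyFile Sample01-root.key -keyform PEM -days 3650 -certForm PEM -CAcertForm PEM -CAkeyForm PEM
# Only the root certificate is loaded here (no -key argument). The root private
# key file stays on disk until the clean-up step; whoever can read it can issue
# certificates that chain to this root, so trust Sample01-root.cer on lab
# clients only.
add ssl certKey Sample01-root -cert Sample01-root.cer -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

#Create the Server cert
create ssl rsakey Sample01.key 2048 -exponent F4 -keyform PEM
# The quotes must be plain ASCII double quotes; typographic quotes pasted from a
# web page are not quoting characters and end up inside the value.
# Replace every company.lab name and the sample IP 10.11.12.13 with your own
# values, and keep the subjectAltName identical in the request and in the
# signing command that follows.
create ssl certReq Sample01.csr -keyFile Sample01.key -keyform PEM -commonName "*.company.lab" -countryName US -stateName Florida -organizationName IT -digestMethod SHA256 -subjectAltName "DNS:*.company.lab DNS:company.lab IP:10.11.12.13"
# Signed by the test root created above; -CAserial names the serial-number file.
create ssl cert Sample01.cer Sample01.csr SRVR_CERT -keyform PEM -days 3650 -certForm PEM -CAcert Sample01-root.cer -CAcertForm PEM -CAkey Sample01-root.key -CAkeyForm PEM -CAserial CASerial -subjectAltName "DNS:*.company.lab DNS:company.lab IP:10.11.12.13"
add ssl certKey Sample01 -cert Sample01.cer -key Sample01.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

#Link Server with CA cert
link ssl certKey Sample01 Sample01-root

#Convert the certificates to PFX
# Build a temporary chain file: server certificate first, then the root.
shell cat /nsconfig/ssl/Sample01.cer > /nsconfig/ssl/Sample01.tmp
shell cat /nsconfig/ssl/Sample01-root.cer >> /nsconfig/ssl/Sample01.tmp
# The PFX contains the server private key. citrix123 is the sample password from
# this walkthrough: substitute your own before running, and note that a password
# typed on the command line may be kept in command history or logs.
convert pkcs12 /nsconfig/ssl/Sample01.pfx -password citrix123 -export -certFile /nsconfig/ssl/Sample01.tmp -keyFile /nsconfig/ssl/Sample01.key
shell rm /nsconfig/ssl/Sample01.tmp

##Check the private key
# -noout keeps openssl from echoing the private key to the terminal (and any
# session log); only the consistency result is printed.
shell openssl rsa -check -noout -in /nsconfig/ssl/Sample01.key
##Check the new CSR
# Confirms the request's self-signature and shows the requested subject and SAN.
shell openssl req -text -noout -verify -in /nsconfig/ssl/Sample01.csr
##Check the new cert
# Confirm the Subject Alternative Name entries and the signature algorithm here.
shell openssl x509 -text -noout -in /nsconfig/ssl/Sample01.cer

##CleanUP
# Uncomment to remove both certKey objects and the generated files, private keys
# and PFX included. The CASerial file is not matched by these globs.
#rm ssl certKey Sample01
#rm ssl certKey Sample01-root
#shell rm /nsconfig/ssl/Sample01.* /nsconfig/ssl/Sample01-root.*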
Source: CTX219297
If you want another certificate, change Sample01 in the above commands to Sample02 and generate a new certificate.