
sslcertreq is accepting subjectaltname, but when certificate is created, there are no SANs (Nitro API via PowerShell)


Jeremy Benway


I am attempting to create CSR requests and generate certificates from them via PowerShell. I am able to create the KEY file, CSR, & CER without issue, but when I check the certificate file for the subject alternative names I gave it, the subject alternative name field isn't even listed in the certificate details. Not sure if I am passing it incorrectly. Please advise how to make this work! 
 

PowerShell looks like:

$hashtablePayload = @{}
$hashtablePayload.'sslcertreq' = @{'reqfile' = $csrName; 'keyfile' = $keyName; 'commonname' = $commonName; 'organizationname' = $organization; 'organizationunitname' = $organizationalUnit; 'countryname' = $country; 'statename' = $state; 'localityname' = $location; 'digestmethod' = 'SHA256'}
$hashtablePayload.'sslcertreq'.'subjectaltname' = @{'DNS.1' = $commonName; 'DNS.2' = $alt2; 'DNS.3' = $alt3}
$jsonPayload = ConvertTo-Json -InputObject $hashtablePayload -Depth 100

JSON Payload looks like:
{
    "sslcertreq": {
        "localityname": "cityname",
        "organizationunitname": "ouname",
        "reqfile": "example.csr",
        "countryname": "US",
        "organizationname": "orgname",
        "keyfile": "example.key",
        "subjectaltname": {
            "DNS.3": "alt3.domain.com",
            "DNS.1": "example.domain.com",
            "DNS.2": "alt2.domain.com"
        },
        "commonname": "example.domain.com",
        "statename": "state",
        "digestmethod": "SHA256"
    }
}

 

[Attached screenshot: Missing Subject Alternative Name Field.png]


1 hour ago, Carl Stalhood1709151912 said:

I think only the latest build 71 of 13.0 shows Subject Alternative Names.

https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslcertreq/#sslcertreq

The Nitro API documentation for 12.0 shows it as a property that can be used, and when we create a csr/cert request on the Netscaler via CLI using the openssl commands, it creates the cert with SANs as expected. Any thoughts?


2 minutes ago, Carl Stalhood1709151912 said:

Most CAs will ignore any SANs you put in the CSR and instead require you to type in the SANs when requesting the CA to sign your CSR. What is your CA?

Using a Windows Intermediate as the signing CA. If we create the CSR via openssl command, copy it local and run certreq via CMD, it gives us a certificate with SANs. However, when I create the CSR via Nitro API with the payload above, copy it local and run certreq via CMD, it has no SANs.


Are you able to decode the CSR that ADC generated and see if it includes your SANs?

 

If you have openssl, then you don't need to use ADC to generate your keys and CSRs. You can easily do it using local openssl and then upload them when the cert is signed. All ADC does is use the openssl it has in its BSD shell.


4 minutes ago, Carl Stalhood1709151912 said:

Are you able to decode the CSR that ADC generated and see if it includes your SANs?

 

If you have openssl, then you don't need to use ADC to generate your keys and CSRs. You can easily do it using local openssl and then upload them when the cert is signed. All ADC does is use the openssl it has in its BSD shell.

When decoded using the DigiCert decoder, the ADC generated CSR does not have SANs populated. We do not have openssl installed locally and ran into several issues automating the system to use openssl remotely which is why we're leveraging the ADC/Nitro API. 

 

Is the format of the payload being sent to populate SANs in the CSR correct?


The Nitro API documentation says "string" not array or object. Try something like this:

 

"DNS:*.example.com DNS:www.example.org DNS:www.example.net"

 

https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#support-for-subject-alternative-name-in-a-certificate-signing-request

 

 


3 minutes ago, Carl Stalhood1709151912 said:

The Nitro API documentation says "string" not array or object. Try something like this:

 

"DNS:*.example.com DNS:www.example.org DNS:www.example.net"

 

https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#support-for-subject-alternative-name-in-a-certificate-signing-request

 

 

Passing it as a string did the trick! Thanks Carl, you've done it again! :5_smiley:


2 hours ago, Carl Stalhood1709151912 said:

The Nitro API documentation says "string" not array or object. Try something like this:

 

"DNS:*.example.com DNS:www.example.org DNS:www.example.net"

 

https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#support-for-subject-alternative-name-in-a-certificate-signing-request

 

 

Carl, it seems when passing the request multiple SANs and generating the certificate, it is creating the certificate with SANs, but joining them with a ";".

 

When using:
$hashtablePayload.'sslcertreq'.'subjectaltname' = @("DNS:$($commonName)", "DNS:$($alt2)", "DNS:$($alt3)")

It creates the following SANs in the certificate: 
DNS Name=example.domain.com;DNS:alt2.domain.com;DNS:alt3.domain.com

Instead of the expected:
DNS Name=example.domain.com
DNS Name=alt2.domain.com
DNS Name=alt3.domain.com

 


# Start the SAN string with the common name, then append each optional alternative name.
# Nitro expects one space-separated string ("DNS:a DNS:b DNS:c"), not a hashtable or array.
$Script:alt_names = "DNS:$($commonName)"

foreach($altName in ($alt2,$alt3,$alt4,$alt5,$alt6,$alt7,$alt8,$alt9,$alt10)){
    if($altName){
        $Script:alt_names += " DNS:$($altName)"
    }
}

$hashtablePayload = @{}
$hashtablePayload.'sslcertreq' = @{'reqfile' = $csrFinalName; 'keyfile' = $keyFinalName; 'commonname' = $commonName; 'organizationname' = $organization; 'organizationunitname' = $organizationalUnit; 'countryname' = $country; 'statename' = $state; 'localityname' = $location; 'digestmethod' = 'SHA256'}

# subjectaltname must be the single string built above
$hashtablePayload.'sslcertreq'.'subjectaltname' = $Script:alt_names

$jsonPayload = ConvertTo-Json -InputObject $hashtablePayload -Depth 100

This payload allows you to generate a CSR with multiple Subject Alternative Names once the certificate is generated.
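The following is an added example and not code from the thread or from Citrix. It pulls together the two points raised above: the subjectaltname value must be one space-separated string of `DNS:` entries (not the hashtable or array forms that produced a missing SAN field and a ";"-joined entry respectively), and, as Carl suggested earlier, the result should be checked after signing rather than assumed. The helper validates and deduplicates the names before they go into the CSR, builds the sslcertreq payload, and inspects the issued certificate for individual DNS entries. `$adcHost`, `$adcUser` and `$adcPass` are placeholders, and the endpoint path `/nitro/v1/config/sslcertreq` is an assumption taken from the Nitro config-resource URL pattern, not something stated in this thread; the function names are my own.

```powershell
# Added example (not from the thread): build the string-form subjectaltname,
# send the sslcertreq call, and verify SANs on the signed certificate.
# $adcHost/$adcUser/$adcPass are placeholders; the endpoint path is an assumption.

function ConvertTo-NitroSanString {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$AlternativeNames = @()
    )
    # Nitro wants "DNS:a DNS:b DNS:c". A hashtable serialises to a JSON object
    # (SAN field missing); an array is joined into one ';'-separated entry.
    $names = (@($CommonName) + $AlternativeNames) |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Select-Object -Unique
    # Plain DNS names only (optional leading wildcard label, at least two labels),
    # so a stray value cannot end up in a certificate the CA will sign.
    $hostPattern = '^(\*\.)?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$'
    foreach ($n in $names) {
        if ($n -notmatch $hostPattern) { throw "Not a valid DNS SAN: '$n'" }
    }
    return (($names | ForEach-Object { "DNS:$_" }) -join ' ')
}

function New-NitroCsrPayload {
    param(
        [Parameter(Mandatory)][string]$ReqFile,
        [Parameter(Mandatory)][string]$KeyFile,
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$AlternativeNames = @(),
        [hashtable]$Subject = @{}   # organizationname, countryname, statename, localityname, ...
    )
    $req = @{
        reqfile        = $ReqFile
        keyfile        = $KeyFile
        commonname     = $CommonName
        digestmethod   = 'SHA256'
        subjectaltname = ConvertTo-NitroSanString -CommonName $CommonName -AlternativeNames $AlternativeNames
    }
    foreach ($k in $Subject.Keys) { $req[$k] = $Subject[$k] }
    return (ConvertTo-Json -InputObject @{ sslcertreq = $req } -Depth 5)
}

function Invoke-NitroCsr {
    param(
        [Parameter(Mandatory)][string]$AdcHost,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Pass,
        [Parameter(Mandatory)][string]$JsonPayload
    )
    $headers = @{ 'X-NITRO-USER' = $User; 'X-NITRO-PASS' = $Pass }
    # Assumed endpoint; confirm against the Nitro reference for your ADC release.
    Invoke-RestMethod -Uri "https://$AdcHost/nitro/v1/config/sslcertreq" -Method Post `
        -Headers $headers -ContentType 'application/json' -Body $JsonPayload
}

function Test-CertificateSan {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string[]]$ExpectedDnsNames
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $san) { return $false }            # first symptom in the thread: no SAN extension at all
    # Format($true) yields one "DNS Name=host" per line on Windows.
    $entries = $san.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLowerInvariant() }
    # Array-form symptom: everything collapsed into one entry containing ';'
    if ($entries | Where-Object { $_ -match ';' }) { return $false }
    foreach ($e in $ExpectedDnsNames) {
        if ($entries -notcontains $e.ToLowerInvariant()) { return $false }
    }
    return $true
}

# Usage (placeholder values):
# $json = New-NitroCsrPayload -ReqFile 'example.csr' -KeyFile 'example.key' `
#     -CommonName 'example.domain.com' -AlternativeNames 'alt2.domain.com','alt3.domain.com' `
#     -Subject @{ organizationname = 'orgname'; countryname = 'US'; statename = 'state'; localityname = 'cityname' }
# Invoke-NitroCsr -AdcHost $adcHost -User $adcUser -Pass $adcPass -JsonPayload $json
# Test-CertificateSan -CerPath 'example.cer' -ExpectedDnsNames 'example.domain.com','alt2.domain.com','alt3.domain.com'
```

Test-CertificateSan returns $false for both failure modes seen in this thread (no SAN extension, or one ";"-joined entry), so it can gate the automation before the certificate is installed on the ADC. The validation in ConvertTo-NitroSanString is deliberately strict; if you need IP or email SANs, extend the pattern and the `DNS:` prefix accordingly rather than loosening the check.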

 

 
