
Create Certificate Signing Request (CSR) - Netscaler 13.0


Bit-101

Create a "Certificate Signing Request (CSR)"

-But it fails for some reason

Here's how I'm doing it:

In Netscaler GUI

 

1. SSL files

-Keys:

1.2 Generate RSA key

-labtest.key

1.3 CSR - Create Certificate Signing Request (CSR)

-Create Certificate Signing Request (CSR)

1.4 Request Filename
labtest.csr

1.5 Key Filename:

-labtest.key

1.6 Pem

Subject alternative name

-DNS:www.labtest.local DNS:labtest.local

 

Create>

 

2. Nothing happens. Looking under the Certificates tab in Netscaler: nothing there except ns-root-cert etc.

 

3. Troubleshooting

Have set up a root Windows Server with ADCS (Root CA)
Login to Root CA
-Have a look in
Issued certificates

-nothing except all web servers

Failed request

-nothing there

Event log Root CA server

-nothing there

 

4. I assume that a signed labtest certificate should show up in Netscaler?

Something like www.labtest.local.crt

 

But there is nothing there under the tab Certificates

 

What could possibly be wrong?

Really appreciate your answer

Generate the CSR. Send the CSR to a Certificate Authority so it can be signed. After you receive the signed certificate, go to Traffic Management > SSL > Certificates > Server Certificates and click Add. Browse to the key file and browse to the signed certificate file. Give the certificate a name. Now you can bind the certificate to Virtual Servers.


Ok, it's a LAB

And I have installed the ADCS (Active Directory Certificate Services) on one server - labserver-02
So I'm trying to save (download) the labtest.csr in Netscaler and then go to certutil manager and Submit Request on labserver-02 by pointing to that labtest.csr.

The problem is that's not possible, the only option is to submit a new request. And the error message displays as screenshot.

I'm CA Administrator. In other words, I have the PKI environment.

And it works for both clients and servers but not with Netscaler.

(Distribute certificates by GPO)

[screenshot: submit_request.JPG]

PS. Do you think of an external SSL supplier like sslforfree.com or something like that?

Update: I've Googled the error:

This error message typically indicates that the certificate request does not contain information about which certificate template to use when issuing the certificate. The certificate template is a pre-defined set of attributes that determines the type and properties of the certificate.

To resolve this error, you need to ensure that the certificate request includes information about the certificate template. You can do this by either selecting a certificate template when creating the certificate request or by adding the Certificate Template extension to the certificate request.

-It's not possible to do that in Netscaler?

-I hope I'm wrong?

-But if someone sees the possibilities to do this request in Netscaler I'm happy if you could share your knowledge.

These are the only available options in Netscaler 13.0 as far as I can see:
 

1. SSL files

-Keys:

1.2 Generate RSA key

-labtest.key

1.3 CSR - Create Certificate Signing Request (CSR)

-Create Certificate Signing Request (CSR)

1.4 Request Filename
labtest.csr

1.5 Key Filename:

-labtest.key

1.6 Pem

Subject alternative name

-DNS:www.labtest.local DNS:labtest.local

 

Create>

 

2. Nothing happens. Looking under the Certificates tab in Netscaler: nothing there except ns-root-cert etc.

 

3. Troubleshooting

Have set up a root Windows Server with ADCS (Root CA)
Login to Root CA
-Have a look in
Issued certificates

-nothing except all web servers

Failed request

-nothing there

Event log Root CA server

-nothing there

 

 


You seem to be looking in the wrong part of the GUI for what you expect to happen, if I'm interpreting this right.

 

You need three things in your certification creation process:

1) a private key

2) a certificate signing request (csr)

3) the final certificate file.

 

Regardless of whether you use the netscaler gui tools, openssl, or any other system, the end result is that you will get the private key and the certificate file (or equivalent entities on the netscaler). Examples: two separate files (key and cert), a single file (.cer) that contains both key and cert in one file, a pfx that is the key/cert bundle.

With these files you will then create a certkey object on the cli (literally the certificate/key pair). The cli object "certkey" is a pointer to the files on the file system.

If you are looking under the SSL Certificates section of the GUI and then in the left hand menu under the nodes: all certs, server certs, root certs... etc you are only seeing the certkeys, not the files on the file system itself.

Files that you create using the built in tools in the GUI/cli are located in /nsconfig/ssl/ by default (if no paths are specified).

In the GUI, this is visible by going to the SSL node and then in the right pane go to "Manage Certificates" and you can View/Download the contents of the /nsconfig/ssl cert directory.

You should see any key files, csr files, and cert files you created on this system. If you are specifying a path when creating the files, they now go elsewhere and that changes things.

 

So provide a screenshot of where you are looking to confirm.

But even if you are in the wrong part of the GUI, go to /nsconfig/ssl via SSH to see files.

Next:

If using the GUI wizard:

1) Create key file.

2) Create csr file. Gui wizard is just basic settings here.

3) Either download the .csr and submit to your domain CA or other root authority to sign. OR you will use a root cert on the adc to sign; however usually this is a self signed cert by the ADC's built in authority which would not be trusted, but would be fine in this step. If you properly setup a root cert on the ADC, you might be able to use it as a delegated authority, but that is uncommon.

The Create Certificate step of the wizard is where you generate the .cer file.

 

4) You now need to do the "install certificate" step OR go to the SSL >> ALL Certificates node and create the CERTKEY.

The certkey is the cli object which is then a pointer to the key and cert files.

The certkey is what you see under the SSL > submenus. And then you can bind to things.

add ssl certkey <certkeyname> -cert <certfilename.cer> -key <keyfilename> -password

 

 

 

 

 

 

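The sequence in the post above (private key, then CSR, then certificate, then the certkey that points at the two files) written out as an added sh script; it is not Citrix's code and not part of the thread. It drives the openssl that the ADC's built-in SSL tools wrap, uses constructed file names (labtest.key, labtest.csr, labtest.cer, certkey labtest-certkey) and the hostnames from the thread, and self-signs the CSR in place of the AD CS CA so it can run offline. It adds the two checks worth running before the certkey step: that the SANs actually landed in the CSR, and that the certificate handed back really belongs to the key on the ADC.

```shell
#!/bin/sh
# Added example (not Citrix's code): key -> CSR -> cert -> certkey with openssl.
# Constructed names: labtest.key, labtest.csr, labtest.cer, certkey "labtest-certkey".
# Files land in $WORK; on the ADC they would sit in /nsconfig/ssl/ before the certkey line runs.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1) Private key, the equivalent of the GUI's "Generate RSA key".
gen_key() {
    openssl genrsa -out "$WORK/labtest.key" 2048 2>/dev/null
}

# 2) CSR. The GUI's "Subject alternative name" box is this subjectAltName line; without
#    req_extensions pointing at the section the SANs never reach the request.
write_req_config() {
    cat > "$WORK/labtest.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = www.labtest.local
O  = labtest
[ v3_req ]
subjectAltName = DNS:www.labtest.local, DNS:labtest.local
EOF
}
gen_csr() {
    openssl req -new -key "$WORK/labtest.key" -config "$WORK/labtest.cnf" -out "$WORK/labtest.csr"
}

# 3) Signing. In the lab the .csr goes to the AD CS CA; here it is self-signed so the chain
#    can be finished offline. Re-applying v3_req keeps the SANs in the certificate.
sign_csr_self() {
    openssl x509 -req -in "$WORK/labtest.csr" -signkey "$WORK/labtest.key" -days 30 \
        -extfile "$WORK/labtest.cnf" -extensions v3_req -out "$WORK/labtest.cer" 2>/dev/null
}

# Checks before creating the certkey: SANs present in the CSR, and the returned certificate
# matches the private key (a mismatch is the usual reason a certkey refuses to install).
csr_san_count() {
    openssl req -in "$WORK/labtest.csr" -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/labtest.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/labtest.cer" -noout -pubkey)" ]
}

# 4) The certkey object: a pointer to the two files, which is what the SSL > Certificates nodes
#    list. Printed rather than executed, since it is a NetScaler CLI command, not a shell one.
certkey_command() {
    printf 'add ssl certKey labtest-certkey -cert labtest.cer -key labtest.key\n'
}

run_all() {
    gen_key && write_req_config && gen_csr && sign_csr_self
    echo "SANs in CSR: $(csr_san_count)"
    key_matches_cert && echo "key and certificate match"
    certkey_command
}

if [ "${1:-}" = "run" ]; then run_all; fi
```

Run it as `sh labtest-certs.sh run`; copy labtest.key and the CA-issued (or here, self-signed) labtest.cer to /nsconfig/ssl/ on the ADC and paste the printed `add ssl certKey` line into the CLI. If `key_matches_cert` fails, the CA signed a different request than the one generated from this key, and the certkey will not install.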

@Rhonda Rowland

@Carl Stalhood
Thanks for your engagement!

A question like this usually doesn't get any answers

@Rhonda Rowland:
Yes, I know and am trying to understand what you're saying.
Forget everything about binding the certificate to a virtual server.

Now I only want to create an SSL cert for labtest.local

I think we need to reach a consensus on the approach to "Create Certificate Signing Request (CSR)"

I hope some screenshots will give a better picture of this process.

Here is what I'm doing and what I see:
 

1. SSL files

1.2 Generate RSA key

-labtest.key


 

1.3 CSR - Create Certificate Signing Request (CSR)

-Create Certificate Signing Request (CSR)


1.4 Request Filename
labtest.csr

1.5 Key Filename:

-labtest.key

1.6 Pem

Subject alternative name

-DNS:www.labtest.local DNS:labtest.local


 

Create>

 

2. Nothing happens
Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc
Expected to see something here:

 

3. Troubleshooting

Have set up a root Windows Server with ADCS (Root CA)
Login to Root CA
-Have a look in
Issued certificates

-nothing except all web servers

Failed request

-nothing there

Event log Root CA server

-nothing there

 

On my ADCS server (Root CA)

The only option that is available is "Submit new request", but anyway I try this way (although it is not what I expect to do)

Then I receive the error - see below:

[screenshots of the "Submit new request" error]

-The question is, how do I get to that state where I have a labtest.local.pfx with private key or another .extension certificate so I can move on?

 

Note: It works like a charm to enroll (distribute) client and server certificates for my Windows clients and Windows servers with GPO.

 

 

I hope this clears up how I'm doing it, so you can see what's wrong.

 


 

 

 

 

 


Are you creating the certs in Citrix ADM or the Citrix ADC/NetScaler console?

And which firmware are you on?

 

Go to your Citrix ADC (not adm)

SSL node.

In the right pane, click "Server Certificate Wizard".

Create your private key, cert req, cert, and install certkey steps here in steps 1-4. If you already have steps 1-2 done, you can do step 3.

 

IF this still doesn't work, we'll just switch to the command line to create the certkey.

 

If you have an existing .pfx, you can upload that via the manage certs link (don't use the import pkcs12 as that will upload and convert).

Just upload via the gui or sftp to /nsconfig/ssl and you can create a certkey where the key and file point to the .pfx.

 

Regarding your above procedure:

 

3 hours ago, Peter Fällman said:

2. Nothing happens
Looking under the Certificates tab in Netscaler -nothing there except ns-root-cert etc
Expected to see something here:

 

The end of step 1 generates a .csr which would be in the .csr tab. You haven't created the CERT yet.

End of step 1 is your .csr.

You then use the .csr to generate the cert.

 

But use the wizard I pointed you to; it should do all things. But confirm your build version to make sure.

Hi Bit-101

 

Don't wish to tread on Rhonda's and Carl's toes, but are you more comfortable using Windows IIS to generate SSL certs? If yes, then create the CSR on IIS, get it signed, and import it back into IIS to marry it to the private key, then export it as a pfx file but don't tick 'include all certs...' during the export.

You'll need the intermediate and possibly the root certs for your CA so import those separately into the ADC.

You can use the IIS Server that was installed during your StoreFront installation to do this.

Once you have the pfx file, import it into the ADC using the "import PKCS#12" link, give it a name different to the actual pfx file as it imports the pfx and converts it to PEM format on the fly and saves that to the same location and you can't have two files with the same name. You'll need the password you used to export the pfx file in the first place.

Once it's imported, you'll need to install it as a certificate in the "Server Certificates" section. (I know, importing the PKCS#12 into the NetScaler is not the same as installing it in the 'Server Certificates' section.) You'll be prompted for both the certificate and key file. As both are in the same PEM file, you just select the same file both times.

You'll also need to add the intermediate (and possibly root) certificates into the 'CA Certificates' section. Then link them all together.

You can then add the server certificate into whatever feature you want (e.g. Citrix Gateway vServer, Load Balancing vServer, Content Switching vServer, etc)

I find it easier and quicker using IIS for generating my CSR files...

 

Important Note: if you're using your own Enterprise CA for signing certificates, you must enable the CA to issue SAN certificates (https://www.vkernel.ro/blog/configure-internal-windows-ca-to-issue-san-certificates) and then add the SAN option into the request (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/add-san-to-secure-ldap-certificate). The second link is for an LDAP cert but the principle is the same. If your certificate doesn't have a SAN entry then Chrome/Edge/etc will regard it as untrusted.

 

Regards

 

Ken Z

 


Just had a proper read of the learn.microsoft.com article and its instructions on how to request a SAN certificate using certreq.exe aren't the best...

Do the following once you have the csr file...

 

certreq.exe -submit -attrib "SAN:DNS=server.domain.com" -attrib "CertificateTemplate:WebServer" 

 

This assumes that you've published the CA template as "WebServer". Also replace 'server.domain.com' with your FQDN name. If you're getting a wildcard signed, then use the following

 

"SAN:DNS=*.domain.com&DNS=domain.com" where domain.com is your DNS suffix you're using for the certificate

 

You'll also see popup boxes appear asking for the CSR, CA, etc

 

Regards

 

Ken Z

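Both the AD CS error quoted earlier in the thread (a request that carries no certificate-template information) and Ken Z's certreq.exe submission with -attrib "SAN:..." and -attrib "CertificateTemplate:WebServer" come down to what is, or is not, inside the .csr file. The Python script below is an added example, not code from the thread, from Citrix or from Microsoft: with the standard library only, it walks the DER of a PKCS#10 request and reports the SAN DNS names and whether a Microsoft certificate-template name (extension OID 1.3.6.1.4.1.311.20.2) is embedded; if it is not, the template has to be named at submission time, which is exactly what the -attrib does. The sample CSR it builds is constructed and unsigned (placeholder key and signature) purely to exercise the parser; the hostnames and the template name "WebServer" are taken from the thread and are assumptions, not values read from any real system.

```python
"""Inspect a PKCS#10 CSR (the .csr NetScaler writes under /nsconfig/ssl) for what an AD CS CA
checks on submission: a subjectAltName extension and a Microsoft certificate-template hint."""
import base64
import re

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest attribute
OID_SAN = "2.5.29.17"                            # subjectAltName extension
OID_MS_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"    # Microsoft V1 certificate template name (BMPString)

def _tlv(buf, pos=0):
    """Return (tag, content, position after this TLV) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        yield tag, body

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                       # base-128 arcs; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def load_csr(text_or_der):
    """Accept PEM text (as downloaded from the ADC GUI) or raw DER bytes."""
    if isinstance(text_or_der, bytes):
        return text_or_der
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", text_or_der))

def inspect_csr(der):
    """Return the SAN DNS names and any template name embedded in the request."""
    _, csr, _ = _tlv(der)                    # CertificationRequest
    _, info, _ = _tlv(csr)                   # certificationRequestInfo
    parts = list(_children(info))            # version, subject, spki, [0] attributes
    result = {"sans": [], "template": None}
    attributes = parts[3][1] if len(parts) > 3 and parts[3][0] == 0xA0 else b""
    for _, attr in _children(attributes):
        (_, oid_body), (_, values) = list(_children(attr))
        if _decode_oid(oid_body) != OID_EXTENSION_REQUEST:
            continue
        _, extensions = next(_children(values))           # SET holds one Extensions SEQUENCE
        for _, ext in _children(extensions):
            fields = list(_children(ext))                 # extnID, [critical], extnValue
            ext_oid = _decode_oid(fields[0][1])
            _, inner, _ = _tlv(fields[-1][1])             # value wrapped in the OCTET STRING
            if ext_oid == OID_SAN:                        # dNSName is [2] IMPLICIT IA5String
                result["sans"] += [n.decode("ascii") for t, n in _children(inner) if t == 0x82]
            elif ext_oid == OID_MS_TEMPLATE_NAME:
                result["template"] = inner.decode("utf-16-be")
    return result

def findings(result):
    """Pre-submission checks: is a SAN present, and does the request name a template?"""
    notes = []
    if not result["sans"]:
        notes.append("no subjectAltName: browsers will not trust the issued certificate")
    if result["template"] is None:
        notes.append("no certificate template in the request: supply it at submission, "
                     "e.g. certreq.exe -attrib CertificateTemplate:<name>, or the CA rejects it")
    return notes

# Minimal DER encoding, used only to construct the offline sample below.
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _der(0x06, bytes(out))

def build_sample_csr(cn, dns_names, template=None):
    """CONSTRUCTED sample with a placeholder RSA key and signature: it only exercises the parser."""
    subject = _der(0x30, _der(0x31, _der(0x30, _encode_oid("2.5.4.3") + _der(0x0C, cn.encode()))))
    rsa_alg = _der(0x30, _encode_oid("1.2.840.113549.1.1.1") + _der(0x05, b""))
    spki = _der(0x30, rsa_alg + _der(0x03, bytes(33)))   # placeholder public key BIT STRING
    san = _der(0x30, b"".join(_der(0x82, n.encode("ascii")) for n in dns_names))
    exts = [_der(0x30, _encode_oid(OID_SAN) + _der(0x04, san))]
    if template:                                         # what certreq / AD CS clients embed
        bmp = _der(0x1E, template.encode("utf-16-be"))
        exts.append(_der(0x30, _encode_oid(OID_MS_TEMPLATE_NAME) + _der(0x04, bmp)))
    ext_req = _der(0x30, _encode_oid(OID_EXTENSION_REQUEST) + _der(0x31, _der(0x30, b"".join(exts))))
    info = _der(0x30, _der(0x02, b"\x00") + subject + spki + _der(0xA0, ext_req))
    sha256_rsa = _der(0x30, _encode_oid("1.2.840.113549.1.1.11") + _der(0x05, b""))
    return _der(0x30, info + sha256_rsa + _der(0x03, bytes(33)))   # placeholder signature

def to_pem(der):
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s-----END CERTIFICATE REQUEST-----\n" % base64.encodebytes(der).decode()
```

On a real request, run `findings(inspect_csr(load_csr(open("labtest.csr").read())))` against the .csr downloaded from Manage Certificates. A CSR produced by the NetScaler GUI comes back with the SANs but no template, which is the state the thread's AD CS error describes; naming the template on the certreq.exe command line, as in Ken Z's post, resolves it without any change to the request itself.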