Before I begin, I am aware that there is a Citrix KB article that provides a walkthrough of generating a CSR and installing a certificate on a NetScaler VPX 1000 appliance but after going through the guide a few times over the past year, I feel that certain steps could be explained with a bit more in depth so this blog post serves to fill in the gaps that I felt the KB had. Note that the following example are the settings used to generate a request for a certificate purchased from GoDaddy.
Create an RSA Key
Unlike what most of us Windows administrators are used to, we need to create an RSA key for the appliance prior to generating a CSR for the NetScaler appliance so begin by navigate to SSL –> SSL Keys click on Create RSA Key:
From with in the Create RSA Key window, fill in the following:
Key Filename: a logical name of your choosing.
Key Size (bits): depending on the issuer of the certificate you’ll be purchasing, it will be multiples of 1024. 2048 is the new standard of Windows Server 2008 and I believe GoDaddy does not issue any certificates below that key size so start with 2048.
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: Blank
PEM Passphrase: Blank
Verify Passphrase: Blank
Once the RSA key has been generated, you should be able to view it in Tools –> Manage Certificates / Keys / CSRs:
Create a CSR Request
With the RSA key generated, navigate to SSL –> SSL Certificates and click on Create CSR (Certificate Signing Request):
From within the Create CSR (Certificate Signing Request) window, fill in the following fields:
Request File Name: clicking on the browse button will bring you to the directory /nsconfig/ssl/ where you should name the CSR that you will be creating (i.e. CSR-to-send-to-GoDaddy).
Key File Name: select the RSA key that you generated in the step above.
Key Format: PEM
PEM Passphrase (For Encrypted Key): since the first step demonstrated does not include encrypting the PEM, leave this blank.
Common Name: this is the common name of the certificate (i.e. remote.domain.com)
City, Organization Name, Country, State or Province, Email Address, Organization Unit: fill in the appropriate information.
Challenge Password: password of your choice but make sure you document it as you’ll need it later.
Once the CSR has been created, you should be able to view it in Tools –> Manage Certificates / Keys / CSRs:
Retrieving the CSR Request
With the CSR created, the next step is to retrieve the CSR and submit to the issuing Certificate Authority. The 2 ways to you can use to retrieve the CSR are is:
NetScaler Configuration Console
You can also retrieve it via Tools –> Manage Certificates / Keys / CSRs:
… and using the Download feature:
Uploading Signed Response Server Certificate
I won’t bother including screenshots but uploading the response server certificate you receive from the CA can be done the same way as downloading it.
Installing Signed Response Server Certificate
Once you’ve uploaded the response server certificate you receive from the CA, proceed with navigating to SSL –> Certificates and clicking on the Install button:
The Install Certificate window will be displayed:
Fill in the fields as such:
Certificate-Key Pair Name: this is a logical name you provide and this name is the one you’ll choose when assigning the certificate (i.e. remote.domain.com).
Certificate File Name: click on the Browse (Appliance) button to bring up the .crt file you received from the CA and uploaded to the /nsconfig/ssl/ directory.
Private Key File Name: click on the Browse (Appliance) button and select the RSA key you generated in the first step.
Password: type in the Challenge Password you used when generating the CSR request.
Certificate Format: select PEM or DER depending on the format you used.
Notify When Expires: choose Enable or Disable.
Notification Period: enter a notification period if you choose to.
Proceed by clicking on the Install button:
Note that if you receive the following error:
Certificate with key size greater than RSA512 or DSA512 bits not supported
… it’s usually because you don’t have a proper license installed onto the NetScaler appliance because in trial mode, certificates greater than 512 bits is not supported.
You should see the following newly listed certificate once the key successfully installs:
There you have it. Now you can continue with assigning this certificate to a virtual server.