NetScaler: How to create a CSR and key file for a SAN certificate.


I was working with a customer on a XenMobile project, and as the customer would like to use a SAN certificate, I searched for a solution and share the detailed steps below.

Here’s how you do it:

1. Create an OpenSSL configuration file on the local computer, editing the fields to match the company's requirements.
Note: In the example used in this article, the configuration file is “req.conf”.
Note 2: “req_extensions” puts the subject alternative names in a CSR, whereas “x509_extensions” would be used when creating an actual certificate file.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = GB
ST = London
L = London
O = Company
OU = IT
CN = mam.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = nsg.company.com

2. Upload the file to the /nsconfig/ssl directory on the NetScaler appliance.

3. Log on to the NetScaler command line interface as nsroot and switch to the shell prompt.

Run the following commands to create the Certificate Signing Request and a new Key file:
cd /nsconfig/ssl
openssl req -new -out company.com.csr -newkey rsa:2048 -nodes -sha256 -keyout company.com.key.temp -config req.conf 

Run the following command to verify the Certificate Signing Request:

openssl req -text -noout -verify -in company.com.csr

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=London, L=London, O=Company, OU=IT, CN=mam.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:nsg.company.com
    Signature Algorithm: sha256WithRSAEncryption

Run this command to convert the key file into the correct format for use on NetScaler:

openssl rsa -in company.com.key.temp -out company.com.key

rm company.com.key.temp

4. Download the Certificate Signing Request file “company.com.csr” and provide it to your certification authority of choice for signing.

5. Upload the certificate provided by the certification authority into the /nsconfig/ssl directory on the NetScaler appliance and install the certificate using the previously created “company.com.key” file.
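
A pre-submission check for the CSR and key produced in step 3, as an added example that is not part of the original article. The function names are hypothetical and the script assumes only that openssl is on the PATH; it checks that the CN host name is also listed in subjectAltName, that the key belongs to the CSR, and that the unencrypted key file is readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the article): sanity checks for a CSR/key pair
# before the CSR is sent to the certification authority.
# Usage: sh check_csr.sh company.com.csr company.com.key

# Print the subject commonName of the CSR in $1.
csr_cn() {
    openssl req -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= *//p'
}

# Print each dNSName requested in subjectAltName, one per line.
csr_san_dns() {
    openssl req -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 when the CSR in $1 and the key in $2 pass every check, 1 otherwise.
check_csr() {
    csr=$1 key=$2 rc=0
    cn=$(csr_cn "$csr")
    # When subjectAltName DNS entries are present, clients match the host
    # name against them and not the CN (RFC 6125), so the CN host name
    # has to appear as a SAN entry too.
    if ! csr_san_dns "$csr" | grep -qxF -- "$cn"; then
        echo "FAIL: CN '$cn' is not in subjectAltName"; rc=1
    fi
    # The key kept on the appliance must be the one the CSR was built from.
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ]; then
        echo "FAIL: key does not match the CSR public key"; rc=1
    fi
    # The key was written with -nodes (unencrypted): owner-only access.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: key file is group- or world-readable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $csr"
    return "$rc"
}

if [ $# -eq 2 ]; then check_csr "$1" "$2"; fi
```

Run against a CSR generated from the req.conf above, it reports that mam.company.com is missing from subjectAltName; adding it as DNS.2 under [alt_names] and regenerating the CSR clears the finding.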