NetScaler: Generating Active Directory CA SSL SAN certificates for NetScaler 11


A Subject Alternative Name (SAN) certificate is a certificate that is valid for more than one host name: the Subject still carries a single Common Name, and the SAN extension lists every FQDN (and, optionally, IP address) the certificate covers. Browsers and other TLS clients validate the host name against the SAN list, not the CN, so every name you need, including the CN itself, must appear there.

These certificates will be used for the NetScaler Gateway website.

I assume you have an AD CA configured and can generate certificates using the GUI (the method described below). I also assume you have already exported your CA’s root certificate and uploaded it to the NetScaler.

Part 1: Generate SAN certificate using AD CA

Part 2: Configure & Install the certificate on the NetScaler.

Generate and sign the SAN certificate (in one go).

  1. Log on to your AD CA and load the Certificates snap-in into a new MMC for the local computer account.
  2. Drill down to Personal > Certificates.
  3. Right-click Certificates and select All Tasks > Request New Certificate…

  4. Click Next and Next.
  5. Tick your web server template.

  6. Click the little down arrow (˅) next to “Details” and click the Properties button.
  7. On the Subject tab, in the “Subject name” area, click the “Type” drop-down and select Common Name.
  8. In the “Value” field, enter the FQDN of the host this certificate will primarily serve; this becomes the Common Name.
  9. Click Add >.
  10. Again, click the “Type” drop-down and add values for Organisational Unit, Organisation, Locality, Country and State, clicking Add > after each to move the value to the right. (Add or remove fields as required by your CA. This certificate is essentially internal, so the CA won’t be as fussy as a public CA such as VeriSign.)

  11. Now for the Subject Alternative Names. In the “Alternative name” area, click the “Type” drop-down and select DNS.
  12. In the “Value” field, enter exactly the same value you gave for the common name (step 8).

    If the CN is not also in the SAN list, connections to that name will fail validation: browsers and most other TLS clients check the host name against the SAN extension and ignore the CN.

  13. Now enter the alternative names you wish this certificate to secure.

    The finished dialogue should look something like this:

    I have also added IP addresses, including a public one. This certificate won’t be used for production, but it will help in testing before I generate the real certificate from a public CA such as VeriSign or GoDaddy.

  14. Click the General tab and enter a friendly name (gateway.arcotek.ltd.uk_SAN) and, optionally, a description.

    My website template is set up in a way that I don’t need to worry about anything on the Extensions tab. Needless to say, the key usage is Digital Signature and Key Encipherment and the extended key usage is Server Authentication. I’ve never had to worry about any of the other settings.

  15. Click the Private Key tab.
  16. Click the little down arrow (˅) for “Key Options” and make sure “Make private key exportable” is ticked.
  17. If the template allows, set the key size (nothing less than 2048 bits).

    Again, I haven’t had to worry about any other setting. The template was a copy of the built-in Web Server one that comes with an AD CA.

  18. Click OK.
  19. Click Enrol.
  20. If all is well, the certificate will have been created successfully. Click Finish.

The certificate should now be in the computer’s Personal store. In my example, the certificate is listed with its friendly name of gateway.arcotek.ltd.uk_SAN.
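The same enrolment can be done from an elevated PowerShell prompt with certreq and an INF file, which is handy when you need to repeat it or keep the request under version control. This is an added example and not the post’s own procedure; the extra DNS name, the IP address, the subject fields, the template name and the CA config string are placeholders you must replace, and the CA is assumed to issue the Web Server template automatically.

```powershell
# Added example, not from the original post: request and enrol a SAN certificate
# from the AD CA with certreq instead of the MMC wizard. Run elevated on a domain member.
# Placeholders (assumptions, not from the post): the extra DNS name, the IP address,
# the subject fields, the template name and $CaConfig.

$Fqdn     = 'gateway.arcotek.ltd.uk'                   # common name (from the post)
$SanNames = @('gateway.arcotek.ltd.uk',                # the CN must be repeated as a SAN entry
              'portal.arcotek.ltd.uk')                 # assumed extra host name
$SanIPs   = @('10.0.0.10')                             # assumed; test use only
$Template = 'WebServer'                                # template *name*, not display name (assumed)
$CaConfig = 'ca01.arcotek.ltd.uk\Arcotek-Issuing-CA'   # assumed; list yours with: certutil -config - -ping

# The SAN extension (OID 2.5.29.17) is written as "{text}" followed by one
# "_continue_" line per entry, each terminated with "&".
$SanEntries = @($SanNames | ForEach-Object { "dns=$_" }) + @($SanIPs | ForEach-Object { "ipaddress=$_" })
$SanText    = ($SanEntries | ForEach-Object { "_continue_ = `"$_&`"" }) -join "`r`n"

$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=$Fqdn, OU=IT, O=Arcotek, L=London, S=England, C=GB"
KeyAlgorithm  = RSA
KeyLength     = 2048
HashAlgorithm = sha256
Exportable    = TRUE
MachineKeySet = TRUE
KeySpec       = 1
; 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20), as on the post's template
KeyUsage      = 0xA0
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$SanText

[RequestAttributes]
CertificateTemplate = $Template
"@

$Work = Join-Path $env:TEMP "san-$Fqdn"
New-Item -ItemType Directory -Force -Path $Work | Out-Null
Set-Content -Path "$Work\request.inf" -Value $Inf -Encoding ASCII

# 1. Create the CSR; the exportable private key is generated in the machine store.
& certreq.exe -new "$Work\request.inf" "$Work\request.req"
# 2. Submit to the CA; if the template auto-issues, the signed certificate comes straight back.
& certreq.exe -submit -config $CaConfig "$Work\request.req" "$Work\issued.cer"
# 3. Install the issued certificate and bind it to the pending private key.
& certreq.exe -accept "$Work\issued.cer"

# Give it the friendly name the post uses so the later steps can find it.
$Issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$Work\issued.cer"
$Cert   = Get-Item "Cert:\LocalMachine\My\$($Issued.Thumbprint)"
$Cert.FriendlyName = "${Fqdn}_SAN"
$Cert | Format-List Subject, DnsNameList, NotAfter, HasPrivateKey
```

The SAN in the request is honoured only because the Web Server template (and any copy of it) has its subject name set to “Supply in the request”. Do not “fix” a missing SAN by enabling the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA: that flag makes the CA accept a SAN from the request attributes for every template, including those that build the subject from Active Directory, so any account that can enrol could obtain a certificate for an arbitrary name. Keep enrolment permissions on the “Supply in the request” template restricted to the administrators who need it.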

To check the SAN info is correct:

  1. Double-click the certificate.
  2. Click the Details tab.
  3. Scroll down to and click “Subject Alternative Name”, and confirm every FQDN (and IP address) you entered is listed.

It’s also worth checking, on the Certification Path tab, that the chain runs from the certificate up to your root CA and the certificate status reads “This certificate is OK”.

Then export the certificate twice, once with the private key and once without:

  1. Export the certificate (with private key):
    1. Right-click on the certificate and choose All Tasks > Export…
    2. Click Next.
    3. Select “Yes, export the private key”.
    4. Click Next.
    5. Select “Personal Information Exchange PKCS #12 (.PFX).”
    6. Tick “Include all certificates in the certificate chain if possible”.
    7. Tick “Export all extended properties”.
    8. Click Next.
    9. Tick “Password” and enter your password twice.
    10. Click Next.
    11. Save the certificate to disk with a meaningful name (e.g. FQDN).
    12. Click Next.
    13. Confirm your choices and click Finish.
    14. Click OK to “The export was successful” dialogue.
  2. Export the certificate again, (without the private key):
    1. Right-click on the certificate and choose All Tasks > Export…
    2. Click Next.
    3. Select “No, do not export the private key”.
    4. Click Next.
    5. Select “Base-64 encoded X.509 (.CER)”.
    6. Click Next.
    7. Save the certificate to disk with a meaningful name (e.g. FQDN).
    8. Click Next.
    9. Confirm your choices and click Finish.
    10. Click OK to “The export was successful” dialogue.
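The SAN check, the chain check and the two exports above can also be scripted, which makes the check repeatable before every renewal. This is an added example, not the post’s own procedure; the second expected host name and the output folder are assumptions. The PEM file is written by hand rather than with Export-Certificate because that cmdlet only emits DER, and the wizard’s “Base-64 encoded X.509” option is what the post asks for.

```powershell
# Added example, not from the original post: verify the enrolled certificate
# (SAN list, private key, chain) and export it twice as the post describes:
# a password-protected PFX with key and chain, and a Base-64 .CER without the key.
# Assumptions (not from the post): the second expected name and $OutDir.

$FriendlyName = 'gateway.arcotek.ltd.uk_SAN'                           # from the post
$Expected     = @('gateway.arcotek.ltd.uk', 'portal.arcotek.ltd.uk')   # second name assumed
$OutDir       = 'C:\certs'                                             # assumed

$Cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($Cert.Count -ne 1) { throw "Expected exactly one certificate named '$FriendlyName', found $($Cert.Count)" }
$Cert = $Cert[0]
if (-not $Cert.HasPrivateKey) { throw 'No private key is associated with this certificate; the PFX export would fail' }

# 1. SAN check: read the 2.5.29.17 extension and require the CN plus every expected name.
$SanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $SanExt) { throw 'The certificate has no Subject Alternative Name extension' }
$SanText = $SanExt.Format($false)      # e.g. "DNS Name=gateway.arcotek.ltd.uk, IP Address=10.0.0.10"
$SanDns  = [regex]::Matches($SanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
$Cn      = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($SanDns -notcontains $Cn) { throw "CN '$Cn' is missing from the SAN list; clients validate against the SAN, not the CN" }
$Missing = @($Expected | Where-Object { $SanDns -notcontains $_ })
if ($Missing.Count) { throw "SAN list is missing: $($Missing -join ', ')" }
Write-Host "SAN: $SanText"

# 2. Chain check, the scripted equivalent of the Certification Path tab: build the
#    chain against the machine trust store and apply the TLS server policy for the CN.
if (-not (Test-Certificate -Cert $Cert -Policy SSL -DNSName $Cn)) {
    throw 'Chain/SSL policy check failed; is the CA root in Trusted Root Certification Authorities?'
}

# 3. Export with the private key: PKCS #12 including the chain, password-protected.
#    This file contains the private key; treat it as a secret and delete it after upload.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$Base = Join-Path $OutDir $Cn
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $Cert -FilePath "$Base.pfx" -Password $PfxPassword -ChainOption BuildChain | Out-Null

# 4. Export without the private key: Base-64 encoded X.509 (PEM), end-entity only,
#    wrapped at 64 characters as the MMC wizard and certutil -encode do.
$B64   = [Convert]::ToBase64String($Cert.RawData)
$Lines = for ($i = 0; $i -lt $B64.Length; $i += 64) { $B64.Substring($i, [Math]::Min(64, $B64.Length - $i)) }
$Pem   = @('-----BEGIN CERTIFICATE-----') + $Lines + @('-----END CERTIFICATE-----')
Set-Content -Path "$Base.cer" -Value $Pem -Encoding ASCII
Get-ChildItem "$Base.pfx", "$Base.cer" | Select-Object Name, Length
```

Test-Certificate fails (and the script stops) if the issuing CA’s root is not in the machine’s Trusted Root store, which is the same condition that shows as a broken Certification Path in the MMC. The .pfx is the only copy of the private key outside the machine store, so keep it off shared drives and remove it once it has been installed on the NetScaler.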


Next: Part 2: Configuring & Installing the certificate on the NetScaler.

Please feel free to leave a comment...