How To: Create a Certificate using Citrix NetScaler
In this AskSupport How To video you will learn how to create a certificate using Citrix NetScaler.
Transcript: Hi. My name is Ronan O’Brien, and I work in the Citrix Tech Support Readiness Team. Today I’m going to look at how to create a certificate on a NetScaler or Access Gateway Enterprise Edition appliance. So the first thing we’re going to do is go open our config utility. We can do everything, of course, in the CLI. That’s the Command Line Interface. But that’s not very interesting for you guys to watch, really, me typing in commands. So let’s do it here in the config utility.

So the first thing I’m going to do, is I’m going to add what we call a Root CA, a Root Certificate Authority. So I’m going to call this My TestRoot-CA. This is an arbitrary name, just something I can type in that makes sense to me. This is what we’re going to see under the name field here, and it’s how we will refer to it when we go to any of the configurations. So I’m going to choose Browse here on the appliance. And for the certificate name, I’m just going to use this ns-root.cert. This should already be on the box by default. Okay? Just use existing ones. We could create our own, if we wanted, but we want to try and keep this screencast as short as possible. Next thing I’m going to pick here, oops, is the root key. Now, if you’re sharp-eyed, you will see in here, when I click this little arrow, we have Local and Appliance. Okay? That basically means if I want to upload a certificate and key pair that I have on my workstation here. So, I choose Local, and then I can browse my desktop or my local file system here on my laptop. So, basically, that’s all we’re going to do here. My TestRoot-CA. Hit Install. And that’s it. Okay? So that’s our Root Certificate Authority.

Now the next step we’re going to do is create our…create a key. Okay? So let’s come on here. There are some wizards that we can follow through the Certificate wizard here. It just pops open for a second, and this will step us through creating a key…a certificate signing request, a CSR.
And then we create the certificate itself. And then we install it. Okay? So let’s just follow this. It’s nice and easy.

So here we have the RSA, the key type is RSA. And we just give the key…the key file name. So anywhere we have a star here, this means that we…in the GUI, it means we have to type something in. It’s mandatory. So, the key file name I’m just going to call My Test.key. The key size, I’ll choose 1024. Why not? So, you see that there is a browse option here, but we don’t really want to browse, because this key is going to be created at this point. So I click Next.

And then we have to create the CSR. Okay. So the request file name is going to be My Test.CSR. So, you see, I’m not going to bother doing a passphrase. If I wanted to, I could. And I give the common name. Okay? So what’s the common name? That’s basically the web site name. So let’s say it’s going to be www.mytestwebsite.com, for example. Okay? This is important that we get this right, if it’s for a production site. It has to match the DNS name that you give…that you assign to your Vserver or the DNS name that you’re load balancing. If this name doesn’t match it, you get one of those browser errors when you connect with SSL. So I’ll prov…apply to provide a state or a province name. Okay? So I’m here in Dublin, Ireland. An organization name. Citrix Tech Support, for example. Here we go. So, that’s our CS…that’s our certificate signing request.

Now we have to choose the certificate name. So MyTest.cert, like so. And we have the MyTest.csr, MyTest.key. I want this to be a server certificate. Okay? So we’re going to bind this to a VServer. Okay. Once I choose this server cert, you’ll notice that some options get grayed out here. Okay? What’s going on here? We need to provide the certificate authority. What we’re actually doing here at this point is, we’re signing the certificate ourselves.
If you wanted to, for example, create a certificate signing request to create a cert that you wanted to have signed by VeriSign or one of the commercial certificate authority providers, you just simply have to go to Create Certificate Request here, and just fill this out. Okay? But we’re just going to do the whole lot in one go.

We need to provide the CA Certificate File Name, okay, which is…we know is ns-root.cert. That’s what we chose earlier on. The CA Key file name, the certificate authority, which is ns-root.key. And the CA serial number file, which is going to be here, ns-root.srl. It’s just a file with a number in it. Okay? All these files are on the system by default. So, that should create our server certificate. I’ll click Next.

And now we have to install it on the system. So I’m going to give it a…the Certificate Key-Pair Name. This is the key and the certificate basically installing it on the appliance. So I’m going to call it MyTestCertificate. Okay? So a name that makes sense. And click Next. And Finish. So I click Exit at this point. Go to Certificates. And there we see MyTestCertificate. And that’s it. So that’s basically how to create a certificate, the keys, the certificate, everything, all you need to do to have your own SSL certificate. Very easy. Very simple to do. Great for setting up test cases or sample.

Okay. So, how do we want to use it? We want to enable the SSL feature. Okay? I just right click there on SSL. We can also enable the feature here in System, Settings, and basic features. Okay? You’ll see SSL offloading is there. Let’s enable load balancing, and there we go. So, this is a pretty clean system. There’s only one IP in the box, so I want to create a Vserver and bind that certificate to it. So, let’s create some IP addresses. 51. This is going to be our subnet IP. Better give that a mask. Create. And then we can go down to load balancing. I’m going to create the VIP, the Virtual IP, on the fly. Let’s create a service.
There are some other screencasts on Citrix TV that will show you how to create and will talk about load balancing. So I’ll just go through this quite quickly. Hope there’s a web server there. Okay. Let’s throw a…why not?...http monitor on there. Click Create. Oops. Now, there we go. The service is up. That means that it’s responding with a 200 OK response code, because we’re doing http monitoring.

So let’s go to the LB VServer. And I want to have SSL. Okay? I’m going to do some SSL offloading here. LB-VServer. And here’s where I create the IP on the fly. 152. I have to bind this to it. It’s important that I do this here. In addition, SSL settings. Here’s where we put the certificate on there. So MyTestCertificate goes on like so. I click Create. And there we go. LB-VServer and its IP address.

So let’s go to this web site. Note https. Hit enter. And here we get a warning. It’s an unknown…signed by an unknown authority, because obviously my NetScaler is not a registered certificate authority. So we get this option here. I’m going to choose Examine Certificate. These are the details. We can see the DNS name I typed in. I have all this information here that we may want handy for troubleshooting. So, I’m happy with this. I’m going to accept this. I can accept permanently or temporarily. This is a browser option. I’m going to click OK. So, a few browser warnings, and then we can see, this is just a test page, and we’re connected with SSL. So that’s how to set up a test SSL certificate.
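
The wizard steps from the video (key, CSR, signing with a CA certificate, key and serial file) and the common-name match it stresses, reproduced with the `openssl` command line as an added example; this is not part of the original video and not Citrix tooling. The throwaway root CA stands in for `ns-root.cert`/`ns-root.key`, the function names are made up for this example, and the key is 2048-bit RSA where the video picks 1024, a size public CAs no longer accept.

```shell
#!/bin/sh
# Added example (assumes an openssl binary on PATH). File names mirror the video.

build_test_cert() {   # $1 = work directory, $2 = common name for the server cert
    dir=$1; cn=$2
    # Constructed stand-in for the appliance's default root CA files.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.cert" 2>/dev/null || return 1
    # Wizard step 1: create the RSA key.
    openssl genrsa -out "$dir/MyTest.key" 2048 2>/dev/null || return 1
    # Wizard step 2: create the CSR; the common name is the site's DNS name.
    openssl req -new -key "$dir/MyTest.key" -out "$dir/MyTest.csr" \
        -subj "/C=IE/ST=Dublin/O=Citrix Tech Support/CN=$cn" || return 1
    # Wizard step 3: sign with the CA cert, CA key and CA serial file.
    # The serial file is "just a file with a number in it" (hex).
    echo 01 > "$dir/root.srl"
    openssl x509 -req -in "$dir/MyTest.csr" -days 30 \
        -CA "$dir/root.cert" -CAkey "$dir/root.key" -CAserial "$dir/root.srl" \
        -out "$dir/MyTest.cert" 2>/dev/null || return 1
}

# The chain verifies only for a client that trusts the signing root; a browser
# that does not have it reports "signed by an unknown authority".
chain_ok() {
    openssl verify -CAfile "$1/root.cert" "$1/MyTest.cert" >/dev/null 2>&1
}

# Succeeds only if the name a client connects to matches the certificate.
# With no subjectAltName present, openssl falls back to the common name;
# current browsers check subjectAltName only.
name_ok() {   # $1 = work directory, $2 = hostname the client uses
    openssl x509 -in "$1/MyTest.cert" -noout -checkhost "$2" 2>/dev/null \
        | grep -q "does match"
}

# Demo run in a temporary directory; lb.example.test is a constructed hostname.
work=$(mktemp -d)
build_test_cert "$work" www.mytestwebsite.com && chain_ok "$work" \
    && echo "chain verifies against the test root"
name_ok "$work" www.mytestwebsite.com && echo "common name matches"
name_ok "$work" lb.example.test || echo "name mismatch: client would see an SSL error"
rm -rf "$work"
```
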