This article describes how to create a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names.
My solution is based on CTX135602, but validated on NetScaler 10.5.
Here’s how you do it:
1. Create an OpenSSL configuration file on the local computer, editing the fields to match your company's requirements.
Note: In the example used in this article, the configuration file is “req.conf”.
Note 2: “req_extensions” puts the subject alternative names in a CSR, whereas “x509_extensions” would be used when creating an actual certificate file.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
2. Upload the file to the /nsconfig/ssl directory on the NetScaler appliance.
3. Log on to the NetScaler command line interface as nsroot and switch to the shell prompt.
Run the following command to create the Certificate Signing Request and a new key file:
openssl req -new -out company.com.csr -newkey rsa:2048 -nodes -sha256 -keyout company.com.key.temp -config req.conf
Run the following command to verify the Certificate Signing Request:
openssl req -text -noout -verify -in company.com.csr
Version: 0 (0x0)
Subject: C=US, ST=VA, L=SomeCity, O=MyCompany, OU=MyDivision, CN=www.company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:www.company.net, DNS:company.com, DNS:company.net
Signature Algorithm: sha256WithRSAEncryption
Run this command to convert the key file into the correct format for use on NetScaler:
openssl rsa -in company.com.key.temp -out company.com.key
4. Download the Certificate Signing Request file “company.com.csr” and provide it to your certification authority of choice for signing.
5. Upload the certificate provided by the certification authority into the /nsconfig/ssl directory on the NetScaler appliance and install the certificate using the previously created “company.com.key” file.
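The verification in step 3 is easy to misread when the SAN list is long, and a name missing from the CSR will also be missing from the issued certificate. The script below is an added example, not part of the original article or CTX135602: it compares the DNS entries under [alt_names] in the config with the names in the "openssl req -text" output and lists any that did not make it into the request. The function names and the sample CSR text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: report alt_names entries in
# the OpenSSL config that are absent from the CSR's Subject Alternative Name.

# conf_sans FILE: print the DNS values of the [alt_names] section, one per line.
conf_sans() {
    awk '
        /^[ \t]*\[/ { in_alt = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/); next }
        in_alt && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print
        }' "$1"
}

# csr_sans: read "openssl req -text -noout" output on stdin, print its DNS SANs.
csr_sans() {
    awk '
        found { sub(/[ \t\r]+$/, ""); n = split($0, a, /,[ \t]*/)
                for (i = 1; i <= n; i++)
                    if (sub(/^[ \t]*DNS:/, "", a[i])) print a[i]
                exit }
        /X509v3 Subject Alternative Name/ { found = 1 }'
}

# missing_sans FILE: CSR text on stdin. Prints config names missing from the
# CSR (case-insensitive match) and returns 1 if there are any, else 0.
missing_sans() {
    csr_list=$(csr_sans)
    missing=$(conf_sans "$1" | while read -r name; do
        printf '%s\n' "$csr_list" | grep -qixF -- "$name" || printf '%s\n' "$name"
    done)
    if [ -n "$missing" ]; then printf '%s\n' "$missing"; return 1; fi
    return 0
}

# Constructed sample: the article's alt_names, and CSR text lacking one name.
demo() {
    conf=$(mktemp) || return 2
    printf '%s\n' '[alt_names]' 'DNS.1 = www.company.com' 'DNS.2 = company.com' \
        'DNS.3 = www.company.net' 'DNS.4 = company.net' > "$conf"
    printf '%s\n' '    X509v3 Subject Alternative Name:' \
        '        DNS:www.company.net, DNS:company.com, DNS:company.net' |
        missing_sans "$conf" && rc=0 || rc=$?
    rm -f "$conf"
    return "$rc"
}

# Real use: openssl req -text -noout -in company.com.csr | missing_sans req.conf
demo || echo "CSR is missing the name(s) listed above" >&2
```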
Please post below if you have any problems.