CTX205290

How Do I Set Up a Self-Signed Certificate on NetScaler?

Applicable Products

  • Citrix ADC

Objective

This article describes how to set up a self-signed certificate on NetScaler.

Use Case

A self-signed SSL Certificate (mostly used for test purposes) is needed to test NetScaler’s SSL offloading feature internally (in a non-production environment).

Introduction to SSL Certificate

Any organizational or individual website that handles confidential or sensitive information needs an SSL certificate. An SSL certificate installed on a web server mitigates the risk of sensitive information being stolen by ensuring that end users are connecting to the correct host. It not only authenticates a website’s identity but also participates in generating the session key, which is later used to encrypt the entire session.

A certificate contains information about the owner to whom it is issued, as well as the issuing authority that certifies (signs) this information. It also contains a public key and a hash to ensure that the certificate has not been tampered with. The client browser or application usually has a list of well-known Certification Authorities (CAs), or root CA certificates, that it trusts. Because it trusts the issuing authority, it also trusts any certificate signed by that issuer. The public key attached to the certificate is used to encrypt the data that is passed during the SSL session.

SSL Certificate on NetScaler

As the NetScaler appliance offloads SSL operations from the server, the server's certificate and private key must be present on the appliance, and the certificate must be paired with its corresponding private key. This certificate-key pair must then be bound to the virtual server that processes the SSL transactions.

For the purpose of testing this SSL offloading feature internally, we can create and load a test certificate on the NetScaler and bind it to an SSL virtual server.


Instructions

Method 1: Configuration steps for creating and uploading a self-signed certificate

  1. Create and Install a Test Certificate:
    On GUI: Go to Traffic Management > SSL > SSL Certificates > Create and Install a Server Test Certificate.


  2. Bind the test self-signed certificate to an SSL virtual server.


Method 2: Configuration steps for creating and uploading a self-signed certificate

Self-signed certificates are not to be used in a production setup; on NetScaler they are for testing purposes only.

Below are the steps you can follow to configure a self-signed certificate. You can also use the wizard ‘SSL Server Certificate Wizard’ (under Load Balancing > SSL > Getting Started) to easily navigate through the steps.

  1. Create a Key:
    Go to SSL > SSL Keys > Create RSA Key/Create DSA key.


    create ssl rsakey <RSA_keyname> <size_in_bits>


  2. Create a Certificate Signing Request (CSR):
    Go to SSL > SSL Certificate > Create CSR.
    Fill in the required details. Ensure that the key is the same as the key created in step 1.


    The created file is located in the /nsconfig/ssl directory. Send the CSR file to a CA for signing.

  3. Create a certificate:
    Go to SSL > SSL Certificates > Certificate and fill in the required details. Ensure that the Certificate Request File name matches the CSR created in step 2 and that the Key Filename matches the key created in step 1.


  4. Load Cert/key pair:
    Go to SSL > Certificates > Select Install and browse to upload the certificate and the key.


  5. Bind it to the SSL vserver:
    Go to Load Balancing > Virtual servers > Select the SSL vserver > Click Edit > Certificates > Server Certificates > Select the Certkey pair and click Bind.
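
The same five steps typed at the NetScaler CLI, as an added example that is not part of the original article. The file names, the certificate-key pair name, the subject values and the virtual server name vs-ssl-test are hypothetical, and the SSL virtual server is assumed to exist already.

```netscaler
# Hypothetical names throughout: test.key, test.csr, test.cer,
# test-certkey, vs-ssl-test. Files are created in /nsconfig/ssl,
# the directory named in step 2.

# Step 1: create a 2048-bit RSA private key
create ssl rsakey test.key 2048

# Step 2: create a CSR from that key (subject values are placeholders)
create ssl certReq test.csr -keyFile test.key -countryName US -stateName Example -organizationName ExampleLab -commonName test.example.internal

# Step 3: sign the CSR with its own key; ROOT_CERT makes the result self-signed
create ssl cert test.cer test.csr ROOT_CERT -keyFile test.key -days 365

# Step 4: load the certificate and its private key as a certificate-key pair
add ssl certKey test-certkey -cert test.cer -key test.key

# Step 5: bind the pair to the SSL virtual server
bind ssl vserver vs-ssl-test -certkeyName test-certkey

# Check the result: certificate details first, then the binding
show ssl certKey test-certkey
show ssl vserver vs-ssl-test
```

In the show ssl certKey output, a self-signed certificate lists the same value for Issuer and Subject, which makes it easy to spot a test certificate that is still bound to a virtual server.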


Note: It is recommended that the first method (mentioned in this article) be used as it is simple enough to use for test purposes.

