
Obtaining a Certificate from a Certificate Authority

Sep 01, 2016

A certificate authority (CA) is an entity that issues digital certificates for use in public key cryptography. Applications that conduct SSL transactions, such as web browsers, maintain a trust store listing the CAs they trust, and a certificate is accepted automatically only if it chains to one of those CAs. If the certificate presented for the secure transaction is signed by a trusted CA (directly or through an intermediate CA), the application proceeds with the transaction; otherwise it warns the user or refuses to connect.

To obtain an SSL certificate from a CA that your clients trust, you must create a private key, use that key to create a certificate signing request (CSR), and submit the CSR to the CA. The only special characters allowed in the key, CSR, and certificate file names on the appliance are the underscore (_) and the period (.).

Creating a Private Key

The private key is the most sensitive part of an SSL key pair. The certificate itself contains only the matching public key, so the private key is never sent to the CA or to clients; it must not be shared with anyone and should be kept securely on the NetScaler appliance. For RSA, anything encrypted with the public key can be decrypted only with the private key; a DSA key is used only for signing.

The appliance supports two public-key algorithms, RSA and DSA, for creating private keys. You can submit a CSR created from either type of key to the CA. The certificate that you receive from the CA is valid only with the private key that was used to create the CSR, and that key is required when you add the certificate to the NetScaler.

Caution: Be sure to limit access to your private key. Anyone who has access to your private key can impersonate your server and, where the RSA key exchange is used, decrypt captured SSL traffic.
All SSL certificates and keys are stored in the /nsconfig/ssl folder on the appliance. For added security, you can encrypt the private key stored on the appliance with the Data Encryption Standard (DES) or triple DES (3DES) algorithm. Of the two, use 3DES: single DES has a 56-bit key and offers little protection against brute force.
Note: The maximum length allowed for an SSL key name includes the absolute path if you include the path in the key name.

To create an RSA private key by using the command line interface

At the command prompt, type the following command:

create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform ( DER | PEM )]

Example

> create ssl rsakey Key-RSA-1 2048 -exponent F4 -keyform PEM

To create a DSA private key by using the command line interface

At the command prompt, type the following command:

create ssl dsakey <keyfile> <bits> [-keyform (DER | PEM)]

Example

> create ssl dsakey Key-DSA-1 2048 -keyform PEM

To create an RSA private key by using the configuration utility

Navigate to Traffic Management > SSL and, in the SSL Keys group, select Create RSA Key, and create an RSA key.

To create a DSA private key by using the configuration utility

Navigate to Traffic Management > SSL and, in the SSL Keys group, select Create DSA Key, and create a DSA key.

Creating a Certificate Signing Request

The certificate signing request (CSR) is a collection of information, including the domain name, other important company details, and the public key that the CA will place in the certificate. The CSR is signed with the private key so that the CA can verify that you hold it. To avoid receiving a certificate that clients reject, make sure that the details you provide are accurate; in particular, the Common Name must be the fully qualified host name that clients connect to.

By default, the NetScaler appliance creates a CSR signed with the SHA1 digest algorithm. In earlier releases, to create a CSR signed with the SHA256 digest algorithm, you had to use OpenSSL.

From release 11.1, the appliance supports creating a CSR signed with the SHA256 digest algorithm. SHA1 is no longer considered collision resistant and public CAs have deprecated it, so select SHA256 when you create the CSR.

To create a certificate signing request by using the NetScaler command line

At the command prompt, type:

create ssl certreq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-keyForm (DER | PEM) {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName <string> -organizationUnitName <string> -localityName <string> -commonName <string> -emailAddress <string> {-challengePassword } -companyName <string> -digestMethod ( SHA1 | SHA256 )
Example

create ssl certreq priv_csr_sha256 -keyfile priv_2048_2 -keyform PEM -countryName IN -stateName Karnataka -localityName Bangalore -organizationName Citrix -organizationUnitName NS -digestMethod SHA256

To create a certificate signing request by using the NetScaler GUI

  1. Navigate to Traffic Management > SSL.
  2. In SSL Certificate, click Create Certificate Signing Request (CSR).
  3. In Digest Method, select SHA256.

Submitting the CSR to the CA

Most CAs accept CSR submissions by email or through a web portal, and return the signed certificate (usually together with the intermediate CA certificates that must be installed alongside it) to the submitter. Before adding the certificate to the appliance, confirm that its public key matches the private key that created the CSR; a certificate issued for a different key cannot be bound to the virtual server.
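The same key, CSR, and CA flow reproduced with OpenSSL, as an added example that is not part of this page or of the NetScaler CLI. It mirrors the three procedures above (F4 exponent, SHA1 versus SHA256 digest, 3DES key encryption) and adds the checks a practitioner runs before uploading anything to /nsconfig/ssl: that the CSR is SHA256-signed, that the CSR and the returned certificate carry the public key of the intended private key, and that a key encrypted at rest really is encrypted. The CA is simulated by a throwaway local CA, the host name www.example.com and the passphrase are constructed for the example, and an openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: key -> CSR -> CA flow with OpenSSL, plus pre-upload checks.
# Not NetScaler code. Assumes `openssl` is installed; paths and subject are constructed.
set -eu

# Create a 2048-bit RSA private key with public exponent 65537 (OpenSSL's -F4,
# the same choice as the appliance's "-exponent F4").
make_rsa_key() {            # $1 = output key file (PEM)
    openssl genrsa -F4 -out "$1" 2048 2>/dev/null
}

# Create a CSR from a key. $3 is the digest (sha1 or sha256), the OpenSSL
# counterpart of the appliance's -digestMethod. Subject mirrors the page's example.
make_csr() {                # $1 = key, $2 = output CSR, $3 = digest
    openssl req -new -key "$1" -out "$2" "-$3" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Citrix/OU=NS/CN=www.example.com"
}

# Succeed only if the CSR is signed with SHA-256 (what public CAs require now).
csr_uses_sha256() {         # $1 = CSR
    openssl req -in "$1" -noout -text \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# Succeed only if the CSR carries the public key derived from this private key.
csr_matches_key() {         # $1 = key, $2 = CSR
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Succeed only if the certificate carries the public key derived from this
# private key, i.e. the certificate the CA returned belongs to our CSR.
cert_matches_key() {        # $1 = key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Stand-in for the real CA: a throwaway local CA signs the CSR. This is the
# step the CA performs after you submit the CSR; it is simulated here so the
# example runs offline.
sign_with_local_ca() {      # $1 = CSR, $2 = output certificate
    d=$(dirname "$2")
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 1 -sha256 -subj "/CN=Example Test CA" 2>/dev/null
    openssl x509 -req -in "$1" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -sha256 -out "$2" 2>/dev/null
}

# Encrypt the private key at rest with 3DES (the stronger of the two ciphers
# the appliance offers). The passphrase is needed again when the key is loaded.
encrypt_key_3des() {        # $1 = key, $2 = output encrypted key, $3 = passphrase
    openssl rsa -in "$1" -des3 -passout "pass:$3" -out "$2" 2>/dev/null
}

# Full flow: returns 0 if every check passes.
demo() {                    # $1 = scratch directory
    make_rsa_key "$1/server.key"
    make_csr "$1/server.key" "$1/server.csr" sha256
    csr_uses_sha256 "$1/server.csr"
    csr_matches_key "$1/server.key" "$1/server.csr"
    sign_with_local_ca "$1/server.csr" "$1/server.crt"
    cert_matches_key "$1/server.key" "$1/server.crt"
    encrypt_key_3des "$1/server.key" "$1/server.key.enc" 'constructed-passphrase'
    grep -q ENCRYPTED "$1/server.key.enc"
    echo "key, CSR and certificate are consistent; encrypted key written to $1"
}

demo "$(mktemp -d)"
```

The modulus comparison in csr_matches_key and cert_matches_key is the check to run on the certificate the CA sends back: if it fails, the CA signed a CSR from a different key (for example, one regenerated on another appliance) and the certificate cannot be paired with the key you hold.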