Objective
This article describes how to create and install a self-signed certificate on a NetScaler appliance.
At times, you might not want to have a Secure Socket Layer (SSL) certificate signed by a known Certificate Authority (CA), such as VeriSign. For internal testing purposes, you can create a self-signed certificate on a NetScaler appliance. However, most Web browsers reject the certificate if it is not signed by a trusted CA. To trust the self-signed certificate, import the root certificate into the certificate store on the workstation or into the browser certificate store.
Instructions
To create and install a self-signed certificate, complete the following tasks:
Create a Private Key
To create a private key, complete the following procedure:
- Log on to the NetScaler appliance by using the nsroot credentials.
- In the Configuration utility, select the SSL node.
- In the SSL page, click the Create RSA Key link available in the SSL Keys section.
- Enter the appropriate values on the various fields of the Create RSA Key dialog box and click Create.
create ssl <Key_Type> <Key_File_Name> <bits> [-exponent ( 3 | F4 )] [-keyform <Key_Format>] [-des] [-des3] [-password <Password_String>]
In the preceding syntax, you can use RSA, DSA, or FIPS as the Key_Type and PEM or DER as the Key_Format.
Create a Certificate Signing Request
To create a certificate signing request, complete the following procedure:
- Log on to the NetScaler appliance by using the nsroot credentials.
- In the Configuration utility, select the SSL node.
- In the SSL page, click the Create Certificate Request link available in the SSL Certificates section.
- Enter the appropriate values on the various fields of the Create Certificate Request dialog box and click Create.
create ssl certreq <Certificate_Request_File_Name> [-keyFile <Key_File_Name>] [-fipsKeyName <string>] [-keyform <Key_Format>]
Note: Ensure that you use the private key file created in the Create a Private Key procedure.
Create a Certificate
To create a certificate, complete the following procedure:
- Log in to the NetScaler appliance by using the nsroot credentials.
- In the Configuration utility, select the SSL node.
- In the SSL page, click the Create Certificate link available in the SSL Certificates section.
- Enter the appropriate values on the various fields of the Create Certificate dialog box and click Create.
create ssl cert <Certificate_File_Name> <Certificate_Request_File_Name> <certType> -keyFile <Key_File_Name> -keyForm <Key_Format> [-days <Positive_Integer>] [-certForm <Certificate_Format>] [-CAcert <CA_Certificate_File_Name>] [-CAcertForm <CA_Certificate_Format>] [-CAkey <CA_Key_File_Name>] [-CAkeyForm <CA_Key_Format>] [-CAserial <CA_Serial_Number_File_Name>]
Note: Ensure that you use the private key and certificate request files created in the Create a Private Key and Create a Certificate Signing Request procedures, respectively.
Create a Certificate-Key Pair and Install the Certificate
To install the certificate you have created, you need to create a certificate-key pair object. To create a certificate-key pair, complete the following procedure:
- Log in to the NetScaler appliance by using the nsroot credentials.
- In the Configuration utility, expand the SSL node.
- Select Certificates.
- On the SSL Certificates page, click Add.
- Enter the appropriate values on the various fields of the Install Certificate dialog box and click Install.
add ssl certKey <Certificate_Key_Name> -cert <Certificate_File_Name> -key <Key_File_Name> [-password]
Note: Ensure that you use the private key and certificate files created in the Create a Private Key and Create a Certificate procedures, respectively.
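The notes in the procedures above require that the key, request and certificate files belong together. The following shell functions are an added example, not part of the original article or of Citrix tooling: they use the OpenSSL command line to confirm that a certificate carries the public half of a given private key and that it is really self-signed. The function names, file names and subject name are assumptions, and the sample files are generated with OpenSSL stand-ins for the three creation steps.

```shell
#!/bin/sh
# Added example (not from the original article). File names and the subject
# are constructed; run on any host with the OpenSSL command-line tool.

# make_self_signed DIR CN: key -> CSR -> self-signed certificate, mirroring
# the article's three creation steps with OpenSSL stand-ins.
make_self_signed() {
    openssl genrsa -out "$1/test.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/test.key" -subj "/CN=$2" \
        -out "$1/test.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/test.csr" -signkey "$1/test.key" \
        -days 30 -out "$1/test.cer" 2>/dev/null
}

# pair_matches CERT KEY: 0 if the certificate carries this key's public half,
# 1 if it does not, 2 if either file cannot be parsed.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# is_self_signed CERT: 0 only if subject equals issuer AND the signature
# verifies against the certificate itself; 1 if the names differ.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${issr#issuer=}" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo on throwaway files in a temporary directory (constructed input).
demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" "nsvip.test.internal" || return 1
    pair_matches "$dir/test.cer" "$dir/test.key" &&
        echo "key matches certificate"
    is_self_signed "$dir/test.cer" &&
        echo "certificate is self-signed"
    rm -rf "$dir"
}
demo
```

A mismatch reported by pair_matches means the certificate was created from a different key file than the one about to be installed with it.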
Caveats
If you want to use Web Interface on NetScaler, you must import the CA certificate as a trusted root in the Web Interface Java keystore, for use with callbacks.
If you want to connect to virtual servers that use the self-signed certificate from Android, Mac, iPhone, or iPad devices, then you must import the CA certificate into the device as a trusted root. There is no option on these devices to temporarily accept an SSL certificate that was signed by a non-trusted root.