How many times have you asked yourself: how can I import wildcard certificates on my Citrix Netscaler?
I had to add, to a friend's Netscaler, a wildcard certificate. The certificate request was done from an IIS (Windows 2008 R2) and then it was installed on it including the Intermediate Cert.
My Netscaler version is 10.1.
So let's try to describe briefly the steps to reach this goal :
Export the main wildcard certificates from Windows server
1. Open MMC --> Add/Remove Snap-in...--> Certificates --> Computer Account. Here below you can see the certificate inside the Personal storage
2. Right click on it and choose "Export..." menu item.
IMPORTANT : YOU HAVE TO FOLLOW THESE STEPS TWICE, THE FIRST TIME INCLUDING THE PRIVATE KEY, THE SECOND ONE EXCLUDING IT.
I'll show below the most important steps and highlight the differences between the two rounds.
3. Continue including any additional useful info
4. Set the password to protect the private key
5. And finally save it to a file. The file including the private key will have *.PFX extension
6. After saving start again the same wizard changing only the steps reported below
7. Select the option "Base-64....." encoding
8. and then save the file. Consider that this second time the extension will be different: *.CER
9. Now you will have two separate files as shown below
Import new certificates to our Netscaler appliance
After logging in to our appliance follow these points:
1. Go to the Configuration tab (highlighted below in yellow)
2. Expand Traffic Management --> SSL --> and choose Import PKCS#12
3. Here below you have the form that you should fill to complete the first step of import
Pay attention here:
****** OUTPUT FILE NAME : must have KEY extension, the name is up to you
****** PKCS12 FILE* : here you have to insert the name of the file uploaded earlier
****** IMPORT PASSWORD : the password you typed before to protect the private key
****** ENCODING FORMAT : DES3
****** PEM PASSPHRASE : a new different password to protect the file (including again the private key)
****** CONFIRM PASSPHRASE : repeat the same password of the previous point
4. After confirming click on "Manage Certificates" as highlighted below (you could receive some warning regarding Java applet.....accept or authorize to continue)
5. Click on "Upload" to load the additional *.CER file
6. At this point you are ready to install or update your certificate. In my situation I had to update an existing virtual server certificate; the procedure is more or less the same. So let's follow my case and, after selecting the certificate that you want to update, click on "Update...".
The system will open an additional window, "UPDATE CERTIFICATE", where you have to fill in some fields:
****** CERTIFICATE-KEY PAIR NAME : name of your app
****** CERTIFICATE FILE NAME : name of the *.CER file exported before (in the IIS phase)
****** KEY FILE NAME : name of the *.KEY file created during step 3
****** PASSWORD : password typed during step 3 to protect your private key
I didn't choose to be notified.
Then click OK
7. The procedure in theory is finished but during a test I discovered that the web connection was not encrypted..... the browser was saying that something was wrong so the connection was in HTTP instead of HTTPS.
So HTTPS was not working with Netscaler !
In my case I also had to add the INTERMEDIATE CERTIFICATE provided. After importing it we have to link it to the previously added or updated certificate.
Import Intermediate Certificate Authority Certificate
To export this certificate you can follow the steps (of the IIS section) from the point n.7. You will not have the private key question and the format is "Base-64 encoded X.509".....so it will be a *.CER file. After exporting it you have to upload it (follow the step n. 5 described in the previous section) and install it on Netscaler.
1. Open the following section of Netscaler and install a new certificate as shown below. You have to type in the name of the certificate (it is up to you) and then choose it by clicking on the BROWSE button.
2. At this point the very final step is to link it to the certificate that we imported and installed during the previous steps. So in the list of certificates RIGHT click on it (the wildcard examined before) and, on the menu, select "LINK"
3. Here you have to select the Certificate to link to. The previously imported intermediate one should already be selected by default.
At this point you should be able to browse your published site or application without any warning and in HTTPS.
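The file handling in this procedure can be rehearsed offline before touching the appliance. The script below is an added example, not part of the original post: it uses openssl as a stand-in for the Windows export wizard and the Import PKCS#12 form, and every name, password and certificate in it is constructed test material. It checks that the key extracted from the PFX pairs with the *.CER file, and that the chain only verifies once the intermediate certificate is supplied.

```shell
#!/bin/sh
# Added example: all names, passwords and certificates are constructed test material.
set -eu

mkcert() {  # mkcert NAME SUBJECT EXTFILE [ISSUER]; self-signed when ISSUER is absent
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.cer" -CAkey "$4.key" -CAcreateserial \
      -days 2 -extfile "$3" -out "$1.cer" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$3" -out "$1.cer" 2>/dev/null
  fi
}

pfx_to_key() {  # pfx_to_key PFX IMPORT_PASSWORD OUT.key PEM_PASSPHRASE (DES3, as in the form)
  openssl pkcs12 -in "$1" -nocerts -des3 -passin "pass:$2" -passout "pass:$4" -out "$3" 2>/dev/null
}

key_matches_cert() {  # key_matches_cert CERT KEY PEM_PASSPHRASE; true when the public keys are equal
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

chain_ok() {  # chain_ok ROOT LEAF [INTERMEDIATE]; true when LEAF verifies up to ROOT
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

W=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
printf 'subjectAltName=DNS:*.example.test\n' > "$W/leaf.ext"
mkcert "$W/root"  "/CN=Constructed Root CA" "$W/ca.ext"
mkcert "$W/inter" "/CN=Constructed Intermediate CA" "$W/ca.ext" "$W/root"
mkcert "$W/iis"   "/CN=*.example.test" "$W/leaf.ext" "$W/inter"
# What the two export rounds produce: a PFX with the key, a Base-64 CER without it.
openssl pkcs12 -export -inkey "$W/iis.key" -in "$W/iis.cer" -out "$W/wildcard.pfx" -passout pass:ExportPw
cp "$W/iis.cer" "$W/wildcard.cer"

pfx_to_key "$W/wildcard.pfx" ExportPw "$W/wildcard.key" NewPemPw
key_matches_cert "$W/wildcard.cer" "$W/wildcard.key" NewPemPw && echo "key pairs with wildcard.cer"
chain_ok "$W/root.cer" "$W/wildcard.cer" || echo "chain incomplete without the intermediate"
chain_ok "$W/root.cer" "$W/wildcard.cer" "$W/inter.cer" && echo "chain complete with the intermediate"
```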
Hope this helps
See you soon