openssl netscaler sha256 csr certificate request

openssl netscaler sha256 csr certificate request

Instructions

Complete the following steps to generate SHA2 CSR on NetScaler using OpenSSL:

  1. Create a custom configuration file named openssl.cnf. The file can have the following entries. Modify the entries according to the requirement. You can create this file on NetScaler using the VI editor or any other editor.
    [req]
    default_bits       = 2048
    prompt             = no
    encrypt_key        = no
    default_md         = sha256
    distinguished_name = dn 
    [dn]
    CN           = test.example.com
    OU           = Test Certificate
    O            = Test Company
    L            = Test City
    ST           = California
    C            = US
    emailAddress = test@example.com
  2. Upload the openssl.cnf file to the /nsconfig/ssl directory.
  3. Log on to NetScaler using PuTTY.
  4. Browse to the /nsconfig/ssl directory and execute the following command to create a Key and CSR:
    root@ns# openssl req -out test.csr -config openssl.cnf -new -newkey rsa:2048 -nodes -keyout test.key

    Generating a 2048 bit RSA private key
    ......................................+++
    ...............................................+++
    writing new private key to 'test.key'
    -----
  5. Use the following command to verify if the CSR created is SHA2:
    root@ns# openssl req -text -noout -in test.csr | grep ‘Signature Algorithm’

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=link.rc.test.com, OU=TEST, O=DSI, L=Clichy, ST=Haut de Seine, C=Fr/emailAddress=bruce.wayne@test.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:b9:2b:66:9a:fe:55:8e:da:ac:85:c6:67:94:6d:
                        88:34:6b:92:00:6b:0f:02:bc:40:20:9d:be:db:b1:
                        04:3b:b1:2e:79:6e:60:f6:9e:2d:c1:49:09:3b:6e:
                        9c:4e:f9:7f:17:ea:ed:99:b6:1b:15:44:ea:8b:e4:
                        f1:87:32:8a:73:10:c1:6b:d7:c8:7f:1a:a6:83:ef:
                        1f:a8:38:82:0e:b2:f1:09:69:af:ee:e4:eb:ac:7f:
                        cc:75:09:95:21:79:fe:0c:e3:e0:3e:c0:86:ee:fc:
                        f3:c4:e2:1f:e2:ed:12:ee:94:b1:aa:d3:22:fb:70:
                        bb:aa:55:84:50:28:82:2a:7f:e2:34:a7:9b:65:0c:
                        72:5e:41:42:b5:60:2b:63:67:82:aa:ae:79:c5:a0:
                        bc:72:3e:14:18:37:ef:5e:69:fd:b8:53:d2:19:fa:
                        f0:c6:bf:3a:b1:24:45:c9:e4:9c:58:f9:5c:3c:44:
                        c0:c2:3e:b7:a3:ec:d2:a2:bc:a6:ae:b6:18:e7:fe:
                        33:67:06:c6:c9:5b:98:2c:87:45:ee:a6:ee:f5:6e:
                        25:6f:75:ba:bd:58:60:4c:b7:ae:c6:ed:03:3c:f6:
                        37:bc:2b:02:b4:9a:9e:02:d2:62:db:b2:b0:b1:df:
                        a7:16:ae:df:19:fa:27:b9:47:ec:56:fa:81:84:ae:
                        fa:81
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
            21:fd:2c:88:37:4d:5b:a2:bc:e0:90:dd:01:06:bc:30:54:91:
            6e:cd:49:04:e3:d6:49:3c:85:d6:7d:15:bd:e7:a4:81:28:8d:
            47:5f:df:12:7c:50:3e:b8:7d:6f:7e:3b:7f:bc:4a:a9:64:26:
            af:68:23:fa:84:81:cb:df:ec:fe:cb:32:d4:db:52:38:77:bd:
            ec:9d:59:d9:d0:f2:c4:4e:f5:9f:0b:b7:78:79:d9:00:11:1c:
            49:36:c3:7e:92:c4:5c:e1:c1:d6:85:0c:44:55:68:0b:54:ea:
            de:bb:a1:b9:25:b8:de:5a:06:55:6e:86:eb:86:c2:67:c2:47:
            a2:5e:7d:6c:20:30:5a:8a:08:12:88:41:f6:54:48:ec:fa:6f:
            55:c6:2f:cf:31:68:b5:5f:6a:a0:30:f3:c3:62:db:78:4a:53:
            a4:2a:67:9e:5a:6b:2c:a7:8a:05:36:6e:da:61:f8:93:c3:a0:
            98:9c:4c:33:b6:a1:8d:85:6e:bb:08:ad:7f:56:69:ba:86:87:
            c2:8d:3c:85:aa:4f:d0:74:8f:6d:9f:e4:06:d0:7b:16:df:2c:
            2e:18:9b:7f:f5:6c:4f:1e:e3:00:f8:49:8d:b4:5e:4b:cd:8b:
            3b:6a:e6:a6:fa:e6:71:00:b9:ed:ed:9b:ef:91:e3:ab:a1:24:
            2d:2a:41:bc

The preceding article helps you in generating the CSR by creating a new key. However, if you want to use an existing key, then use the following command:
openssl req -out csr.csr -key /nsconfig/ssl/existing_key.key -new -sha256 -config /etc/nsssl.conf

info from : http://support.citrix.com/article/CTX202383

Leave a Reply

Your email address will not be published. Required fields are marked *

five × 2 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.