
Configure Netscaler Management for SSL with Trusted Certificate Part1

So here is a scenario: you have two Citrix Netscaler VPX devices configured as an HA pair and you need to manage that pair over SSL, for whatever reason. The devices are installed out of the box with a self-signed certificate, which may be fine in a dev environment but is not really best practice in production. Also, with Microsoft’s Internet Explorer 10 you will find you cannot even manage the box, as it no longer gives you the option to accept the untrusted certificate and continue; the same untrusted certificate can also break applications such as System Center 2012 Virtual Machine Manager.

So what to do? Well, you need to get a trusted certificate, but pause for a moment: you may want a little more. In this scenario we have two devices, so if you want the ability to log on not only to the active device but also to the standby, you are going to need a certificate with Subject Alternative Names (SANs). This will enable you to connect to each device by its individual device name as well as by the Virtual IP address shared by the devices.

Note: I am going to be using FQDNs to access the devices, not just an IP address.

You need to have each node’s management name (whatever you put in the browser to get to the device) and IP address in DNS, not forgetting the shared Virtual IP.

You need to have a valid certificate, with all the FQDNs listed as SANs, that is trusted by every client that will connect to the management interface using SSL.

You then need to import the certificate into the Netscaler and map it to the management services.

Sounds easy, but it took me a while to put all this together.

Step 1 Get a Certificate

I am using Microsoft 2008 R2 Certificate Services, and using the guide here I generate a certificate for use on the Netscalers.

1. Log on to the server as a member of the local Administrators group.

2. Click Start.

3. In the Search programs and files box, type mmc.exe, and press ENTER.

4. On the File menu, click Add/Remove Snap-in.

5. In the list of available snap-ins, click Certificates, and then click Add.

6. Click Computer account, and click Next.

7. Click Local computer, and click Finish.

8. Click OK.

9. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.

10. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard (in my case, Active Directory Enrollment Policy).

11. Click Next.

12. Select the Web Server template. Click the warning icon below it that reads “More information is required to enroll for this certificate. Click here to configure these settings.”

13. In the Subject name area under Type, click Common Name.

14. In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.

15. In the Alternative name area under Type, click DNS.

16. In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.

17. Repeat steps 15 and 16 above for each additional SAN that you require.

18. On the Private Key tab, ensure you enable “Make private key exportable”.

19. Click OK when finished.

20. Click Enroll.

It should have looked something like the below.

Checking the certificate, we can see all the names listed (awesome).
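As an added example (not from the original post, and not the MMC route the author uses), the same request can be built from the command line with openssl: one config file carries the Virtual IP name as the Common Name and lists the VIP plus every node FQDN as DNS SANs, the resulting CSR is what you would submit to your CA instead of walking through the enrollment wizard, and a small check confirms that every required name really is present on the CSR or on the issued certificate, which is the same thing the screenshot check above does by eye. The hostnames, the choice of the VIP name as CN, and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a SAN CSR with openssl and verify its DNS SANs.
# Hostnames below are constructed placeholders; replace with your own.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
VIP_FQDN="ns-vip.example.local"                     # shared Virtual IP name (placeholder)
NODE_FQDNS="ns01.example.local ns02.example.local"  # per-node management names (placeholders)

# Write an openssl request config whose [alt_names] section lists the VIP
# and every node, so the CSR carries all management names as DNS SANs.
write_san_config() {
  cfg="$WORKDIR/san.cnf"
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "req_extensions = v3_req"
    echo "prompt = no"
    echo "[dn]"
    echo "CN = $VIP_FQDN"            # assumption: the shared VIP name is the CN
    echo "[v3_req]"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    i=1
    for name in $VIP_FQDN $NODE_FQDNS; do
      echo "DNS.$i = $name"
      i=$((i + 1))
    done
  } > "$cfg"
  echo "$cfg"
}

# Generate a 2048-bit RSA key and the CSR; prints the CSR path.
# The key file is what you will later need in PEM form on the Netscaler.
make_csr() {
  cfg=$(write_san_config)
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/ns-mgmt.key" -out "$WORKDIR/ns-mgmt.csr" \
    -config "$cfg" >/dev/null 2>&1
  echo "$WORKDIR/ns-mgmt.csr"
}

# Print the DNS SANs of a PEM file, one per line.
#   $1 = path, $2 = "req" for a CSR or "x509" for an issued certificate
list_sans() {
  openssl "$2" -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Return 0 only when the VIP and every node FQDN appear as DNS SANs.
check_sans() {
  sans=$(list_sans "$1" "$2")
  for name in $VIP_FQDN $NODE_FQDNS; do
    echo "$sans" | grep -qx "$name" || { echo "missing SAN: $name" >&2; return 1; }
  done
  return 0
}

# Usage: make the CSR, verify it, then (after the CA has signed it)
# verify the issued certificate the same way:
#   csr=$(make_csr) && check_sans "$csr" req
#   check_sans /path/to/issued-cert.pem x509
```

Run `check_sans` against the certificate your CA hands back, not only against the CSR: a CA or template can drop or rewrite requested extensions, and a certificate missing one node name will fail with a browser warning on exactly the device you most need to reach during a failover.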



We next need to export this certificate and prepare it for upload into the Netscaler devices.

Click Export to File and follow the wizard, ensuring you select Yes, export the private key and, if possible, Include all certificates in the certification path. The end result is a .pfx file.

This file is no good for the Netscaler as it wants a PEM file, so we need to convert it.

Part 2
