Request a certificate as you would normally do, using IIS. This has been documented plenty of other places, so skipped here.
Because of the HA pair, you will need one cert, but make it good for 2 DNS names, including NS.blah.com and NS-Otherlocation.blah.com
This is also good for moving a site's SSL certificate to the Netscaler for load balancing from an IIS host.
Visit http://www.derekseaman.com/2013/05/import-iis-ssl-certificate-to-citrix-netscaler.html on how to export this new certificate into the Netscaler UNTIL the section where you have to upload it to the NETSCALER
(Mr Derek Seaman's instructions are good, but not for our NS version. You can probably figure it out with clicking around, but just in case:)At this point, on the Netscaler, you select Traffic management --> ssl and "import PKCS#12"
Most of Mr Seaman's instructions will still work, but things may be very slightly out of order, like the order to click "browse" or whatever... but it is much easier with his diagrams than I can explain here. Remember to use a good password manager to generate and store any passwords you use in this process.
When you are finished, the cert is ready to be used with your VIP.
IF YOU ARE INSTALLING THE CERT FOR THE NETSCALER DEVICE ITSELF:
Skip the step above where you upload the certificate, or remove it from the Netscaler if you have already uploaded it.Download the "X509 Certificate only, Base64 encoded" file and open it in a text editor.
blah_com_cert.cer
Download the "X509 Intermediates/root only Reverse, Base64 encoded: " file and open it as well.
blah_com_interm.cer
Create a new text file. Copy the X509 Certificate only, Base64 encoded cert to it first and then copy the NEXT two X509 Intermediates/root only Reverse, Base64 encoded certs from the file below the first. (They will be the first two in the blah_com_interm.cer file. The root is the last one in that file and you don't want it.) Now save the file with a meaningful name, like "blah_com-bun-noroot.crt". (bun=bundle)
Login into the NS and upload your cert bundle and private key. In this example they would be blah_com.key and blah_com-bun-noroot.crt.
Then under SSL/Certificates select the ns-server-certificate and update it. There's a check box on the Update Certificate window that says, Click to update Certificate/Key. Select that and then browse for the two files you just uploaded. Also check the box "no domain check" if you are switching domain suffixes .
After clicking "ok", wait a min or two... then you will have to reconnect your browser.
Check the certificate in the browser, it should list new certificate.
You can diagnose/view the certs you uploaded using "shell" and "openssl x509 -in NAMEOFFILE.cer -text -noout"
Happy balancing,
-_Bryan
...what, no shout outs for me? ;-)
ReplyDeleteRemember, OpenSSL is your friend!
openssl.org
Bryan...after STRUGGLING with this &^%(* Netscaler cert, I'm trying your method(s). If it works, bro, you have saved my bacon! ...I'll let you know...Brian
ReplyDeleteCroydon MiniCab Service in London UK,We offer Low Fair for Airport Transfers from Croydon everyday where you will be able to know all our services, our vehicles, page on-line booking to make a reservation every day 24x7
ReplyDeletewww.croydoncar.co.uk/
ReplyDeleteCroydon Cars MiniCab Service in London UK,Choose our Minicab for a quick trip and safely to get to the Gatwick Airport, Heathrow Airportalso offers some services to minicab drivers who are not associated with itin the area of Croydon and in other towns.We are offer Low Fair for Airport Transfers from Croydon everyday such as ?Croydon Minicabs ?Shirley Minicabs ?Waddon Minicabsand etc.We want to welcome you to our new corporate website:www.croydoncar.co.uk/
An Indian Restaurant & Takeaway in Croydon. We serve a wide range of delicious Asian & Indian food. We offer online ordering and table booking.For reservation call 02036678566
ReplyDeleteadeenaskitchen.co.uk/