ADC

Create a certificate

A certificate authority (CA) is an entity that issues digital certificates for use in public key cryptography. Applications, such as web browsers, that conduct SSL transactions trust certificates issued or signed by a certificate authority. These applications maintain a list of the CAs that they trust. If any of the trusted CAs sign the certificate being used for the secure transaction, the application proceeds with the transaction.

Caution: Citrix recommends that you use certificates obtained from authorized CAs, such as Verisign, for all your SSL transactions. Use certificates generated on the Citrix ADC appliance for testing purposes only, not in any live deployment.

To obtain an SSL certificate from an authorized CA, you must create a private key. Use that key to create a certificate signing request (CSR), and submit the CSR to the certificate authority. The only special characters allowed in the file names are underscore and dot.

To import an existing certificate and key, see Import a Certificate.

Video link to How do I create and install a new certificate.

Create a private key

The private key is the most important part of a digital certificate. By definition, this key is not to be shared with anyone and must be kept securely on the Citrix ADC appliance. Any data encrypted with the public key can be decrypted only by using the private key.

The appliance supports two encryption algorithms, RSA and DSA, for creating private keys. You can submit either type of private key to the certificate authority. The certificate that you receive from the CA is valid only with the private key that was used to create the CSR. The key is required for adding the certificate to the Citrix ADC appliance.

Caution: Be sure to limit access to your private key. Anyone who has access to your private key can decrypt your SSL data.

Note:

  • From release 12.1 build 49.x, you can use the AES256 algorithm with PEM key format to encrypt a private key on the appliance. AES with 256-bit key is more mathematically efficient and secure compared to the 56-bit key of the Data Encryption Standard (DES).

  • From release 12.1 build 50.x, you can create an RSA or DSA key in PKCS#8 format.

All SSL certificates and keys are stored in the /nsconfig/ssl folder on the appliance. For added security, you can use the DES or triple DES (3DES) algorithm to encrypt the private key stored on the appliance.

Note:

The length of the SSL key name allowed includes the length of the absolute path name if the path is included in the key name.

Create an RSA private key by using the CLI

At the command prompt, type:

create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (DER | PEM )] [-des | -des3 | -aes256] {-password } [-pkcs8]
<!--NeedCopy-->

Example:

create rsakey testkey 2048 -aes256 -password 123456 -pkcs8
<!--NeedCopy-->

Create an RSA private key by using the GUI

Navigate to Traffic Management > SSL and, in the SSL Keys group, select Create RSA Key, and create an RSA key.

Select the AES256 encoding algorithm in an RSA key by using the GUI

  1. Navigate to Traffic Management > SSL > SSL Files > Create RSA Key.

  2. In Key Format, select PEM.

  3. In PEM Encoding Algorithm, select AES256.

  4. Select PKCS8.

Create a DSA private key by using the CLI

At the command prompt, type:

create ssl dsakey <keyfile> <bits> [-keyform (DER | PEM)] [-pkcs8]
<!--NeedCopy-->

Example:

create ssl dsakey Key-DSA-1 2048 -keyform PEM
<!--NeedCopy-->

Create a DSA private key by using the GUI

  1. Navigate to Traffic Management > SSL and, in the SSL Keys group, select Create DSA Key, and create a DSA key.
  2. To create a key in PKCS#8 format, select PKCS8.

Support for SHA 256 digest algorithm in a certificate signing request

The certificate signing request (CSR) is a collection of information. It includes the domain name, other important company details, and the public key to be used to create the certificate. To avoid generating an invalid certificate, make sure that the details you provide are accurate.

The Citrix ADC appliance supports creating a CSR signed with the SHA1 digest algorithm by default. In earlier releases, to create a CSR signed with the SHA256 digest algorithm, you had to use OpenSSL.

The appliance supports creating a CSR signed with the SHA256 digest algorithm. The encryption hash algorithm used in SHA256 makes it stronger than SHA1.

Create a certificate signing request by using the CLI

At the command prompt, type:

create ssl certreq <reqFile> -keyFile <input_filename> | -fipsKeyName <string>) [-keyForm (DER | PEM) {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName <string> -organizationUnitName <string> -localityName <string> -commonName <string> -emailAddress <string> {-challengePassword } -companyName <string> -digestMethod ( SHA1 | SHA256 )
<!--NeedCopy-->

Example:

create ssl certreq priv_csr_sha256 -keyfile priv_2048_2 -keyform PEM -countryName IN -stateName Karnataka -localityName Bangalore -organizationName Citrix -organizationUnitName NS -digestMethod SHA256
<!--NeedCopy-->

Create a certificate signing request by using the GUI

  1. Navigate to Traffic Management > SSL.
  2. In SSL Certificate, click Create Certificate Signing Request (CSR).
  3. In Digest Method, select SHA256.

Support for subject alternative name in a certificate signing request

The subject alternative name (SAN) field in a certificate allows you to associate multiple values, such as domain names and IP addresses, with a single certificate. In other words, you can secure multiple domains, such as www.example.com, www.example1.com, www.example2.com, with a single certificate.

Some browsers, such as Google Chrome, no longer support a common name in a certificate signing request (CSR). They enforce SAN in all publicly trusted certificates.

The Citrix ADC appliance supports adding SAN values when creating a CSR. You can send a CSR with a SAN entry to a certificate authority to obtain a signed certificate with the SAN entry. When the appliance receives a request, it checks for a matching domain name in the SAN entries in the server certificate. If a match is found, it sends the certificate to the client and completes the SSL handshake. You can use the CLI or the GUI to create a CSR with SAN values.

Note:

The Citrix ADC appliance processes only DNS based SAN values.

Create a CSR with the subject alternative name by using the CLI

create ssl certReq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-subjectAltName <string>] [-keyform ( DER | PEM )  {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName <string> [-organizationUnitName <string>] [-localityName <string>] [-commonName <string>] [-emailAddress <string>] {-challengePassword } [-companyName <string>] [-digestMethod ( SHA1 | SHA256 )]
<!--NeedCopy-->

Parameters:

subjectAltName: The subject alternative name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called “Subject Alternative Names” (SAN). Names include:

  1. IP addresses (Prefix with “IP:” Example: IP:198.51.10.5 IP:192.0.2.100)

  2. DNS names (Prefix with “DNS:” Example: DNS:www.example.com DNS:www.example.org DNS:www.example.net)

On the CLI, enter values within quotation marks. Separate two values with a space. Quotation marks are not required in the GUI. Maximum Length: 127

Example:

create certReq test1.csr -keyFile test1.ky -countryName IN -stateName Kar -organizationName citrix -commonName ctx.com -subjectAltName "DNS:*.example.com DNS:www.example.org DNS:www.example.net"
<!--NeedCopy-->

Note:

On a FIPS appliance, you must replace the key file name with the FIPS key name if you create the FIPS key directly on the appliance.

create certReq <csrname> -fipsKeyName fipskey.ky -countryName IN -stateName Kar -organizationName citrix -commonName ctx.com -subjectAltName "DNS:www.example.com DNS:www.example.org DNS:www.example.net"
<!--NeedCopy-->

Create a CSR by using the GUI

  1. Navigate to Traffic Management > SSL > SSL Files.
  2. In the CSR tab, click Create Certificate Signing Request (CSR).
  3. Enter the values and click Create.

Limitations

To use SAN when creating an SSL certificate, you must explicitly specify the SAN values. The values are not read automatically from the CSR file.

Submit the CSR to the CA

Most CAs accept certificate submissions by email. The CA returns a valid certificate to the email address from which you submit the CSR.

The CSR is stored in the /nsconfig/ssl folder.

Generate a test certificate

Note:

To generate a server test certificate, see Generating a Server Test Certificate.

The Citrix ADC appliance has a built-in CA tools suite that you can use to create self-signed certificates for testing purposes.

Caution: Because the Citrix ADC appliance signs these certificates, and not an actual CA, you must not use them in a production environment. If you attempt to use a self-signed certificate in a production environment, users receive a “certificate invalid” warning each time the virtual server is accessed.

The appliance supports creation of the following types of certificates

  • Root-CA certificates
  • Intermediate-CA certificates
  • End-user certificates
    • server certificates
    • client certificates

Before generating a certificate, create a private key and use that to create a certificate signing request (CSR) on the appliance. Then, instead of sending the CSR out to a CA, use the Citrix ADC CA Tools to generate a certificate.

Create a certificate by using a wizard

  1. Navigate to Traffic Management > SSL.
  2. In the details pane, under Getting Started, select the wizard for the type of certificate that you want to create.
  3. Follow the instructions on the screen.

Create a root-CA certificate by using the CLI

At the command prompt, type the following command:

create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM )] [-days <positive_integer>]
<!--NeedCopy-->

In the following example, csreq1 is the CSR and rsa1 is the private key that was created earlier.

Example:

create ssl cert cert1 csreq1 ROOT_CERT -keyFile rsa1 -keyForm PEM -days 365

  Done
<!--NeedCopy-->

Create an intermediate-CA certificate by using the CLI

create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM )] [-days <positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )] [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )] [-CAserial <output_filename>]
<!--NeedCopy-->

In the following example, csr1 is the CSR created earlier. Cert1 and rsakey1 are the certificate and corresponding key of the self-signed (root-CA) certificate, and pvtkey1 is the private key of the intermediate-CA certificate.

Example:

create ssl cert certsy csr1 INTM_CERT -CAcert cert1 -CAkey rsakey1 -CAserial 23
Done

create ssl rsakey pvtkey1 2048 -exponent F4 -keyform PEM
Done
<!--NeedCopy-->

Create a root-CA certificate by using the GUI

Navigate to Traffic Management > SSL and, in the Getting Started group, select Root-CA Certificate Wizard, and configure a root CA certificate.

Create an intermediate-CA certificate by using the GUI

Navigate to Traffic Management > SSL and, in the Getting Started group, select Intermediate-CA Certificate Wizard, and configure an intermediate CA certificate.

Create an end-user certificate

An end-user certificate can be a client certificate or a server certificate. To create a test end-user certificate, specify the Intermediate CA certificate or the self-signed root-CA certificate.

Note:

To create an end-user certificate for production use, specify a trusted CA certificate and send the CSR to a certificate authority (CA).

Create a test end-user certificate by using the command line interface

create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM )] [-days<positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )] [-CAkey<input_filename>] [-CAkeyForm ( DER | PEM )] [-CAserial <output_filename>]
<!--NeedCopy-->

If there is no intermediate certificate, use the certificate (cert1) and private key (rsakey1) values of the root-CA certificate in CAcert and CAkey.

Example:

create ssl cert cert12 csr1 SRVR_CERT -CAcert cert1 -CAkey rsakey1 -CAserial 23

Done
<!--NeedCopy-->

If there is an intermediate certificate, use the certificate (certsy) and private key (pvtkey1) values of the intermediate certificate in CAcert and CAkey.

Example:

create ssl cert cert12 csr1 SRVR_CERT -CAcert certsy -CAkey pvtkey1 -CAserial 23

Done
<!--NeedCopy-->