Create a certificate signing request

To provide secure communications using SSL or TLS, a server certificate is required on NetScaler Gateway. Before you can upload a certificate to NetScaler Gateway, you need to generate a Certificate Signing Request (CSR) and private key. You use Create Certificate Request, included in the NetScaler Gateway wizard or the configuration utility, to create the CSR. It creates a .csr file that is emailed to the Certificate Authority (CA) for signing and a private key that remains on the appliance. The CA signs the certificate and returns it to you at the email address you provided. When you receive the signed certificate from the CA, you pair it with the private key and install it on NetScaler Gateway.

Important: When you use the NetScaler Gateway wizard to create the CSR, you must exit the wizard and wait for the CA to send you the signed certificate. When you receive the certificate, you can run the NetScaler Gateway wizard again to create the settings and install the certificate. For more information about the NetScaler Gateway wizard, see Configuring Settings by Using the NetScaler Gateway Wizard.

Create a CSR by using the NetScaler Gateway wizard

  1. In the configuration utility, click the Configuration tab and then in the navigation pane, click NetScaler Gateway.
  2. In the details pane, under Getting Started, click NetScaler Gateway wizard.
  3. Follow the directions in the wizard until you come to the Specify a server certificate page.
  4. Click Create a Certificate Signing Request and complete the fields. Note: The fully qualified domain name (FQDN) does not need to be the same as the NetScaler Gateway host name. The FQDN is used for user logon.
  5. Click Create to save the certificate on your computer, and then click Close.
  6. Exit the NetScaler Gateway wizard without saving your settings.

Create a CSR by using the NetScaler GUI

You can also use the NetScaler GUI to create a CSR, without running the NetScaler Gateway wizard.

  1. Navigate to Traffic Management > SSL > SSL Files and select Create Certificate Signing Request (CSR).
  2. Complete the settings for the certificate and then click Create.

After you create the CSR and private key, email the CSR to the CA, such as Thawte or Verisign.

For the detailed procedure, see Create a certificate signing request.

Install the signed certificate on NetScaler Gateway

When you receive the signed certificate from the Certificate Authority (CA), pair it with the private key on the appliance and then install the certificate on NetScaler Gateway.

Pair the signed certificate with a private key by using the GUI

  1. Copy the certificate to the folder nsconfig/ssl on NetScaler Gateway by using a Secure Shell (SSH) program such as WinSCP.
  2. In the configuration utility, on the Configuration tab, in the navigation pane, expand SSL > Certificates.
  3. In the SSL Certificate page, click Get Started.
  4. In the details pane, click Install.
  5. In Certificate-Key Pair Name, type the name of the certificate.
  6. In Certificate File Name, click Appliance.
  7. Navigate to the certificate, click Select, and then click Open.
  8. In Key File Name, click Appliance. The private key has the same name as the Certificate Signing Request (CSR). The private key is located on NetScaler Gateway in the directory nsconfig/ssl.
  9. Choose the private key, and then click Open.
  10. If the certificate is in PEM format, in Password, type the password for the private key.
  11. If you want to configure notification for when the certificate expires, select Notify When Expires.
  12. In Notification Period, type the number of days, click Create, and then click Close.
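
Before pairing, it is worth confirming that the certificate the CA returned carries the same public key as the private key and CSR, and that it is not already inside the notification period. The script below is an added example, not part of the original documentation; it assumes the OpenSSL command-line tool and an unencrypted PEM key, and the file names (gw.key, gw.csr, gw.cer, other.key) are constructed, with a self-signed certificate standing in for the CA-signed one.

```shell
#!/bin/sh
# Added example: confirm a returned certificate belongs to the private key
# (and CSR) before installing the pair. Assumes an unencrypted PEM key.

# Print the PEM public key carried by a key, CSR or certificate file.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# check_pair CERT KEY CSR DAYS -> 0 ok, 1 mismatch or expiring, 2 unreadable
check_pair() {
    cert_pub=$(pubkey_of cert "$1") && [ -n "$cert_pub" ] || return 2
    key_pub=$(pubkey_of key "$2")   && [ -n "$key_pub" ]  || return 2
    csr_pub=$(pubkey_of csr "$3")   && [ -n "$csr_pub" ]  || return 2
    [ "$csr_pub"  = "$key_pub" ] || { echo "CSR does not match key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate does not match key"; return 1; }
    # -checkend exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$1" -noout -checkend $(( $4 * 86400 )) >/dev/null ||
        { echo "certificate expires within $4 days"; return 1; }
    echo "certificate, key and CSR match"
}

# Constructed sample files: a key and CSR, a self-signed stand-in for the
# CA-signed certificate (valid 30 days), and an unrelated key.
make_demo_files() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
        -keyout "$1/gw.key" -out "$1/gw.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/gw.csr" -signkey "$1/gw.key" -days 30 \
        -out "$1/gw.cer" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo_files "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT   # remove the demo key material on exit
check_pair "$demo_dir/gw.cer" "$demo_dir/gw.key" "$demo_dir/gw.csr" 7
check_pair "$demo_dir/gw.cer" "$demo_dir/other.key" "$demo_dir/gw.csr" 7 ||
    echo "rejected (exit $?)"
```

The DAYS argument plays the same role as the Notification Period in step 12: a certificate that would expire inside that window is reported before it is installed.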

Bind the certificate and private key to a virtual server by using the GUI

After you create and link a certificate and private key pair, bind it to a virtual server.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Virtual Servers.
  2. In the details pane, click a virtual server, and then click Open.
  3. On the Certificates tab, under Available, select a certificate, click Add, and then click OK.

Bind the certificate and private key to a virtual server by using the CLI

At the command prompt, type:

bind ssl vserver <vServerName> -certkeyName <string> -ocspCheck ( Mandatory | Optional )

Example:

bind ssl vserver TestClient -CertkeyName ag51.xm.nsi.test.com -CA -ocspCheck Mandatory

Note: ocspCheck is optional if an OCSP check is not required for the device certificate.

Unbind test certificates from the virtual server by using the GUI

After you install the signed certificate, unbind any test certificates that are bound to the virtual server. You can unbind test certificates using the configuration utility.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Virtual Servers.
  2. In the details pane, click a virtual server, and then click Open.
  3. On the Certificates tab, under Configured, select the test certificate, and then click Remove.