How to Create a SAN Certificate using Certificate Manager

When creating a certificate for a web service it is sometimes necessary to cover multiple names so that the certificate validates whichever name the client used. For example, if the host is citrix.mycompany.local, some users might browse to the short name citrix and get a certificate error because that name is not on the certificate.

To allow the certificate to work with multiple hostnames you can add an extension known as the Subject Alternative Name (SAN); the entries in this extension are also checked against the hostname the client connected to.

The usual way to create a SAN certificate is to use a certificate template, as detailed here. However, this can be quite complex for some administrators, so I thought I'd document how to create a SAN certificate from the Certificate Manager GUI:


Launch the certificate management console: Start – Run, type mmc, then click File – Add/Remove Snap-in.

Select Certificates and then Computer Account.

Select Local Computer.

The Certificate management console will then be displayed.

Once we have the management console open, we need to create the request that the Certificate Authority will sign. As we require a SAN certificate we need to create a custom request: right-click the Certificates folder under the Personal store – All Tasks – Advanced Operations – Create Custom Request.

This will start the Certificate Enrolment Wizard.

Click Next in the Certificate Enrolment Wizard's welcome window.

Select "Proceed without enrolment policy" under Custom Request and click Next in the Custom Request window.

Select "(No template) Legacy key", choose PKCS #10 as the request format and click Next.

On the Certificate Information page click the Details icon, then Properties. This opens the Certificate Properties window, where we can define the different attributes of the request.

On the General tab, choose a friendly name.

Under the Subject tab we define the primary hostname (Common Name) and the DNS alternative names. The DNS entries are where you list every other hostname the certificate must be valid for.

Under the Extensions tab select Extended Key Usage and add Server Authentication from the available options.

Under Private Key, select the key size. Here I just left it at the default; you may want to select a key size that matches your corporate policy. Under Key Type select "Exchange".

Then choose a file name and the request is generated.

The Request can now be sent to the CA for signing.
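As an added example, not part of the original post: the same request the wizard builds, produced from the command line with certreq.exe and an INF file, followed by a certutil dump so you can confirm the SAN entries and the Server Authentication EKU are present before the request goes to the CA. The hostnames, friendly name and file names are placeholders.

```powershell
# Added example, not from the original post. KeySpec = 1 is the "Exchange" key
# type chosen in the wizard, RequestType = PKCS10 matches the "(No template)
# Legacy key" option, and MachineKeySet = TRUE puts the key in the Local
# Computer store selected in the snap-in. Hostnames are placeholders.
$inf = @'
[NewRequest]
Subject = "CN=citrix.mycompany.local"
FriendlyName = "Citrix web service"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server Authentication, as added on the Extensions tab
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension; one dns= entry per
; hostname the certificate must be valid for (long name and short name)
2.5.29.17 = "{text}"
_continue_ = "dns=citrix.mycompany.local&"
_continue_ = "dns=citrix&"
'@

Set-Content -Path .\san-request.inf -Value $inf -Encoding ASCII
certreq.exe -new .\san-request.inf .\san-request.req

# Confirm the SAN names and the EKU made it into the PKCS#10 before sending it to the CA
certutil.exe -dump .\san-request.req | Select-String -Pattern 'DNS Name=', 'Server Authentication'
```

If either pattern produces no output, the request is missing that attribute and the CA will issue a certificate without it, so fix the INF and regenerate rather than submitting.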

NetScaler 10.5 x – Subnet IP Address – Shows as Not configured

I recently upgraded a customer's NetScaler to version 10.5 54.9.nc and they got an annoying screen every time they logged into the GUI. It appears as if the initial configuration has not taken place.

The reason for this is that the address used to communicate with the back-end services is configured as a MIP rather than a SNIP. As there are very few differences between the two, this is a supported configuration.

It appears the new front-end GUI is not happy that a MIP is used instead of a SNIP, so to get rid of the message the IP type needs to change.

The simplest way to do this is to edit the ns.conf file directly and reboot the NetScaler. (Ensure the NetScaler is not part of an HA pair before doing this; if it is, follow the correct procedure so the configuration is replicated correctly.)

Find the line that defines the MIP. Mine looks like this:

add ns ip 1.2.3.4 255.255.255.0 -type MIP -vServer DISABLED

and change the type to SNIP:

add ns ip 1.2.3.4 255.255.255.0 -type SNIP -vServer DISABLED

After a reboot the NetScaler will load the config with the changed IP type.