Renewing self signed net scaler certificate

Started by Frederic gallard , 19 March 2017 - 07:54 AM
10 replies to this topic

Frederic gallard Members

Frederic gallard
  • 3 posts

Posted 19 March 2017 - 07:54 AM

Hello

 

I try to renew my NetScaler StoreFront certificate but I have no option to do that in NetScaler.

I have a selfsigned certificate for storefront and netscaler

 

I think the good way to do that is :

- renew from netscaler

- export the certificate from netscaler

- import in our two storefront VMs

 

I try to renew from one StoreFront but I can't export the private key from IIS.

 

Could anybody help me please ????

 

 



Carl Stalhood CTP Member

Carl Stalhood
  • 12,277 posts

Posted 19 March 2017 - 11:31 AM

How are you creating the certificate? In IIS, if you go to Server > Server Certificates, create a Certificate Request, get it signed, then Complete the request, it should be exportable.

 

http://www.carlstalhood.com/storefront-3-5-basic-configuration/#sslcert



Frederic gallard Members

Frederic gallard
  • 3 posts

Posted 19 March 2017 - 08:40 PM

Thanks for answer

 

I have created a new certificate request in IIS with Server > Server Certificates, create a Certificate Request.

 

Then I saved the file and used the certsrv utility to 'submit a new request'. I chose the file and I immediately got the following message: 'Request does not contain a certificate template extension...'

 

I'm searching for a rope :(



Paul Blitz Members

Paul Blitz
  • 4,004 posts

Posted 20 March 2017 - 11:10 AM

Just use the "Certificate wizard".

 

The wizard has 4 steps:

- create a private key file

- create a CSR file

- Create a certificate file by signing the CSR

- create a Cert-Key object, that points to the Key and Cert.



Frederic gallard Members

Frederic gallard
  • 3 posts

Posted 20 March 2017 - 11:23 AM

I can't find any Certificate wizard.

 

Where is it? In the NetScaler vx10 or in IIS StoreFront?

 

Thanks



Shalu Verma Citrix Employees

Shalu Verma
  • 37 posts

Posted 20 March 2017 - 01:11 PM

Hi Frederic,

 

You have to look in the NetScaler for the Certificate wizard. Go to NetScaler -- Traffic Management -- SSL -- Certificates. For your reference you can follow these articles.

 

https://support.citrix.com/article/CTX205290

 

https://support.citrix.com/article/CTX121617

 

https://support.citrix.com/article/CTX109711

 

https://support.citrix.com/article/CTX137073

 

 Please ignore if you have already taken a look at these.



sagar Phadatare Members

sagar Phadatare
  • 64 posts

Posted 20 March 2017 - 01:36 PM

I have already created one Self Signed Certificate, Now I want one more self signed certificate for VIP.

When I create the CSR, Key and Certificate it works fine. But when I create the Object (certkey) referring to the recently created certificate and Key it gives me the error below:

 

> add ssl certKey ns-mgmt-certificate -cert ns-mgmt.cer -key ns-mgmt-2048.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO
ERROR: Resource already exists [certkeyName Contents, OuterPing]
 

OuterPing is my previous self signed certificate.



Shalu Verma Citrix Employees

Shalu Verma
  • 37 posts

Posted 20 March 2017 - 01:48 PM

Hi Sagar,

 

If I understand you correctly you are using existing name to create a different certificate.

 

As far as I know you cannot create two certificates with the same name. The name should be unique.

 

You may follow this article https://support.citrix.com/article/CTX117284. It might help you.



sagar Phadatare Members

sagar Phadatare
  • 64 posts

Posted 21 March 2017 - 05:32 AM

Hi Shalu,

 

Obviously, the names are different; still I am unable to create the certificate.



Shalu Verma Citrix Employees
  • #10

Shalu Verma
  • 37 posts

Posted 21 March 2017 - 12:13 PM

Hi Sagar,

 

Could you please check the serial numbers, as we cannot install two certificates with the same serial number from the same certification authority. So you must install certificates with a unique serial number from the same certification authority. Each certification authority maintains a list of unique serial numbers for the certificates it has issued.

 

Check with the below command:

 

openssl x509 -in /nsconfig/ssl/<cert_name>.crt -text -noout | grep Serial

 

While searching I also found this link

http://discussions.citrix.com/topic/331040-ssl-update-resource-already-exists/

 

It might help you.

Please ignore if you have already had a look at these.
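
The serial-number check from the post above, extended to scan a whole directory and report every group of certificates that share both issuer and serial. This is an added example, not part of the original post and not Citrix code; the function names, the constructed sample certificates and the `demo.example` subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report certificates that share the same issuer AND serial.

# Print "issuer|serial|file" for every parseable PEM certificate in dir $1.
cert_ids() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Keys, CSRs and other non-certificate files fail to parse: skip them.
        out=$(openssl x509 -in "$f" -noout -issuer -serial 2>/dev/null) || continue
        issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer= *//p')
        serial=$(printf '%s\n' "$out" | sed -n 's/^serial=//p')
        printf '%s|%s|%s\n' "$issuer" "$serial" "$f"
    done
}

# Print only entries whose issuer+serial pair occurs more than once.
# Directory defaults to /nsconfig/ssl, the path used in the post above.
find_dup_serials() {
    cert_ids "${1:-/nsconfig/ssl}" | sort | awk -F'|' '
        { key = $1 "|" $2; count[key]++; lines[key] = lines[key] $0 "\n" }
        END { for (k in count) if (count[k] > 1) printf "%s", lines[k] }'
}

# Constructed sample data (hypothetical names): a.cer and b.cer are self-signed
# with the same subject and serial 1, c.cer has serial 2. Prints the temp dir.
make_sample_certs() {
    d=$(mktemp -d) || return 1
    for spec in a:1 b:1 c:2; do
        name=${spec%%:*}
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo.example" -set_serial "${spec#*:}" \
            -keyout "$d/$name.key" -out "$d/$name.cer" 2>/dev/null || return 1
    done
    printf '%s\n' "$d"
}

# Usage: sh dupserial.sh [directory]; with no argument nothing is scanned.
if [ "$#" -gt 0 ]; then find_dup_serials "$1"; fi
```

A self-signed certificate is its own issuer, so two self-signed certificates created with the same subject and the same serial show up here as a colliding pair.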



Paul Blitz Members
  • #11

Paul Blitz
  • 4,004 posts

Posted 27 March 2017 - 09:45 AM

If you are using the Netscaler certificate Wizard to create a certificate for use elsewhere, then simply skip the last step (create CertKey), then take the key and cert files off netscaler and import them into the windows server.

 

If you want to use a PKCS12 format cert on the windows machine, there's an "Export PKCS#12" option on the Netscaler's SSL menu... run this after creating the key & cert with the wizard