Monday, July 21, 2008

Create and Self-Sign Certs on the Netscaler Application Switch

#Create CA
create ssl rsakey ops-ca.key 1024
create ssl certreq ops-ca.csr -keyfile ops-ca.key
create ssl cert ops-ca.crt ops-ca.csr ROOT_CERT -keyfile ops-ca.key

shell
echo '01' > ops-ca-serial.srl
exit

#Create a Server cert for the NetScaler (for testing, if required)
create ssl rsakey ops-vip.key 1024
create ssl certreq ops-vip.csr -keyfile ops-vip.key
create ssl cert ops-vip.crt ops-vip.csr SRVR_CERT -CAcert ops-ca.crt -CAkey ops-ca.key -CAserial serial.srl

#create key and csr on the apache web servers
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out opswebserver_01.csr

#copy the csr back to the netscaler

#sign csr's from the web servers with the CA created on the netscaler
create ssl cert /nsconfig/ssl/opswebserver_01.crt /nsconfig/ssl/opswebserver_01.csr SRVR_CERT -CAcert /nsconfig/ssl/ops-ca.crt -CAkey /nsconfig/ssl/ops-ca.key -CAserial /nsconfig/ssl/ops-ca-serial.srl

#copy the crt back to the apache server and put it in the appropriate place and edit ssl.conf

#add the in-memory cert object that holds the SSL server certificate information for SSL handshakes
add ssl certkey ops-certkey -cert ops-vip.crt -key ops-vip.key

#bind the certkey to a vserver
bind ssl certkey Ops_VIP ops-vip.key [ -vserver | -service ]

#dont forget to copy all files in /nsconfig/ssl to the second netscaler


Final Key
#create new csr
create ssl certreq opsportal.someurl.com.csr -keyfile opsportal.someurl.com.key

#copy key file to second netscaler
#passphrase: xxxxx
#Submit csr to verisign
#Copy verisign cert into text file
#Copy cert file to both netscalers

#Create certkey on netscaler
add ssl certKey portal.cert -cert ops-portal.someurl.com.crt -key opsportal.someurl.com.key

#add Verisign intermediate cert
add ssl certkey vrisgn.intmed.cert -cert /nsconfig/ssl/verisign.intermediate.cert.crt

#link intermediate cert to portal-certkey
link ssl certkey portal.cert vrisgn.intmed.cert

#bind certkey to vserver
bind ssl certkey ops_vip opsportal.someurl.com.key -vserver

No comments: