
Generating a Self-Signed Certificate

The NetScaler appliance has a built-in CA tools suite that you can use to create self-signed certificates for testing purposes.

Caution: Because these certificates are signed by the NetScaler itself, not by an actual CA, you should not use them in a production environment. If you attempt to use a self-signed certificate in a production environment, users will receive a "certificate invalid" warning each time the virtual server is accessed.

The NetScaler supports creation of the following types of certificates:

- Root-CA certificates
- Intermediate-CA certificates
- End-user certificates
  - Server certificates
  - Client certificates

Before generating a certificate, create a private key and use that to create a certificate signing request (CSR) on the appliance. Then, instead of sending the CSR out to a CA, use the NetScaler CA Tools to generate a certificate. For details on how to create a private key and a CSR, see Obtaining a Certificate from a Certificate Authority.

To create a certificate by using a wizard


1. In the navigation pane, click SSL.
2. In the details pane, under Getting Started, select the wizard for the type of certificate that you want to create.
3. Follow the instructions on the screen. For more information about specific parameters, see Parameters for creating a self-signed certificate.

Parameters for creating a self-signed certificate


certFile (Certificate File Name)
The name of the generated certificate file. The newly created certificate file is stored by default in the /nsconfig/ssl/ directory.

reqFile (Certificate Request File Name)
The certificate signing request (CSR) file that is used to generate the certificate.

certType (Certificate Type)
The type of the certificate being created. You can create a Root Certificate, an Intermediate Certificate, a Client Certificate or a Server Certificate. Select one of the following options:

- ROOT_CERT: Specifies a self-signed Root-CA certificate. If you choose this setting, you must also set the -keyFile parameter. The generated Root-CA certificate can be used for signing end-user certificates (Client/Server) or to create Intermediate-CA certificates.
- INTM_CERT: Specifies an Intermediate-CA certificate.
- CLNT_CERT: Specifies an end-user client certificate that is used for client authentication.
- SRVR_CERT: Specifies an SSL server certificate to be used on physical SSL servers for an SSL backend-encryption setup.

The parameters CAcert, CAkey, and CAserial are mandatory when creating an intermediate, client, or server certificate.

keyFile (Key File Name)
The private key used to create the certificate. You can either use an existing RSA or DSA key that you own or create a new private key on the NetScaler. This file is required only when creating a self-signed Root-CA certificate. The key file is stored in the /nsconfig/ssl directory by default.

Note: If the input key specified is an encrypted key, the user will be prompted to enter the PEM pass-phrase that was used for encrypting the key.

keyform (Key Format)
The file format in which the private key is stored. Possible values: PEM, DER. Default: PEM.

days (Validity Period)
The number of days for which the created certificate will be valid. The certificate is valid from the time and day (system time) of its creation for the number of days specified in this field. Minimum value: 1. Maximum value: 3650. Default: 365 days.

certForm (Certificate Format)
The format in which to save the certificate. Possible values: PEM, DER. Default: PEM.

CAcert (CA Certificate File Name)
The CA certificate file that will issue and sign the Intermediate-CA certificate or the end-user certificates (Client/Server). The default input path for the CA certificate file is /nsconfig/ssl/.

CAcertForm (CA Certificate File Format)
The format in which to store the CA certificate. Possible values: PEM, DER. Default: PEM.

CAkey (CA Key File Name)
The private key associated with the CA certificate that is used to sign the Intermediate-CA certificate or the end-user certificates (Client/Server). If the CA key file is password protected, the user will be prompted to enter the pass-phrase used when encrypting the key.

CAkeyForm (CA Key File Format)
The file format in which the private key of the CA certificate is stored. Possible values: PEM, DER. Default: PEM.

CAserial (CA Serial Number File)
The serial number file maintained for the CA certificate. The file will contain the serial number of the next certificate to be issued/signed by the CA (-CAcert). If the specified file does not exist, a new file will be created. The NetScaler stores the newly generated file in the /nsconfig/ssl/ directory by default.

Note: Specify the proper path of the existing serial file. Otherwise, a new serial file will be created, and that can change the certificate serial numbers assigned by the CA certificate to each of the certificates it signs.
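The serial-file note is worth seeing in action. The following is an added Python example, not NetScaler code: it models the -CAserial behaviour described above, assuming the OpenSSL-style convention of a text file holding the hex serial of the next certificate (the NetScaler CA tools are OpenSSL-based, but the exact file format is an assumption here). The file names and the "typo" path are constructed for the demonstration.

```python
import os
import tempfile

# Constructed example: the serial file holds the NEXT serial as hex, OpenSSL style.
INITIAL_SERIAL = "01"


def next_serial(path: str) -> int:
    """Return the serial to assign now and advance the file to the next one."""
    if not os.path.exists(path):
        # Behaviour described on the page: a missing file is silently created,
        # so numbering restarts from the initial value.
        with open(path, "w") as fh:
            fh.write(INITIAL_SERIAL + "\n")
    with open(path) as fh:
        current = int(fh.read().strip() or INITIAL_SERIAL, 16)
    with open(path, "w") as fh:
        fh.write(format(current + 1, "02X") + "\n")
    return current


def duplicate_serials(issued):
    """Serials that appear more than once among certificates from one issuer.

    A CRL entry or OCSP query identifies a certificate by (issuer, serial), so
    two live certificates sharing a serial cannot be revoked independently.
    """
    seen, dupes = set(), set()
    for serial in issued:
        (dupes if serial in seen else seen).add(serial)
    return sorted(dupes)


def demo_serial_file_mistake():
    """Sign two certs with the right serial file, then one with a wrong path."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "ca.srl")          # constructed path
        issued = [next_serial(good), next_serial(good)]  # serials 1 and 2
        # A mistyped path makes the tools create a fresh file starting at 01,
        # so the third certificate reuses serial 1.
        issued.append(next_serial(os.path.join(workdir, "ca.srl.typo")))
        return issued, duplicate_serials(issued)
```

Running demo_serial_file_mistake() returns the issued serials [1, 2, 1] and flags 1 as a duplicate, which is exactly the failure the note warns about.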

To create a Root-CA certificate by using the configuration utility


1. In the navigation pane, click SSL.
2. Under SSL Certificates, click Create Certificate.
3. In the Create Certificate dialog box, specify values for the following parameters, which correspond to the parameters described in Parameters for creating a self-signed certificate:

- Certificate File Name*
- Certificate Format
- Certificate Type
- Certificate Request File Name*
- Key File Name*
- Key Format
- PEM Passphrase (For Encrypted Key). If the key is encrypted, you are prompted to enter the password at run time on the CLI.
- Validity Period (Number of Days)

* A required parameter

Note: Instead of typing the file name, you can use the browse button to launch the NetScaler file browser and select the file.

4. Click Create, and then click Close. The Root-CA certificate you created is saved on the NetScaler.

To create an Intermediate-CA certificate or end-user certificate by using the configuration utility


1. In the navigation pane, click SSL.
2. Under SSL Certificates, click Create Certificate.
3. In the Create Certificate dialog box, specify values for the following parameters, which correspond to the parameters described in Parameters for creating a self-signed certificate:

- Certificate File Name*
- Certificate Format
- Certificate Type
- Certificate Request File Name*
- PEM Passphrase (For Encrypted Key). If the key is encrypted, you are prompted to enter the password at run time on the CLI.
- Validity Period (Number of Days)
- CA Certificate File Name*
- CA Certificate File Format
- CA Key File Name*
- CA Key File Format
- PEM Passphrase (For Encrypted CA Key)
- CA Serial Number File*

* A required parameter

Note: Instead of typing the file name, you can use the browse button to launch the NetScaler file browser and select the file.

4. Click Create, and then click Close. The Intermediate-CA certificate you created is saved on the NetScaler.

Generating a Diffie-Hellman (DH) Key


The Diffie-Hellman (DH) key exchange is a way for two parties involved in an SSL transaction that have no prior knowledge of each other to agree upon a shared secret over an insecure channel. This secret can then be converted into cryptographic keying material, mainly for symmetric-key cipher algorithms that require such a key exchange. This feature is disabled by default and must be specifically configured to support ciphers that use DH as the key exchange algorithm.

Note: Generating a 2048-bit DH key may take a long time (up to 30 minutes).

Parameters for creating a DH Key


dhFile (DH File Name)
The name of the DH key that is created. The DH key is stored in the /nsconfig/ssl directory on the appliance by default.

bits (DH Parameter Size)
The size in bits of the DH key being generated.

gen (DH Generator)
The random number required for generating the DH key. This is required as part of the DH key generation algorithm. Possible values: 2, 5. Default value: 2.

To generate a DH key by using the configuration utility


1. In the navigation pane, click SSL.
2. Under Tools, click Create Diffie-Hellman (DH) Key.
3. In the Create DH Param dialog box, specify values for the following parameters, which correspond to the parameters described in Parameters for creating a DH Key:

- DH File Name (with path)*
- DH Parameter Size (Bits)*
- DH Generator

* A required parameter

4. Click OK.
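To make the bits and gen parameters concrete, here is an added Python example (not NetScaler code) of what a DH parameter file provides and how the exchange turns it into symmetric keying material: a safe-prime group of the requested size, the parameter check a tool should make before trusting a group, and both sides of the exchange arriving at the same key. It uses a toy 64-bit group so it runs in well under a second; the 2048-bit groups mentioned above are what the appliance generates, and that size is why generation can take so long. The SHA-256 key derivation is a simplification chosen for this example, not the TLS key schedule.

```python
import hashlib
import random

# Added example, not NetScaler code. Toy sizes only: real groups are 2048-bit.


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int) -> bool:
    """p must be a safe prime (p = 2q + 1 with q prime); then every g other
    than 1 and p-1 has order q or 2q, which is why gen can simply be 2 or 5."""
    q = (p - 1) // 2
    return is_probable_prime(p) and is_probable_prime(q) and 1 < g < p - 1


def generate_safe_prime(bits: int) -> int:
    """Random search for a safe prime of the requested size (the slow step
    behind the 'DH Parameter Size' field)."""
    while True:
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def derive_key(shared: int, p: int) -> str:
    """Turn the shared secret into fixed-length symmetric keying material."""
    secret = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret).hexdigest()


def dh_exchange(p: int, g: int):
    """Run both sides; returns (server_key, client_key), which must be equal."""
    a, b = random.randrange(2, p - 1), random.randrange(2, p - 1)  # private
    A, B = pow(g, a, p), pow(g, b, p)  # public values sent in the clear
    return derive_key(pow(B, a, p), p), derive_key(pow(A, b, p), p)
```

Each side combines its own private exponent with the other side's public value, so only the public values cross the insecure channel and both sides still obtain the same key.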
