While working with Citrix NetScaler appliances i am requesting new public signed certificates every so often. However sometimes you might want to test your configuration first before buying the certificates. One way of doing this is with selfsigned certificates, another is with a free SSL service like Let’s Encrypt.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
It is a service provided by the Internet Security Research Group (ISRG).
They provide certificates with a lifetime of 90 days and renewing a certificate is done within a couple of minutes, which is perfect for testing, a homelab or small environments.
In this blog article i will explain:
- How to install and configure a Linux appliance for use with Let’s Encrypt
- How to configure your NetScaler with a responder policy for domain validation
- How to request and export the Certificates from the Linux appliance and import them onto your NetScaler
- And Finally how to bind them to your a NetScaler Virtual Server
As i wanted to setup the configuration with a low footprint on my environment i decided to install the Linux appliance based on CentOS 7 minimal edition, which you can find at https://www.centos.org/download/
Welcome to CentOS Linux 7
Select Installation Destination and select the disk
Select Network & Hostname and configure your Network
Next Begin Installation and set a ROOT Password
Finish Installation and Reboot
Once Rebooted you can connect with an SSH Client to the configured IP address
Install Let’s Encrypt
Login as root and the password you set earlier:
First we are going to enable the EPEL repository
sudo yum install epel-release
Now we can install Certbot which contains the components for Let’s Encrypt
sudo yum install certbot
If the installation succeeded you are ready to configure your NetScaler
Configure NetScaler Responder Policy
Login to your NetScaler and go to AppExpert > Responder > HTML Page Imports
Create a HTML page
Import From: Text
Text Field: *** TEST ***
Next go to Responder Actions > ADD
Type: Respond with HTML Page
HTML Page: HTML_LetsEncrypt
Response Status Code: 200
Next go to Responder Policies > ADD
Now that we have a Responder Policy Created we can bind it to a Content Switch
Go to Traffic Management > Content Swiching
Select Virtual Servers > ADD
IP Address: one that is accesible from the internet through Firewall or otherwise
Select Policies from the Right Side and add the Responder Policy
Select the responder policy RESP_LetsEncrypt and select BIND
Finally Select Done to create the Content Switch
In the above steps we have created a responder policy and bound it to a new Content Switching Virtual Server.
Before requesting a certificate, validate that the website is reachable from the internet, this should show the content of the HTML page we created.
Request a Certificate
Now that you confirmed that the reponder policy is working we can request a certificate from the Linux appliance.
certbot certonly –manual –email info@MvanWilligen.com -d CERT.MvanWilligen.com –rsa-key-size 2048
Agree on the Terms of Service
When you have accepted the above you get the “Press ENTER to continue”…However before doing so we need to copy the marked string and place it in the HTML Page that we created with the reponder Policy.
Again you can confirm this by opening the website
When requesting the certificate Let’s Encrypt will first validate that website by checking the string value.
Finally we can press Enter to continue
When the certificate request had been validated, you will see a Congratulations! 🙂
Next browse to /etc/letsencrypt/live/cert.yourdomain.com/
Here we find the following files:
cert.pem > Server Certificate
chain.pem > Root and Intermediate Certificates
fullchain.pem > Server and chain Certificates
privkey.pem > Private Key for Server Certificate
As a last step we need to change the format of the Server Certificate and private key to have it imported on the NetScaler.
For this we use OpenSSL:
openssl rsa -outform der -in privkey.pem -out privkey.key
openssl x509 -outform der -in cert.pem -out cert.cer
Finally we copy the files over to the NetScaler, which we can do directly with SCP
scp /etc/letsencrypt/live/cert.mvanwilligen.com/* email@example.com:/nsconfig/ssl
Or through an FTP Program like WinSCP
Once this has been done, you can safely switch off the Linux appliance and disable the content switch untill the next certificate request.
Install Certificate on NetScaler
Go to Traffic Management > SSL > SSL Certificate > CA Certificates
Next go to Traffic Management > SSL > SSL Certificate > Server Certificates
Finally Link the Server certificate to the CA Certificate
Finally the certificate is ready and can be bound to your vServer
When you have to renew your certificates or want to request new ones you only have to repeat the steps:
- Request a Certificate
- Install Certificate on Netscaler
Thank you for reading and feel free to leave a commment.