Every now and then it's necessary to actually look into an SSL stream between the client and the NetScaler to inspect what is really happening. I struggled with this topic quite a bit, and the documentation (e.g. from Citrix) is not always complete. I will not pretend this document covers everything, but I have had good success decrypting traces with the following procedure. If you have any additions please let me know and I will be happy to add them to this post.
Posts Categorized: Openssl
I had to create a SAN cert. If you google you will find a lot of articles telling you to modify your openssl.cfg. You can also do it with a single command. I put some special characters in the command on purpose, to show which ones need to be escaped:
openssl req -new -newkey rsa:2048 -keyout new_private.key -sha256 -subj "/C=NL/ST=Noord-Holland/L='s-Hertogenbosch/O=Your Organization/OU=I&CT/CN=common_name.nl" -addext "subjectAltName=DNS:common_name.nl,DNS:alternate_name" -out new_certificate_request.csr

Note that the alternate names do not go inside -subj: a "subjectAltName=" component in the subject only adds an odd attribute to the distinguished name and does not produce a SAN extension in the request. The extension has to be added with -addext (OpenSSL 1.1.1 and newer), which is exactly what the openssl.cfg edit in those other articles achieves. Inside -subj only the characters /, + and \ need a backslash in front of them; the ' and & in this example need no escaping as long as the whole value is between double quotes. Add -nodes if you want the private key written without a pass phrase.

You can specify more alternate names by adding more entries to the -addext value, separated by commas:

-addext "subjectAltName=DNS:common_name.nl,DNS:alternate_name,DNS:alternatename2,DNS:alternatename3"

If you edit openssl.cfg instead, the same names are listed in the alt_names section as DNS.1=alternate_name, DNS.2=alternatename2, DNS.3=alternatename3, etc.
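The following script is an added example and not part of the original post: it wraps the CSR command above in a function that accepts any number of alternate names, then reads the SAN names back out of the CSR and checks that the CSR really belongs to the key that was written next to it. It assumes OpenSSL 1.1.1 or newer on the PATH (for -addext); the file names and host names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: create a CSR with a real subjectAltName extension holding
# several DNS names, then verify the request. Not from the original post.
# Assumes openssl 1.1.1+ on PATH; names and paths below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_san_csr KEYFILE CSRFILE CN ALT1 [ALT2 ...]
# Writes an unencrypted 2048-bit RSA key and a SHA-256 signed CSR whose SAN
# extension lists the CN plus every alternate name given on the command line.
make_san_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    san="DNS:$cn"
    for alt in "$@"; do
        san="$san,DNS:$alt"
    done
    # Only /, + and \ would need escaping inside -subj; ' and & are fine.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" \
        -subj "/C=NL/ST=Noord-Holland/L='s-Hertogenbosch/O=Your Organization/OU=I&CT/CN=$cn" \
        -addext "subjectAltName=$san" \
        -out "$csr" 2>/dev/null
}

# csr_san_names CSRFILE
# Prints the DNS names found in the CSR's SAN extension, one per line, so the
# request can be checked before it is sent to a CA.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ {getline; print}' \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# csr_matches_key CSRFILE KEYFILE
# Returns 0 when the public key in the CSR is the one derived from KEYFILE;
# the same comparison later avoids "key values mismatch" when building a PFX.
csr_matches_key() {
    a=$(openssl req  -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Usage: `make_san_csr "$WORK/new_private.key" "$WORK/new_certificate_request.csr" common_name.nl alternate_name alternatename2` followed by `csr_san_names "$WORK/new_certificate_request.csr"` prints the three names; `openssl req -in ... -noout -text` is also what a CA operator will look at when the request is refused for a missing SAN.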
At the moment I'm working a lot with NetScaler and SHA256 certificates. I noticed that since the change to SHA256 certs the NetScaler has some difficulties importing them. The error you get is: Invalid private key, or PEM pass phrase required for this private key.
Decrypting a private key
At this moment I'm using this command a lot, so I thought it would come in handy to write a separate article about it (easier to find). The command you use to convert a private key to PEM format is……..
In some cases it’s necessary to create a pfx file which contains the root and intermediate certificates. We have an application that will not accept the certificate without the certificate chain in there. So here’s how to make that work.
A little article about Certificate requesting and processing with OpenSSL.
I got this error trying to generate a .pfx file from a newly received certificate. The error scared me a little because I was absolutely sure I had matched the correct private key with the certificate.
This seems to be an ongoing issue with OpenSSL on Windows. The RANDFILE variable is ignored.
Just set it with the following command:
set RANDFILE=.rnd
The .rnd file is then written in the current directory, so use a full path if you want it kept in one place. You need to set the variable in each new command prompt, or add it to the machine variables once and restart your machine.
In this article I'm going to show you the commands you need to convert your .PFX certificate file into a separate certificate and key file. This article can come in handy when you need to import your certificates on devices like Cisco routers or load balancers, where you usually have to import the certificate and key file in plain text (unencrypted). My tool of choice (but there might be others) is OpenSSL for Windows, which can be downloaded here.
Howto create a PFX File
In this topic I hope to give a little information about certificates, PFX files and how to export them into other formats. A lot of applications require a certificate in some format (encrypted or not) to encrypt their data stream. In this topic I'm going to cover how to create a PFX file. A PFX (PKCS#12) file is a password-protected container that holds your certificate (and with it your public key), optionally the CA chain, and your private key. I'm not going to cover how PKI works, but just click this link or use Google and you'll find all the information you need.
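The script below is an added example, not code from any of the posts above; it strings together the PFX-related posts on this page (decrypting a private key, building a PFX that carries the chain, the "key values mismatch" error, splitting a PFX back into a plain-text certificate and key, and the RANDFILE workaround) so every step can be checked. It assumes openssl 1.1.1 or newer on the PATH; the root CA, intermediate, server certificate, host name and pass phrases are all generated on the spot for the demonstration and are not real.

```shell
#!/bin/sh
# Added example (not from the original posts): the PFX round trip with OpenSSL.
#   1. strip the pass phrase from an encrypted key (what NetScaler wants),
#   2. build a PFX that carries certificate + intermediate + root,
#   3. split a PFX into plain-text cert, chain and key files,
#   4. check that key and certificate belong together before exporting.
# Assumes openssl 1.1.1+ on PATH. Demo CA, names and pass phrases are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
export RANDFILE="$WORK/.rnd"   # shell equivalent of the Windows 'set RANDFILE=.rnd'

# SHA-256 over the public key, so certificate and key files can be compared
# regardless of their container format.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}
# key_pubkey_hash KEYFILE [PASSPHRASE]
key_pubkey_hash() {
    openssl pkey -in "$1" -passin "pass:${2:-}" -pubout 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# make_demo_pki DIR: root CA -> intermediate CA -> server cert (demo only),
# plus the server key stored encrypted with the pass phrase "keypass".
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$d/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/chain.crt"
    # the encrypted form a CA portal or a Windows export typically hands you
    openssl rsa -in "$d/server.key" -aes256 -passout pass:keypass -out "$d/server.enc.key" 2>/dev/null
}

# key_is_encrypted FILE: 0 when the PEM key still carries a pass phrase.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# decrypt_key ENCRYPTED PASSPHRASE OUT: remove the pass phrase; the result is the
# PEM key NetScaler imports without "PEM pass phrase required for this private key".
decrypt_key() { openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null; }

# make_pfx KEY CERT CHAIN PASSPHRASE OUT: PFX with key, server cert and the
# intermediate + root, for applications that refuse a certificate without its chain.
# openssl would stop with "key values mismatch" if KEY and CERT do not belong
# together; comparing public keys first gives a clearer message.
make_pfx() {
    if [ "$(key_pubkey_hash "$1")" != "$(cert_pubkey_hash "$2")" ]; then
        echo "make_pfx: $1 is not the private key for $2" >&2
        return 1
    fi
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -passout "pass:$4" -out "$5"
}

# split_pfx PFX PASSPHRASE OUTDIR: plain-text cert.pem, chain.pem and unencrypted
# key.pem for devices (Cisco, load balancers) that want separate PEM files.
# Re-reading through "openssl x509" / "openssl rsa" strips the Bag Attributes.
split_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null | openssl x509 -out "$3/cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/chain.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl rsa -out "$3/key.pem" 2>/dev/null
}

# verify_chain ROOT CHAIN CERT: does the exported material still form a valid chain?
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null; }
```

Usage: `make_demo_pki "$WORK"; decrypt_key "$WORK/server.enc.key" keypass "$WORK/server.plain.key"; make_pfx "$WORK/server.plain.key" "$WORK/server.crt" "$WORK/chain.crt" pfxpass "$WORK/server.pfx"; split_pfx "$WORK/server.pfx" pfxpass "$WORK"`. With a real certificate, replace make_demo_pki by the files you received from the CA; the key comparison in make_pfx is the check to run first whenever openssl reports "key values mismatch".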