This documentation applies to a Citrix Netscaler running firmware version 9.3 and assumes that SHA1 wildcard certificates with multiple SAN names are being used. The certificate type can be determined by working with your third-party certificate vendor. In this example, DigiCert was used.

Generate an RSA Key

1)  Sign in to your Netscaler
2)  Expand SSL on the left
3)  Click Create RSA Key under “SSL Keys”

[Screenshot]

4)  Fill in a Key File Name and make a note of this name
5)  Key Size 2048
6)  Select the options as shown in the screenshot above
7)  Enter a password and make a note of this as well
8)  Click Create

Generate a CSR

Citrix recommends that the CSR for multi-SAN certificates be generated through the CLI (the command-line interface, accessed with a client such as PuTTY); however, after some testing it appears that on the Netscaler 7500 v9.3 this does not work properly. If you have a different model or firmware version, see CTX135602 and skip the “Generate a CSR” instructions in this article.

1)  Login to your Netscaler
2)  Expand SSL
3)  Under SSL Certificates click on “Create CSR”
4)  Provide your request file name
5)  Then browse to the RSA key in the “Key File Name” section
6)  Choose PEM key format
7)  Fill in Common name for the certificate, City, Organization Name, Country, State and Organization Unit
8)  Click Create

[Screenshot]

Obtain the Certificate

1)  After clicking Create, the following screen will appear
2)  Copy the CSR text and provide it to your certificate vendor in order to get a certificate. This process will vary depending on your organization and the certificate company you purchase certificates from.

[Screenshot]

Upload, Install and Link the Certificate

Once the certificate has been downloaded from the vendor’s website, it needs to be uploaded to the Netscaler.

1)  Go to SSL
2)  Under Tools choose Manage Certificates/Keys/CSRs

[Screenshot]

Install the Certificate

1)  Choose SSL, then Certificates and then click Install
2)  Browse to the Certificate File Name
3)  Browse to the Private Key
4)  Enter the password used to create the private key above

[Screenshot]

5)  Click Install and the certificate will be added to the certificate list on the Netscaler

Verify Certificate Links and Configure the Netscaler to use the New Certificate

Read before proceeding: If any interruption of service requires downtime in your organization, do not proceed until a planned work window has been arranged.

1)  Within the Netscaler verify your certificate links
Note: If you are using the same certificate vendor and same certificate type as the last time this was done in your organization then this will not need to be changed.
2)  Select your intermediate certificate and choose Link from the bottom of the screen

[Screenshot]

3)  Verify that the Intermediate Certificate is linked to the root certificate
4)  Then select your newly added certificate
5)  Choose Link and select the Intermediate certificate
Note: When complete the certificate links will look similar to what is shown below

[Screenshot]
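
The key/certificate pairing from the install step and the server, intermediate and root links verified above can also be checked with OpenSSL on a workstation before the work window. The script below is an added example, not part of the original article; it assumes OpenSSL 1.1.1 or later, and the file names, the `KEY_PASS` variable and the `example.test` names are constructed for the demo.

```shell
# Added example: workstation checks before uploading a certificate to the Netscaler.
# File names and the example.test names are constructed for this demo.

# True if key and certificate hold the same public key (KEY_PASS = key password).
key_matches_cert() {  # <key.pem> <cert.pem>
  k=$(KEY_PASS="${KEY_PASS-}" openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if server cert -> intermediate -> root verifies (the links made in the GUI).
chain_ok() {  # <root.pem> <intermediate.pem> <cert.pem>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Print the DNS names in the certificate's SAN extension, one per line.
cert_sans() {  # <cert.pem>
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Run all checks; remaining arguments are the SAN names the certificate must carry.
precheck() {  # <key> <cert> <intermediate> <root> <san>...
  key=$1 cert=$2 int=$3 root=$4; shift 4
  key_matches_cert "$key" "$cert" || { echo "FAIL: key does not match certificate"; return 1; }
  chain_ok "$root" "$int" "$cert" || { echo "FAIL: chain does not verify"; return 2; }
  for n in "$@"; do
    cert_sans "$cert" | grep -qxF -- "$n" || { echo "FAIL: SAN $n missing"; return 3; }
  done
  echo OK
}

# Constructed sample input: throwaway root, intermediate and wildcard SAN certificate.
make_demo_chain() {  # <dir>
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n[v3_leaf]\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' >"$1/x.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/x.cnf" -extensions v3_ca \
    -subj '/CN=Demo Root' -keyout "$1/root.key" -out "$1/root.pem" -days 2
  for who in int leaf; do
    openssl req -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=demo-$who" \
      -keyout "$1/$who.key" -out "$1/$who.csr"
  done
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions v3_ca -out "$1/int.pem" -days 2
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions v3_leaf -out "$1/leaf.pem" -days 2
} >/dev/null 2>&1

demo=$(mktemp -d) && make_demo_chain "$demo"
precheck "$demo/leaf.key" "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem" '*.example.test' example.test
```

For a real renewal, call `precheck` with the key and certificate files you will upload, the vendor's intermediate and root, and each SAN name you requested.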

Apply the Certificate to your Virtual Servers

1)  Next apply the new certificate to the virtual server(s) that will use the certificate
2)  Within the Netscaler go to Access Gateway and then Virtual Servers
3)  Select the Virtual Server, right-click and choose Open

[Screenshot]

4)  Select the new certificate and click “Add”

[Screenshot]

5)  Select the old certificate and click “Remove”
6)  Click OK
7)  Choose Save in the upper right hand corner of the screen to save the configuration
8)  Test and verify that the new certificate is functional
9)  Remove the old expired certificates under SSL Certificates on the Netscaler
10)  Choose Remove at the bottom of the screen

Note: It is OK to leave the old certificates in place until you are certain the new certificates are functional for everyone. A reason to leave them in place would be an unexpected need to roll back to the old certificate before it expires.

11)  Choose Save in the upper right hand corner of the screen to save the configuration
12)  Test and verify that the new certificate is functional