Free SSL Certificates with Let’s Encrypt and NetScaler


While working with Citrix NetScaler appliances I request new publicly signed certificates every so often. However, sometimes you want to test your configuration first before buying the certificates. One way of doing this is with self-signed certificates; another is with a free SSL service like Let’s Encrypt.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
It is a service provided by the Internet Security Research Group (ISRG).

They provide certificates with a lifetime of 90 days and renewing a certificate is done within a couple of minutes, which is perfect for testing, a homelab or small environments.

In this blog article I will explain:

  • How to install and configure a Linux appliance for use with Let’s Encrypt
  • How to configure your NetScaler with a responder policy for domain validation
  • How to request and export the certificates from the Linux appliance and import them onto your NetScaler
  • And finally how to bind them to a NetScaler virtual server

As I wanted to set up the configuration with a low footprint on my environment, I decided to install the Linux appliance based on CentOS 7 minimal edition, which you can find at https://www.centos.org/download/

Install CentOS

Boot the CentOS 7 minimal installer and work through the following screens:

  • Welcome to CentOS Linux 7
  • Installation Summary
  • Select Installation Destination and select the disk
  • Select Network & Hostname and configure your network
  • Select Begin Installation and set a root password
  • Finish the installation and reboot

Once rebooted you can connect with an SSH client to the configured IP address.

Install Let’s Encrypt

Log in as root with the password you set earlier.

First we are going to enable the EPEL repository:

sudo yum install epel-release

Now we can install Certbot, which contains the components for Let’s Encrypt:

sudo yum install certbot

If the installation succeeded you are ready to configure your NetScaler.

Configure NetScaler Responder Policy

Login to your NetScaler and go to AppExpert > Responder > HTML Page Imports

Create an HTML page:

Name: HTML_LetsEncrypt
Import From: Text
Text Field: ***  TEST  ***

Next go to Responder Actions > ADD

Name: ACT_LetsEncrypt
Type: Respond with HTML Page
HTML Page: HTML_LetsEncrypt
Response Status Code: 200


Next go to Responder Policies > ADD

Name: RESP_LetsEncrypt
Action: ACT_LetsEncrypt
Expression: true


Now that we have a responder policy created we can bind it to a Content Switching virtual server.

Go to Traffic Management > Content Switching

Select Virtual Servers > ADD

Name: CS_LetsEncrypt
Protocol: HTTP
IP Address: one that is accessible from the internet on port 80, through the firewall or otherwise

Select Policies from the right side and add the responder policy.

Select the responder policy RESP_LetsEncrypt and select BIND.

Finally select Done to create the Content Switching virtual server.

In the above steps we have created a responder policy and bound it to a new Content Switching virtual server.
Before requesting a certificate, validate that the website is reachable from the internet; it should show the content of the HTML page we created.

Request a Certificate

Now that you have confirmed that the responder policy is working, we can request a certificate from the Linux appliance:

certbot certonly --manual --email info@MvanWilligen.com -d CERT.MvanWilligen.com --rsa-key-size 2048

Agree to the Terms of Service.

When you have accepted the above you get the prompt “Press ENTER to continue”. However, before doing so we need to copy the marked string (the challenge response that Certbot prints) and place it in the HTML page that we created for the responder policy.

Again you can confirm this by opening the website; it should now show the copied string instead of the test text.

When requesting the certificate, Let’s Encrypt will first validate the website by fetching it and checking the string value.
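A pre-flight check for this step, added here as an example and not part of the original post: Certbot prints the challenge URL (http://<domain>/.well-known/acme-challenge/<token>) and the string to serve, and the script below fetches that URL the way the ACME server will and reports whether the responder returns exactly that string with HTTP 200, so you know before pressing Enter. The domain, token and key-authorization values in the block are constructed sample values, and the fetcher is injectable so the check can be exercised offline.

```python
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample values (not a real token or account thumbprint).
SAMPLE_TOKEN = "aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdef-_"
SAMPLE_KEYAUTH = SAMPLE_TOKEN + ".0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")  # base64url token, no padding


def challenge_url(domain, token):
    """Build the URL the ACME server will fetch for this token."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not a base64url ACME token")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def fetch(url, timeout=10):
    """Default fetcher over plain HTTP; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "http01-precheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:  # a 4xx/5xx still carries a status worth reporting
        return e.code, e.read().decode("utf-8", "replace")


def check_http01(domain, token, key_authorization, fetcher=fetch):
    """Return (ok, reason); ok only if the exact key authorization is served."""
    if not key_authorization.startswith(token + "."):
        return False, "key authorization does not start with the token"
    try:
        status, body = fetcher(challenge_url(domain, token))
    except (URLError, OSError) as e:
        return False, f"site unreachable: {e}"
    if status != 200:
        return False, f"got HTTP {status}, the responder action must return 200"
    # RFC 8555 section 8.3: only trailing whitespace may be ignored, nothing else.
    if body.rstrip() != key_authorization:
        return False, "body differs from key authorization (stale HTML page?)"
    return True, "challenge response served correctly"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: http01_precheck.py <domain> <token> <key-authorization>")
    ok, why = check_http01(*sys.argv[1:4])
    print(why)
    sys.exit(0 if ok else 1)
```

Because the responder policy uses the expression true, every path on the virtual server returns the page, which is why a leftover test string or an extra line in the imported HTML page shows up as a body mismatch here.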

Finally we can press Enter to continue.

When the certificate request had been validated, you will see a Congratulations! 🙂

Next browse to /etc/letsencrypt/live/cert.yourdomain.com/

Here we find the following files:

cert.pem > Server Certificate
chain.pem > Root and Intermediate Certificates
fullchain.pem > Server and chain Certificates
privkey.pem > Private Key for Server Certificate

As a last step we need to convert the server certificate and private key to a format that can be imported on the NetScaler.
For this we use OpenSSL:

openssl rsa -outform der -in privkey.pem -out privkey.key
openssl x509 -outform der -in cert.pem -out cert.cer

Finally we copy the files over to the NetScaler, which we can do directly with SCP:

scp /etc/letsencrypt/live/cert.mvanwilligen.com/* nsroot@10.2.2.25:/nsconfig/ssl

or through an SFTP client like WinSCP.

Once this has been done, you can safely switch off the Linux appliance and disable the content switch until the next certificate request.

Install Certificate on NetScaler

Go to Traffic Management > SSL > SSL Certificate > CA Certificates and install the chain (chain.pem) as a CA certificate.

Next go to Traffic Management > SSL > SSL Certificate > Server Certificates and install the converted server certificate (cert.cer) with its private key (privkey.key).

Then link the server certificate to the CA certificate.

Finally the certificate is ready and can be bound to your vServer.

When you have to renew your certificates or want to request new ones you only have to repeat the steps:

  • Request a Certificate
  • Install Certificate on NetScaler

Thank you for reading and feel free to leave a comment.


Martijn van Willigen

Martijn van Willigen works as a Technical Consultant at Detron, with a focus on Citrix NetScaler, XenApp, XenDesktop, XenMobile, ShareFile, CloudPlatform, XenServer, VMware ESX, RES Software and Cisco.
