Part 1 – Generating Private Keys and Certificate Signing Requests (CSR).
I recently had to do this in my home lab after rebuilding my Citrix ADC. This is a simple, straightforward walkthrough to assist anyone doing the same.
1. Generate a Private Key
First things first – in order to generate a Certificate Signing Request (CSR), we need to generate a “Private Key” that will be paired with the certificate. (The Certificate will be issued by the CA as we go through this process).
Log in to your ADC management portal and navigate to “Configuration > Traffic Management > SSL > SSL Files”. Click Keys, then click “Create RSA Key”.
- Choose a name for the RSA Key
- Enter 2048 for the Key Bit size (This could be more, but not less)
- Leave Public Exponent Value as F4
- Leave Key Format as PEM
- Leave PEM Encoding Algorithm, PEM Passphrase and Confirm PEM Passphrase blank. (The Private Key encryption feature is now obsolete).
- When you’re happy, click create.
2. Generate CSR on the ADC
Next we have to generate the Certificate Signing Request (CSR). A CSR is encoded text that contains the information which needs to be included in the certificate, along with the “Public Key”. The CSR is provided to the Certificate Authority (CA) when you request a certificate. The CSR also needs the “Private Key” (which we previously generated); this key, along with the certificate (when you obtain it from the CA), makes up the “key-pair”. Bear in mind that any certificate generated will only work with the “Private Key” that was used for the CSR; if you lose the “Private Key”, the certificate will stop working. The CSR can be generated on the Citrix ADC itself, and here’s how we do this.
Log in to your ADC and navigate to “Configuration > Traffic Management > SSL > SSL Files”. Click CSR, then click “Create certificate signing request”.
- Enter a new name for the Request File in the Request File field.
- For the Key File name field, Click “Choose File > Appliance” and choose the RSA Key you generated in the previous step (name_rsa_key)
- Leave Key Format as PEM
- Leave Key Passphrase blank (We didn’t encrypt the key with a passphrase in the previous step)
- Leave Digest Method as SHA1
- Leave Subject Alternative Name blank
- When you’re happy, click create
- Choose a common name, i.e. gateway.domain.com (
- Enter the Organization Name, Organizational Unit, Email Address, City, State or Province, and Country details.
- Leave both the Challenge Password and Company Name fields blank; these are now obsolete and not required.
Once the CSR is generated you will see it listed in the CSR list (see below).
3. View the CSR on the ADC
Hover over the CSR you created and click the (…) button (see below).
Choose “View” from the context menu to view the generated CSR code (see below).
You can now use this generated CSR code to activate the SSL Certificate with your CA. (Refer to your CA instructions on activating SSL Certificates, as CA processes differ from CA to CA).
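A check worth running before the CSR goes to the CA, added here as an example and not part of the original walkthrough: it uses the OpenSSL command line to confirm that the CSR's self-signature verifies, that the CSR was generated from the intended private key, and that the key is at least 2048 bits. The `check_csr` function name, the file names and the throwaway sample keys and CSR are constructed for the demonstration; it assumes you have copies of the key and request file from the appliance and that `openssl` is installed.

```shell
#!/bin/sh
# check_csr KEY CSR: confirm a CSR belongs to a private key before it goes to the CA.
# Returns 0 only if the self-signature verifies, the public keys match, and the
# key is at least 2048 bits (the minimum used in this walkthrough).
check_csr() {
    key=$1; csr=$2
    # 1. A CSR is signed with its own private key; a bad signature means a damaged file.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "FAIL: CSR self-signature does not verify"; return 1; }
    # 2. The public key inside the CSR must be the one derived from the private key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ] \
        || { echo "FAIL: CSR was not generated from this private key"; return 1; }
    # 3. Key size, read from the text dump ("Public-Key: (2048 bit)").
    text=$(openssl req -in "$csr" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; return 1; }
    # Report the values entered in the ADC dialog so they can be reviewed by eye.
    echo "OK: $bits-bit key matches CSR"
    echo "subject: $(openssl req -in "$csr" -noout -subject)"
    printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: /digest: /p' | head -n 1
    printf '%s\n' "$text" | grep -q "Subject Alternative Name" \
        && echo "SAN: present" || echo "SAN: none"
}

# Constructed sample data: throwaway keys and a CSR standing in for the files
# copied from the appliance (names are hypothetical).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl genrsa -out "$demo/gateway.key" 2048 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null
openssl req -new -key "$demo/gateway.key" -sha256 \
    -subj "/CN=gateway.domain.com" -out "$demo/gateway.csr"

check_csr "$demo/gateway.key" "$demo/gateway.csr"          # passes
check_csr "$demo/other.key" "$demo/gateway.csr" || true    # reports the mismatch
```

The same comparison in step 2 is what tells you, later on, whether an issued certificate can still be paired with a key you have on file.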
Once you have successfully activated and downloaded your SSL Certificate, continue to Part 2 of this blog post.