OpenSSL Commands to Convert SSL Certificates


OpenSSL Commands to Convert SSL Certificates on Your Machine
It is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so that the private key never leaves it. Use the following OpenSSL commands to convert SSL certificates between formats on your own machine:
OpenSSL Convert PEM
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OpenSSL Convert DER
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
OpenSSL Convert P7B
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
OpenSSL Convert PFX
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
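An added example, not part of the original page: a POSIX shell script that runs the conversions above on a constructed throwaway certificate and checks, by SHA-256 fingerprint, that each round trip (DER, P7B, PFX) returns the same certificate. The file names match the commands above; the subject name and export password are assumptions.

```shell
#!/bin/sh
# Round-trip one certificate through DER, P7B and PFX with the commands above and
# confirm that each conversion preserved it (and that the PFX still carries the key).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# Constructed input: a throwaway 2048-bit RSA key and a self-signed certificate.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=conv.example.test" \
    -keyout "$1/privateKey.key" -out "$1/certificate.pem" 2>/dev/null
}

# SHA-256 fingerprint of the first certificate in a PEM file: the identity we compare.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Prints "ok" when all three round trips return the same certificate, "mismatch" otherwise.
roundtrip_check() {
  d=$(mktemp -d)
  make_test_cert "$d"
  want=$(fp "$d/certificate.pem")

  # PEM -> DER -> PEM
  openssl x509 -outform der -in "$d/certificate.pem" -out "$d/certificate.der"
  openssl x509 -inform der -in "$d/certificate.der" -out "$d/from_der.pem"

  # PEM -> P7B -> PEM (certificates only; -nocrl means no revocation list is packed in)
  openssl crl2pkcs7 -nocrl -certfile "$d/certificate.pem" -out "$d/certificate.p7b"
  openssl pkcs7 -print_certs -in "$d/certificate.p7b" -out "$d/from_p7b.pem"

  # PEM -> PFX -> PEM. The export password protects the private key inside the PFX;
  # -nodes on the way back writes that key out unencrypted, so protect the output file.
  openssl pkcs12 -export -out "$d/certificate.pfx" -inkey "$d/privateKey.key" \
    -in "$d/certificate.pem" -passout pass:changeit
  openssl pkcs12 -in "$d/certificate.pfx" -out "$d/from_pfx.pem" -nodes -passin pass:changeit

  result=ok
  for f in from_der from_p7b from_pfx; do
    [ "$(fp "$d/$f.pem")" = "$want" ] || result=mismatch
  done
  # The PFX round trip must also bring the private key back out.
  grep -q "PRIVATE KEY" "$d/from_pfx.pem" || result=mismatch
  rm -rf "$d"
  echo "$result"
}

roundtrip_check
```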

ERROR: Certificate and private key do not match


Symptoms
When trying to install a Certificate-Key Pair (certificate and private key) on a NetScaler appliance, the following error message appears:
“Certificate and private key do not match”
Cause
The private key is not the same file used to create the certificate signing request for that particular certificate.
Resolution
Verify the modulus of the private key, certificate signing request and certificate, and confirm that the files really match, by issuing the following CLI commands:
Certificate:
openssl x509 -in certfile_name -noout -modulus
Private Key:
openssl rsa -in key_file_name -noout -modulus
Certificate Signing Request:
openssl req -in csr_file_name -noout -modulus
Sample Output of matching files:
*Certificate*
root@ns# openssl x509 -in example.com.cer -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC
5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF2
62C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B2
72B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327
*Private Key*
root@ns# openssl rsa -in example.com.key -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC
5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF2
62C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B2
72B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327
*Certificate Signing Request*
root@ns# openssl req -in example.com.csr -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC
5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF2
62C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B2
72B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327
Notice how the Modulus field is a perfect match on the three files.
To resolve this issue, attempt the installation of the Certificate-Key Pair using matching private key and certificate files.
If the private key is no longer accessible, generate a new private key and certificate signing request on the NetScaler and request a new certificate from your Certificate Authority.
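The modulus comparison above, as an added example that is not part of the original article: a POSIX shell script that hashes the modulus so the long hex values become one comparable token, and adds a public-key comparison that also works for EC certificates, where -modulus does not apply. All keys, certificates and file names are constructed test data.

```shell
#!/bin/sh
# Check that a certificate, private key and CSR belong together, the way the page does
# (RSA modulus) and a second way that also covers EC keys (public key comparison).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# Page's method: hash the RSA modulus so a long hex blob becomes one comparable token.
# $1 is the openssl subcommand for the file kind (x509 | rsa | req), $2 the file.
modulus_hash() {
  openssl "$1" -in "$2" -noout -modulus | openssl sha256 | cut -d' ' -f2
}

# General method: compare the SubjectPublicKeyInfo. `openssl rsa -modulus` cannot be
# used for EC keys, but the public key can always be compared.
pubkey_hash() {
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
  esac | openssl sha256 | cut -d' ' -f2
}

# 0 when the certificate's public key equals the private key's public half, 1 otherwise.
certkey_match() { [ "$(pubkey_hash x509 "$1")" = "$(pubkey_hash key "$2")" ]; }

# Constructed data: an RSA key with its CSR and self-signed cert, an unrelated RSA key,
# and an EC key with its cert. Prints one line per check.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
    -keyout "$d/example.key" -out "$d/example.cer" 2>/dev/null
  openssl req -new -key "$d/example.key" -subj "/CN=example.test" -out "$d/example.csr"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=ec.example.test" -days 1 -keyout "$d/ec.key" -out "$d/ec.cer" 2>/dev/null
  m=$(modulus_hash rsa "$d/example.key")
  [ "$(modulus_hash x509 "$d/example.cer")" = "$m" ] && echo "modulus cert/key: match"
  [ "$(modulus_hash req "$d/example.csr")" = "$m" ] && echo "modulus csr/key: match"
  certkey_match "$d/example.cer" "$d/example.key" && echo "pubkey cert/key: match"
  certkey_match "$d/example.cer" "$d/other.key" || echo "pubkey cert/other.key: MISMATCH"
  certkey_match "$d/ec.cer" "$d/ec.key" && echo "pubkey ec cert/key: match"
  rm -rf "$d"
}

demo
```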

NetScaler Password Recovery Procedure


Summary
This document contains information about recovering the password of the NetScaler appliance.
Recovering the Password for a NetScaler Appliance
At times, you might need to recover the password for a NetScaler appliance if its user has forgotten it. To recover the password for the NetScaler appliance, complete the following procedure:
Note: Refer to the transcript in the More Information section for the complete list of the various commands run on the appliance and the respective output.
  1. Attach a console cable to the Serial Console (9600 baud, 8 bits, 1 stop bit, No parity) of the NetScaler appliance.
  2. Restart the NetScaler appliance.
  3. Press any of the following keys, as prompted:
    Press Spacebar when the following message is displayed:
    Hit [Enter] to boot immediately, or any other key for command prompt
    Booting [kernel] in 10 seconds
    Press Ctrl and C keys simultaneously when the following message is displayed:
    Press [Ctrl-C] for command prompt, or any other key to boot immediately.
    Booting [kernel] in 2 seconds...
  4. To start the appliance kernel in single user mode, enter the following command:
    boot -s
    Note: If boot -s does not work, then try reboot -- -s and the appliance will reboot in single user mode.
  5. Press Enter when the following message is displayed:
    Enter full pathname of shell or RETURN for /bin/sh:
    Note: Notice that the prompt of the appliance changes to \u@\h\$.
  6. Run the following command to check the disk consistency:
    \u@\h\$ /sbin/fsck /dev/ad0s1a
  7. Run the following command to display the mounted partitions:
    df
  8. Run the following command to mount the flash drive:
    \u@\h\$ /sbin/mount /dev/ad0s1a /flash
    If the preceding command fails to mount the flash drive, then run the following command to create the flash directory and then run the preceding command again to mount the drive:
    \u@\h\$ mkdir /flash
  9. Run the following command to change to the nsconfig directory:
    \u@\h\$ cd /flash/nsconfig
  10. Run the following set of commands to rewrite the ns.conf file and remove the set system commands defaulting to the nsroot user:
    a. Run the following command to create a new configuration file that does not have commands defaulting to the nsroot user:
    \u@\h\$ grep -v "set system user nsroot" ns.conf > new.conf
    b. Run a command similar to the following command to make a backup of the existing configuration file:
    \u@\h\$ mv ns.conf old.ns.conf
    c. Run the following command to rename the new.conf file to ns.conf:
    \u@\h\$ mv new.conf ns.conf
  11. Run the following command to restart the appliance:
    reboot
  12. Log in to the appliance by using the default nsroot user credentials.
  13. Run the following command to reset the nsroot user password to one of your choice:
    > set system user nsroot
More Information
The following is a transcript of the complete procedure to recover the password of the NetScaler appliance:

Console: serial port
BIOS drive C: is disk0
BIOS drive D: is disk1
BIOS 637kB/1046500kB available memory

FreeBSD/i386 bootstrap loader, Revision 0.8
(murray@builder.FreeBSD.org, Tue Sep 18 10:05:43 PDT 2001)
Loading /boot/defaults/loader.conf
ns-6.1-86.1 text=0x4b6260 data=0x64908d0+0x5b50f4


Hit [Enter] to boot immediately, or any other key for command prompt.

Booting [kernel] in 2 seconds...

Type '?' for a list of commands, 'help' for more detailed help.
ok boot -s

Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.9-NETSCALER-6.1 #0: Tue Dec 6 00:52:06 PST 2005
build@amber.netscaler.com:/usr/obj/usr/home/build/rs_61/usr.src/sys/NETSCALER
Calibrating clock(s) ...



Mounting root from ufs:/dev/md0c
da0 at ahc0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-3 device
da0: Serial Number 3JA9380Z00007453SCPE
da0: 160.000MB/s transfers (80.000MHz, offset 63, 16bit), Tagged Queueing Enabled
da0: 35003MB (71687372 512 byte sectors: 255H 63S/T 4462C)
md0: invalid primary partition table: no magic
start_init: trying /sbin/init
Enter full pathname of shell or RETURN for /bin/sh:
\u@\h\$
\u@\h\$ /sbin/fsck /dev/ad0s1a
ad0s1: type 0xa5, start 32, end = 500735, size 500704 : OK
** /dev/ad0s1a
** Last Mounted on /flash
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
7594 files, 178477 used, 64114 free (7250 frags, 7108 blocks, 3.0% fragmentation)

***** FILE SYSTEM MARKED CLEAN *****
\u@\h\$ /sbin/mount /dev/ad0s1a /flash
ad0s1: type 0xa5, start 32, end = 500735, size 500704 : OK
\u@\h\$ cd /flash/nsconfig
\u@\h\$ df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0c 100750 86088 12648 87% /
/dev/ad0s1a 242591 178477 44707 80% /flash
\u@\h\$ grep -v "set system user nsroot" ns.conf > new.conf
\u@\h\$ mv ns.conf old.ns.conf
\u@\h\$ mv new.conf ns.conf
\u@\h\$ reboot
Waiting (max 60 seconds) for system process `vnlru' to stop...stopped
Waiting (max 60 seconds) for system process `bufdaemon' to stop...stopped
Waiting (max 60 seconds) for system process `syncer' to stop...stopped

syncing disks...
done
Uptime: 17m53s
Rebooting...


Hit [Enter] to boot immediately, or any other key for command prompt.

Booting [kernel] in 2 seconds...
Booting [kernel] in 1 second...
Booting [kernel]...



Feb 28 20:15:40 10.178.35.81 02/28/2006:20:15:35 GMT ns : EVENT STATECHANGE : Device "self node 10.178.35.81" - State UP

nssyslog nsvpnlog daemon

nsconmsg:Netscaler Syslog Daemon Starting....

nsconmsg:Netscaler Syslog Daemon Starting....

Displaying accesslogs information
Performance Data Record Version 2.0
Started
Feb 28 20:15:52 ns netscaler: self node 10.178.35.81: UP

login: nsroot
Password:
Last login: Tue Feb 28 13:33:47 from 10.153.38.125
Done

Generate and Install self signed SSL for New VIP on Netscaler

Create self-signed SSL certificate:
======================

1) create ssl rsakey /nsconfig/ssl/test-ca.key 1024
2) create ssl certreq /nsconfig/ssl/test-ca.csr -keyFile /nsconfig/ssl/test-ca.key

Here we need to fill in the following details:
Country Name (2 letter ISO code): XX
State or Province Name (full name): xxxxx
Locality Name (eg, city): xxxxx
Organization Name (eg, company): xxxxx
Organization Unit Name (eg, section):
Common Name (eg, Domain Name): xxxxx
Email Address:
Once we have created the certificate signing request:

3) create ssl cert /nsconfig/ssl/test-ca.cer /nsconfig/ssl/test-ca.csr ROOT_CERT -keyfile /nsconfig/ssl/test-ca.key

4) create ssl rsakey /nsconfig/ssl/test-server.key 1024

5) create ssl certreq /nsconfig/ssl/test-server.csr -keyFile /nsconfig/ssl/test-server.key

Here we need to fill in the following details:
Country Name (2 letter ISO code): XX
State or Province Name (full name): xxxxx
Locality Name (eg, city): xxxxx
Organization Name (eg, company): xxxxx
Organization Unit Name (eg, section):
Common Name (eg, Domain Name): xxxxx
Email Address:
Once we have created the certificate signing request:


6) shell
root@ns# echo '01' > /nsconfig/ssl/serial.txt
root@ns# exit
logout

7) create ssl cert /nsconfig/ssl/test-server.cer /nsconfig/ssl/test-server.csr SRVR_CERT -CAcert /nsconfig/ssl/test-ca.cer -CAkey /nsconfig/ssl/test-ca.key -CAserial /nsconfig/ssl/serial.txt

8) add ssl certkey test-certkey -cert /nsconfig/ssl/test-server.cer -key /nsconfig/ssl/test-server.key

9) bind ssl vserver -certkeyName test-certkey
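An added example, not part of the original page: the same CA-and-server-certificate flow done with plain OpenSSL on a workstation, followed by the checks worth running before loading the pair with add ssl certkey. File names follow the steps above; the hostname vip.example.test and the 2048-bit key size are assumptions (1024-bit RSA as in the steps above should no longer be used for new keys).

```shell
#!/bin/sh
# Plain-OpenSSL version of steps 1-7, followed by the checks worth running before
# `add ssl certkey`: does the server cert chain to the CA, and was the serial consumed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# $1 = working directory. Extensions for the CA cert are written explicitly so the
# result does not depend on the OpenSSL version's defaults.
build_chain() {
  d="$1"
  # Steps 1-3: CA key, CA CSR, self-signed CA certificate (ROOT_CERT)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/test-ca.key" 2>/dev/null
  openssl req -new -key "$d/test-ca.key" -subj "/CN=test-ca" -out "$d/test-ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/test-ca.csr" -signkey "$d/test-ca.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/test-ca.cer" 2>/dev/null
  # Steps 4-5: server key and CSR for the VIP's hostname (assumed name)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/test-server.key" 2>/dev/null
  openssl req -new -key "$d/test-server.key" -subj "/CN=vip.example.test" -out "$d/test-server.csr"
  # Step 6: serial file; the CA reads it, uses the next value and writes it back
  echo '01' > "$d/serial.txt"
  # Step 7: the CA signs the server CSR (SRVR_CERT)
  openssl x509 -req -in "$d/test-server.csr" -CA "$d/test-ca.cer" -CAkey "$d/test-ca.key" \
    -CAserial "$d/serial.txt" -days 1 -out "$d/test-server.cer" 2>/dev/null
}

# Prints "ok", or the name of the first failing check.
verify_chain() {
  w=$(mktemp -d)
  build_chain "$w"
  # The server cert must validate against the CA we just built
  if ! openssl verify -CAfile "$w/test-ca.cer" "$w/test-server.cer" >/dev/null 2>&1; then
    echo chain; return
  fi
  # A second signing must not reuse a serial: the file must have moved past 01
  [ "$(cat "$w/serial.txt")" != "01" ] || { echo serial; return; }
  # The issuer must be the CA, not the server itself (i.e. not accidentally self-signed)
  openssl x509 -in "$w/test-server.cer" -noout -issuer | grep -q "test-ca" || { echo issuer; return; }
  rm -rf "$w"
  echo ok
}

verify_chain
```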

How to use ISO image on SPLAT instead of a CD for upgrade

In some cases it is easier to use an ISO image file instead of an actual CD to upgrade a SPLAT device. There are several reasons for that: no physical access to your server, upgrading a SMART-1 or any other appliance where no CD-ROM drive is installed, etc.

Remember, you only need a CD for major upgrade, such as going from R65 to R70.

Let's see how it is done.

First, check that you have enough space on the hard drive. Use the df -h command to see where you have enough space, and allow some extra for the upgrade operations.

Then create a folder to put the ISO file in. The best place is the /var partition. Run mkdir /var/temp/"your ISO folder" and transfer your CD image there.

Now it is time to mount it. Run mount -t iso9660 -o loop /var/temp/"your ISO folder"/"your ISO file".iso /mnt/cdrom.

Check that it is mounted correctly with ls /mnt/cdrom.

Now you can run patch add cd and do the upgrade. Good luck.

Just one last note. You may not want to take a snapshot during the upgrade procedure. If you absolutely need to make a snapshot, do it before transferring the ISO and mounting it, and do not forget to save it on an external server.