How to Transfer Certificates from IIS to the NetScaler
Summary

This document describes in detail the procedures necessary for converting existing SSL certificates and keys exported from Microsoft IIS servers into the format required by NetScaler devices.

Background

Keys and certificates for Secure Sockets Layer (SSL) acceleration (SSL Offload) on the NetScaler may be obtained by three methods:

• Obtaining a certificate from an authorized Certification Authority (CA)
• Using an existing certificate and key
• Generating a new key and self-signed certificate on the NetScaler system

Note: The option to use a self-signed certificate presents a security risk and is not recommended for use outside of testing environments.

NetScaler systems support two encoding formats for certificates and keys: PEM and DER. If existing certificates and keys are to be used, they must be converted to one of these formats before installation on the NetScaler system.

Certificates exported from Microsoft IIS servers permit the storage of more than one certificate in a single file, in the following formats:

• PKCS (Public Key Cryptography Standard) #12 (.PFX, .P12)
• PKCS #7 (.P7B)

Such files may be used to store all certificates in the certification path (between the server certificate and the root CA's certificate, including the certificates of all intermediate CAs). However, NetScaler systems require explicit bindings between certificates and keys, and so do not support the storage of multiple certificates within a single file. In order to use PKCS #7 and PKCS #12 certificates for SSL encryption/decryption on the NetScaler, it is necessary to extract the individual certificates from the existing file and bind them.

The OpenSSL Project maintains an open source toolkit which implements the SSL v2/v3 and Transport Layer Security (TLS v1) protocols and provides a general cryptography library. The OpenSSL toolkit can be used to convert keys and certificates between formats.

Procedure

Note: The following steps may be carried out on the NetScaler device itself (within the BSD shell), or on a UNIX-based system with the OpenSSL toolkit installed.

Export the Certificate from IIS

Note: There are many ways to do this, but this method ensures that the appropriate certificate and private key for the Web site are exported. This procedure must be done on the actual IIS server.

1. Open the Internet Information Services (IIS) Manager administration tool.
2. Expand the Web Sites node and locate the SSL-enabled Web site you want to serve through the NetScaler.
3. Right-click this Web site and click Properties.
4. Click the Directory Security tab and, in the Secure Communications section of the window, click View Certificate.
5. Click the Details tab and click Copy to File.
6. Click Next on the Welcome to the Certificate Export Wizard page.
7. Select Yes, export the private key and click Next.
   Note: The private key MUST be exported for SSL Offload to work on the NetScaler. If the option to export the private key is unavailable, refer to Microsoft article 232154 - IIS: Export Private Key Option is Grayed When Exporting a Server Certificate.
8. Ensure that the Personal Information Exchange - PKCS #12 radio button is selected and select ONLY the Include all certificates in the certification path if possible check box. Click Next.
9. Enter a password and click Next.
10. Enter a file name and location and click Next. Give the file an extension of .PFX.
11. Click Finish.

Convert the PKCS #12 Certificate and Install It on the NetScaler

1. Move the exported .PFX certificate file to a location from which it may be copied to the NetScaler (i.e., a machine that permits SSH access to the NetScaler's management interface). Copy the certificate onto the NetScaler using a secure copy utility such as pscp.

2. In the BSD shell, convert the certificate (for example, cert.PFX) to PEM format:

       root@ns# openssl pkcs12 -in cert.PFX -out cert.PEM

3. Ensure that the converted certificate is in correct X.509 format (verify that the following command produces no error):

       root@ns# openssl x509 -in cert.PEM -text

   Check that the certificate file contains a private key by issuing the command:

       root@ns# cat cert.PEM

   Look at the output (example shown below) and check for a section of the file corresponding to:

       -----BEGIN RSA PRIVATE KEY-----
       Mkm^s9KMs9023pz/s...
       -----END RSA PRIVATE KEY-----

   The following is the RSA PRIVATE KEY section:

       Bag Attributes
           1.3.6.1.4.1.311.17.2: <No Values>
           localKeyID: 01 00 00 00
           Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
           friendlyName: 4b9cef4cc8c9b849ff5c662fd3e0ef7e_76267e3e-6183-4d45-886e-6e067297b38f
       Key Attributes
           X509v3 Key Usage: 10
       -----BEGIN RSA PRIVATE KEY-----
       Proc-Type: 4,ENCRYPTED
       DEK-Info: DES-EDE3-CBC,43E7ACA5F4423968

       pZJ2SfsSVqMbRRf6ug37Clua5gY0Wld4frPIxFXyJquUHr31dilW5ta3hbIaQ+Rg
       ... (more random characters)
       v8dMugeRplkaH2Uwt/mWBk4t71Yv7GeHmcmjafK8H8iW80ooPO3D/ENV8X4U/tlh
       5eU6ky3WYZ1BTy6thxxLlwAullynVXZEflNLxq1oX+ZYl6djgjE3qg==
       -----END RSA PRIVATE KEY-----

   The following is the SERVER CERTIFICATE section:

       Bag Attributes
           localKeyID: 01 00 00 00
           friendlyName: AG Certificate
       subject=/C=AU/ST=NSW/L=Wanniassa/O=Dave Mother Asiapacific/OU=Support/CN=davemother.food.lan
       issuer=/DC=lan/DC=food/CN=hotdog
       -----BEGIN CERTIFICATE-----
       MIIFiTCCBHGgAwIBAgIKCGryDgAAAAAAHzANBgkqhkiG9w0BAQUFADA8MRMwEQYK
       ... (more random characters)
       5pLDWYVHhLkA1pSxvFjNJHRSIydWHc5ltGyKqIUcBezVaXyel94pNSUYx07NpPV/
       MY2ovQyQZM8gGe3+lGFum0VHbv/y/gB9HhFesog=
       -----END CERTIFICATE-----

   The following is the INTERMEDIATE CA CERTIFICATE section:

       Bag Attributes: <Empty Attributes>
       subject=/DC=lan/DC=food/CN=hotdog
       issuer=/DC=lan/DC=food/CN=hotdog
       -----BEGIN CERTIFICATE-----
       MIIESDCCAzCgAwIBAgIQah20fCRYTY9LRXYMIRaKGjANBgkqhkiG9w0BAQUFADA8
       ... (more random characters)
       Nt0nksawDnbKo86rQcNnY5xUs7c7pj2zxj/IOsgNHUp5W6dDI9pQoqFFaDk=
       -----END CERTIFICATE-----

   Further intermediate CA certificates may follow, depending on the certification path of the exported certificate.

4. Open the .PEM file in a text editor and extract the following sections:

   a. Locate the first line in the file reading:

          -----END CERTIFICATE-----

      All contents of the file from the start of the file up to and including this line should be copied and pasted into a new file. Call this file something intuitive, such as cert-key.pem. This is the certificate-key pair for the server hosting the HTTPS service. This file should contain both the sections labeled RSA PRIVATE KEY and SERVER CERTIFICATE in the example above. Be sure that this is the first -----END CERTIFICATE----- appearing in the file.
      Note: The certificate-key pair file contains the private key and hence must be kept secure.

   b. Any subsequent sections of the file of the form:

          -----BEGIN CERTIFICATE-----
          Ums934msJcJ/jnsKjn...
          -----END CERTIFICATE-----

      correspond to certificates of trusted CAs that have been included in the certification path. These sections should be copied and pasted into new individual files, one per certificate (the INTERMEDIATE CA CERTIFICATE section of the example above should be copied into a new file). If the original file contains multiple intermediate CA certificates, create a new file for each one in the order in which they appear in the file. Keep track (using appropriate filenames) of the order in which the certificates appear, as they need to be linked together in the correct order in a later step.

5. Copy the key-certificate file (cert-key.pem) and any further CA certificate files into the /nsconfig/ssl directory on the NetScaler.

6. Exit the BSD shell and access the NetScaler prompt. Execute the command (on one line):

       > add ssl certkey <server_certkey_name> -cert cert-key.pem -key cert-key.pem -password <string>

   Note: The -password <string> parameter is required if the private key was exported with password protection.

7. Bind the certkey to the virtual server hosting the SSL service:

       > bind ssl certkey <vserver_name> <server_certkey_name>

8. If there are additional certificates included in the certification path (see step 4b), copy these files to the /nsconfig/ssl directory and execute the following commands at the NetScaler prompt (assuming the CA certificate is called CA-1.pem):

       > add ssl certkey <CA-1_certkey_name> -cert CA-1.pem
       > link ssl certkey <server_certkey_name> <CA-1_certkey_name>

   Repeat this step for any further CA certificates, substituting the previously linked certificate in the path for the server certkey. Example:

       > add ssl certkey <CA-2_certkey_name> -cert CA-2.pem
       > link ssl certkey <CA-1_certkey_name> <CA-2_certkey_name>

9. Test functionality by establishing an HTTPS session to the relevant service with a Web browser. If the browser throws a warning message regarding certificate validity, troubleshoot as a normal certificate issue; for example, check that the Common Name (CN) specified in the certificate matches the Fully Qualified Domain Name (FQDN) used to access the HTTPS site. Such parameters can be checked using the output of the shell command:

       openssl x509 -in <certificate file> -text

Alternative Procedure to Convert the Certificate and Install on NetScaler

Alternatively, you can copy and paste the key and server certificate into separate files, say server-cert.pem and key.pem. Copy these two files into the /nsconfig/ssl directory. Create a certkey on the NetScaler from the separate files with the command (on one line):

    > add ssl certkey <server_certkey_name> -cert server-cert.pem -key key.pem -password <string>

Then bind the certkey to the vserver as in step 7 above. This procedure has the same result, and may be required if there are unexpected characters or line breaks in the PEM file.

To Convert a PKCS #7 Certificate

Converting a PKCS #7 certificate into a format recognisable by the NetScaler may also be done using openssl. The procedure is identical to that for PKCS #12 certificates, except that openssl must be invoked with different parameters to convert the PKCS #7 certificate to PEM format. The steps for converting a PKCS #7 certificate are as follows:

1. Copy the certificate onto the NetScaler using pscp or similar.
2. Convert the certificate (say cert.P7B) to PEM format:

       > openssl pkcs7 -inform DER -in cert.p7b -print_certs -text -out cert.pem

3. Follow steps 3 through 9 as for PKCS #12 certificates, described above.

Note: Before loading the converted PKCS #7 certificate into the NetScaler, be sure to verify that it contains a private key, exactly as described in step 3 of the PKCS #12 procedure. PKCS #7 certificates, particularly those exported from IIS, do not typically contain a private key.

More Information

Instructions for installing the OpenSSL toolkit on an arbitrary system can be found in CTX106627 - How to Install the OpenSSL Toolkit. For more information about OpenSSL, refer to the OpenSSL Web site.

More information on exporting certificates from IIS may be found in Microsoft article 232136 - How to back up a server certificate in Internet Information Services 5.0.
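As an added worked example (not part of the Citrix article), the following POSIX shell script automates step 4 of the PKCS #12 procedure, splitting cert.PEM into cert-key.pem and ordered CA-N.pem files, and prints the step 6 and step 8 commands in the correct link order; it also raises the step 3 warning when no private key is present, which is the usual case for a PKCS #7 export. It assumes the key precedes its certificate in the file, as in the IIS export above; write_sample, split_pem, ns_commands and the certkey names are invented for the example, and the PEM bodies are placeholders.

```sh
# Added example, not code from the Citrix article: automates step 4 and prints the CLI for steps 6 and 8.
# write_sample FILE: constructed stand-in for `openssl pkcs12 -in cert.PFX -out cert.PEM` output; bodies are placeholders.
write_sample() {
  cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000
PLACEHOLDER-KEY-BODY
-----END RSA PRIVATE KEY-----
Bag Attributes: <Empty Attributes>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-1-CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-2-CERT
-----END CERTIFICATE-----
EOF
}

# split_pem IN OUTDIR: everything up to the first -----END CERTIFICATE----- becomes cert-key.pem;
# each later certificate becomes CA-1.pem, CA-2.pem, ... in file order. Only the armoured blocks are
# kept (OpenSSL's PEM reader ignores the Bag Attributes text). Prints the number of CA certs written.
split_pem() {
  mkdir -p "$2"
  awk -v out="$2" '
    /^-----BEGIN /               { inblock = 1 }
    inblock                      { buf = buf $0 "\n" }
    /^-----END .*PRIVATE KEY---/ { inblock = 0 }   # key waits in buf for its certificate
    /^-----END CERTIFICATE-----/ { n++
      if (n == 1) f = out "/cert-key.pem"; else f = out "/CA-" (n - 1) ".pem"
      printf "%s", buf > f; close(f); buf = ""; inblock = 0 }
    END { printf "%d\n", (n ? n - 1 : 0) }' "$1"
  grep -q 'PRIVATE KEY' "$2/cert-key.pem" && chmod 600 "$2/cert-key.pem" ||
    echo "warning: no private key in cert-key.pem (PKCS #7 exports usually lack one)" >&2
}

# ns_commands NAME OUTDIR: NetScaler CLI for steps 6 and 8; each CA certkey links to the one below it.
ns_commands() {
  prev="$1"; dir="$2"; pw=""; i=1
  grep -q '^Proc-Type: 4,ENCRYPTED' "$dir/cert-key.pem" && pw=" -password <string>"
  echo "add ssl certkey $prev -cert cert-key.pem -key cert-key.pem$pw"
  while [ -f "$dir/CA-$i.pem" ]; do
    echo "add ssl certkey CA-${i}_certkey -cert CA-$i.pem"
    echo "link ssl certkey $prev CA-${i}_certkey"
    prev="CA-${i}_certkey"; i=$((i + 1))
  done
}
```

Run it on a real cert.PEM with `split_pem cert.PEM out && ns_commands <server_certkey_name> out`, then review the printed commands before pasting them at the NetScaler prompt.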