Create a self-signed certificate for your web server with PowerShell

Sometimes you need an SSL certificate just for testing your (local) web application. For anything public and trusted you'll probably use a free Let's Encrypt certificate or something similar (or, of course, one of the paid options).

And this is fine as long as you have a publicly resolvable domain name.

But what if you need a certificate for, let's say, "localhost" or "webserver.local"?

Then you'll probably use your internal PKI infrastructure or a simple self-signed certificate.

The second one can easily be produced with PowerShell, using the New-SelfSignedCertificate cmdlet (or with OpenSSL, yes 🙂).

So, let me show you how.

We have a simple IIS setup hosting a single (default) website, responding to http://localhost/.

We'll issue a new self-signed certificate, make it trusted (important! a self-signed certificate is its own root, so until it sits in the machine's Trusted Root store every browser will warn about it) and then attach it to our test website.

If everything goes well, we will see another (https) binding created in our IIS console.

And if we open https://localhost/, all should be good as well.
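The whole procedure in one script, as an added example rather than the commands from the original post. It assumes the PKI module from Windows 10 / Windows Server 2016 or later (for the -KeyAlgorithm, -HashAlgorithm and -KeyExportPolicy parameters), the WebAdministration module that ships with IIS, an elevated session, and a site called 'Default Web Site' on port 443; the site name, host name and port are placeholders to change for your setup.

```powershell
# Added example, not the original post's commands. Issues a self-signed certificate for a
# local test site, trusts it on this machine only, binds it to the IIS site and verifies.
# Site name, host name and port below are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName = 'Default Web Site'
$hostName = 'localhost'
$port     = 443

# 1. Issue the certificate into the machine store so the IIS worker process can use the key.
#    -DnsName fills the Subject Alternative Name; modern browsers ignore the CN on its own.
#    Short lifetime, SHA-256, non-exportable key: this is a test artefact, not a CA.
$cert = New-SelfSignedCertificate -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "Test certificate for $hostName" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddMonths(6)

# 2. Trust it (the step people forget). A self-signed certificate is its own root, so the
#    public part goes into LocalMachine\Root. This affects this machine only; never push a
#    self-signed test certificate into Root by group policy or copy it to other hosts.
$cerPath = Join-Path $env:TEMP "$hostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $cerPath

# 3. Add the https binding (if it is not there yet) and attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*' | Out-Null
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Verify: chain and name check the way a browser would, then a real request over TLS.
Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName -ErrorAction Stop | Out-Null
$response = Invoke-WebRequest -Uri "https://${hostName}:${port}/" -UseBasicParsing
"HTTPS binding works: HTTP $($response.StatusCode), certificate $($cert.Thumbprint)"
```

If Test-Certificate fails with an untrusted-root error, step 2 did not land in the LocalMachine Root store (a CurrentUser store is not enough for IIS or for other users on the box); if the request fails with a name mismatch, the -DnsName value does not match the host you are browsing to.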

Cheers!

NetScaler, XenMobile and SSL certificates

So, you’ve finally decided to make yourself “a small Citrix lab” (XenMobile and NetScaler), but you’re having trouble with getting all the certificates in place. Fear not, I’m here to help!

Installing the SSL certificates for NetScaler is relatively simple, but still… some steps are easily forgotten and then you need to troubleshoot.

Steps to install the SSL certificate for NetScaler (correctly) are:

  1. Install the server certificate (for example, the certificate for xms.yourdomain.com). The easiest way is to use a .PFX file (certificate plus private key), which you install through Traffic Management – SSL – Certificates – Server Certificates.
  2. Install the issuing and root CA certificates (.PEM files are fine) through Traffic Management – SSL – Certificates – CA Certificates.
  3. Create a link (right click – Link) between the server certificate and the issuing CA certificate.
  4. Create a link (right click – Link) between the issuing CA certificate and the root CA certificate. The links are what tell NetScaler which CA certificates to send along with the server certificate in the TLS handshake; without them, clients that do not already have the intermediate CA (mobile devices in particular) see an incomplete chain and fail validation.
  5. Check the certificate links on the issuing CA certificate (right click – Certificate links). There should be two: one to the server certificate, the other to the root certificate.
  6. Select the imported certificate for NetScaler Gateway usage.
  7. Select the imported certificate for the (SSL) virtual servers as well. If you're running NetScaler appliances in HA mode, force a synchronization so the partner gets the certificate and its links too.
  8. Check whether the certificates are installed properly (for example, by opening the MAM interface with your browser – https://mam.yourdomain.com/ or https://mam.yourdomain.com:8443/).
  9. Check that the certificate chain is in order as well – https://www.digicert.com/help/.

For XenMobile Server, there is some preparation work to do, to get it all right. Basically, you’ll need to combine all the (.PEM) certificate files into one, upload that to XenMobile Server, and restart.

Steps are:

  1. Combine the individual (.PEM) certificate files (server, issuing CA and root CA) into one .PEM file, in that order, by following the instructions on this DigiCert site (Notepad is enough, but save as plain text: the markers are five ASCII hyphens on each side, and a file whose markers have been turned into "smart" dashes by a word processor will not parse). Your final .PEM file should look like this:

     -----BEGIN CERTIFICATE-----
     (server_certificate.pem content)
     -----END CERTIFICATE-----

     -----BEGIN CERTIFICATE-----
     (issuing_ca_certificate.pem content)
     -----END CERTIFICATE-----

     -----BEGIN CERTIFICATE-----
     (root_ca_certificate.pem content)
     -----END CERTIFICATE-----

  2. Upload the combined (.PEM) certificate file to XenMobile Server.
  3. Restart all the XenMobile Server nodes (one by one).
  4. Check whether the nodes picked up the certificate change (for example, by opening the XenMobile Server management interface with your browser – https://{node’s_IP_address}:4443).
  5. Check that the certificate chain is in order as well – https://www.digicert.com/help/.
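The preparation step and both chain checks (the last two NetScaler steps above and the last two XenMobile steps) in PowerShell, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or PowerShell 7 on a machine that can reach the appliance; the file names, host names and port are placeholders.

```powershell
# Added example, not code from the original post. Builds the combined .PEM that
# XenMobile Server expects (server, then issuing CA, then root CA), verifies the
# order and the signatures, and fetches the chain an endpoint actually serves.
# File names, host names and ports are placeholders.
using namespace System.Security.Cryptography.X509Certificates

function Get-PemCertificates {
    # Parse every BEGIN/END CERTIFICATE block in a file, preserving file order.
    param([Parameter(Mandatory)][string]$Path)
    $text    = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($der)
    }
}

function Test-PemChainOrder {
    # XenMobile reads the bundle top-down, so block N must be issued by block N+1 and the
    # last block must be the self-signed root. The issuer/subject comparison catches a wrong
    # order or a missing intermediate; the X509Chain build then proves the signatures really
    # match, which a name comparison alone cannot.
    param([Parameter(Mandatory)][string]$Path)
    $certs = @(Get-PemCertificates -Path $Path)
    if ($certs.Count -lt 2) { throw "$Path must contain the server certificate and at least one CA certificate" }
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            throw "Wrong order or missing CA: block $($i + 1) ('$($certs[$i].Subject)') was not issued by block $($i + 2) ('$($certs[$i + 1].Subject)')"
        }
    }
    if ($certs[-1].Subject -ne $certs[-1].Issuer) { throw "The last block is not a self-signed root CA" }

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($ca in $certs[1..($certs.Count - 1)]) { $null = $chain.ChainPolicy.ExtraStore.Add($ca) }
    $null = $chain.Build($certs[0])
    # UntrustedRoot is expected on a workstation that does not trust this PKI; anything else is a defect.
    $bad = @($chain.ChainStatus | Where-Object { $_.Status -ne [X509ChainStatusFlags]::UntrustedRoot })
    if ($bad.Count) { throw "Chain does not verify: $(($bad | ForEach-Object { $_.Status }) -join ', ')" }

    # The post's closing reminder: no SHA-1 signatures below the root (a root's self-signature is not used for trust).
    foreach ($c in $certs[0..($certs.Count - 2)]) {
        if ($c.SignatureAlgorithm.FriendlyName -match 'sha1') { throw "$($c.Subject) is still signed with SHA-1" }
    }
    $certs
}

function New-CombinedPem {
    # Concatenate the three files in the required order as plain ASCII with Unix line endings
    # and no byte-order mark, then validate the result before it goes anywhere near the appliance.
    param(
        [Parameter(Mandatory)][string]$ServerPem,
        [Parameter(Mandatory)][string]$IssuingCaPem,
        [Parameter(Mandatory)][string]$RootCaPem,
        [Parameter(Mandatory)][string]$OutFile
    )
    $parts = foreach ($p in $ServerPem, $IssuingCaPem, $RootCaPem) { (Get-Content -Path $p -Raw).Trim() }
    Set-Content -Path $OutFile -Value (($parts -join "`n`n") + "`n") -NoNewline -Encoding Ascii
    Test-PemChainOrder -Path $OutFile
}

function Get-ServedCertificateChain {
    # Open a TLS connection and return the chain .NET built from what the server sent, leaf
    # first, plus any policy errors. Caveat: Windows may complete a chain from its own store
    # or by AIA download, so a chain that looks fine from a domain workstation can still be
    # missing an intermediate for a phone that has never seen that CA. The external checker
    # linked in the post remains the final word.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ HostName = $HostName; Certificates = @(); PolicyErrors = 'None' }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $result.Certificates = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $result.PolicyErrors = $sslPolicyErrors.ToString()
        $true   # diagnostic connection only; the verdict is recorded, not enforced
    }.GetNewClosure()
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally { $tcp.Dispose() }
    [pscustomobject]$result
}

# Usage (placeholder paths and host):
# New-CombinedPem -ServerPem .\xms.pem -IssuingCaPem .\issuing_ca.pem -RootCaPem .\root_ca.pem -OutFile .\xms_chain.pem
# (Get-ServedCertificateChain -HostName mam.yourdomain.com).Certificates | Format-Table Subject, Issuer, NotAfter, Thumbprint
```

Run New-CombinedPem before uploading and Get-ServedCertificateChain after the restart: the first one throws on the two mistakes that cost the most troubleshooting time (blocks in the wrong order, or an intermediate that is simply missing), the second shows whether the appliance now sends the intermediate at all and whether the subject matches the name you connected to.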

And… that’s it!

Oh, yeah – in case you've been living under a rock… don't use SHA-1 signed certificates anymore. Browsers stopped trusting them, so every certificate in the chain below the root should be signed with SHA-256 (info).

Cheers!