bg-tutorials

How to Generate a CSR in NetScaler

This guide shows you how to generate a CSR (Certificate Signing Request) on NetScaler, the load balancer and application delivery controller formerly sold as Citrix ADC. You will create an RSA private key, build the CSR with the matching Distinguished Name and Subject Alternative Name entries, copy the encoded request, and send it to your Certificate Authority. The same flow works in the NetScaler GUI on the current 14.1 LTS and 13.1 builds; the optional CLI section at the end runs on any modern release.

Note on the name: the product was originally called NetScaler, rebranded to Citrix ADC in 2018, then renamed back to NetScaler in October 2022 when Cloud Software Group spun NetScaler out as a separate brand. You may still see “Citrix ADC” in older firmware, menus, and documentation; the CSR steps below are identical for both names.

Sign in to the NetScaler appliance (MPX, SDX, VPX, or CPX) as a user with rights to write to /nsconfig/ssl/, then follow the steps in order.

Step 1: Create the RSA private key

NetScaler keeps the private key as a file in /nsconfig/ssl/ and references it by name when you build the CSR and, later, when you install the issued certificate. Create the key first:

  • In the GUI, go to Configuration > Traffic Management > SSL > SSL Files.
  • Open the SSL Keys tab and click Create RSA Key.

Fill in the Create RSA Key window:

  • Key Filename: a name for the key file, for example yourdomain-2026.key. NetScaler writes it to /nsconfig/ssl/ by default.
  • Key Size (bits): 2048 is the current minimum every public CA accepts. Pick 3072 or 4096 only if your security policy requires a larger key; the trade-off is slightly heavier TLS handshakes.
  • Public Exponent Value: F4 (0x10001), the standard value used by virtually every RSA certificate on the web.
  • Key Format: PEM.
  • PEM Encoding Algorithm: leave blank for an unencrypted key. If you select DES or DES3, NetScaler will require you to enter (and re-enter) a passphrase on every reboot and every time you reference the key, which is rarely worth it on an appliance you administer yourself. Leave it blank unless your policy says otherwise.
  • PEM Passphrase and Confirm PEM Passphrase: only required if you chose DES or DES3 above.

Click OK, then Close. The key now exists in /nsconfig/ssl/ on the appliance and is ready to bind to a CSR.

If you would prefer an ECDSA key (smaller, faster, and supported in every current browser), use the CLI: create ssl ecdsakey yourdomain-2026.key -curve P_256. ECDSA P-256 is the common choice; P-384 if you want a larger curve.

Step 2: Open the Create CSR dialog

Still under Configuration > Traffic Management > SSL > SSL Files, open the CSRs tab and click Create Certificate Signing Request (CSR). The Create Certificate Signing Request (CSR) window opens.

Step 3: Fill in the file and key fields

  • Request File Name: a name for the CSR file, for example yourdomain-2026.csr. NetScaler writes it to /nsconfig/ssl/ by default.
  • Key Filename: click Browse, switch the source dropdown to Appliance, and select the key you created in Step 1 (for example yourdomain-2026.key). Click Select, then Open.
  • Key Format: PEM.
  • PEM Passphrase (For Encrypted Key): only if the RSA key has a passphrase set. Leave blank otherwise.
  • Digest Method: select SHA256. SHA-1 is deprecated and rejected by every public CA; do not pick it.

Step 4: Fill in the Distinguished Name fields

Use only standard ASCII characters in every field; non-Latin letters or accented characters break the request:

  • Country: pick the two-letter ISO country code where your organization is registered (for example US, GB, DE).
  • State or Province: the full state or province name (for example Washington, not WA).
  • Organization Name: the full legal name of your company, exactly as registered. Required for OV and EV certificates. For Domain Validation (DV) certificates this field is ignored, so a short placeholder works.
  • Organization Unit: a department label such as IT. The CA/Browser Forum has phased this attribute out for public certificates, so leave it blank where the form allows.
  • City or Locality: the full city name where your organization is registered (for example Seattle, not SEA).
  • Common Name: the fully qualified domain name (FQDN) you want to secure, for example www.example.com. For a wildcard certificate, put an asterisk in front of the apex domain, for example *.example.com.
  • Email Address: optional. Public CAs no longer use this for SSL/TLS issuance; you can leave it blank.
  • Challenge Password and Company Name: optional legacy attributes. Public CAs ignore both; leave blank.

Step 5: Add the Subject Alternative Name (SAN)

Modern browsers and clients (Chromium, Firefox, Safari, .NET, Java, Go) only validate the hostname against the Subject Alternative Name extension; the Common Name has not been used for trust decisions since 2017. Public CAs copy the CN into a SAN entry automatically for single-name orders, so a CN-only request still issues, but if you need multiple hostnames on one certificate (for example example.com and www.example.com, or a multi-domain certificate) you have to add them explicitly.

  • Open the Subject Alternative Name (SAN) section of the dialog.
  • Add one entry per hostname, prefixed with DNS:, for example DNS:www.example.com and DNS:example.com.
  • For IP-based access (rare for public certificates), use the IP: prefix instead, for example IP:192.0.2.10. Public CAs only issue against IPs they can validate.

If the Subject Alternative Name (SAN) field is missing in your build, the CLI version of the command exposes it on every release (see the CLI alternative at the end of this guide).

Step 6: Generate the CSR

Double-check every field, then click Create (older builds: OK). Click Close. NetScaler writes the CSR to /nsconfig/ssl/ on the appliance and keeps the matching private key alongside it.

Step 7: Copy the CSR and submit it to your CA

  • Go to Configuration > Traffic Management > SSL.
  • On the main page, under Tools, click Manage Certificates / Keys / CSRs.
  • Locate your yourdomain-2026.csr file in the list and click View.

The CSR is a block of base64 text that looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIDXjCCAkYCAQAwgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9u
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----

Select the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, copy it, and paste it into the CSR field on your order form. Wait for the CA to validate the request and issue the certificate. When the SSL files arrive in your inbox, follow how to install an SSL certificate on NetScaler to complete the deployment.

Check the CSR before you submit it (optional)

It is worth confirming the Common Name, SAN entries, and key size before sending the request to your CA. Paste the contents of the request into SSL Dragon’s CSR decoder to read back every field. Confirm that the Common Name matches the hostname clients will use and that every required name appears under the Subject Alternative Name list. Errors at this stage are cheap to fix; errors after issuance mean a reissue.

Generate the CSR from the CLI (optional)

If you prefer the command line (or your build hides the SAN field in the GUI), connect to the appliance over SSH and run the equivalent commands. Replace the names and field values with your own:

create ssl rsakey /nsconfig/ssl/yourdomain-2026.key 2048 -exponent F4

create ssl certReq /nsconfig/ssl/yourdomain-2026.csr \
  -keyFile /nsconfig/ssl/yourdomain-2026.key \
  -countryName US \
  -stateName Washington \
  -organizationName "Example Inc" \
  -localityName Seattle \
  -commonName www.example.com \
  -subjectAltName "DNS:www.example.com DNS:example.com" \
  -digestMethod SHA256

Notes on the values:

  • The line continuations (\) are for readability; you can run the create ssl certReq command as a single line if you prefer.
  • -subjectAltName takes a single quoted string with space-separated entries; the format is DNS:hostname (or IP:address).
  • For an ECDSA key, replace the create ssl rsakey line with create ssl ecdsakey /nsconfig/ssl/yourdomain-2026.key -curve P_256 and keep the rest of the command the same.
  • To read the CSR back at the prompt, run cat /nsconfig/ssl/yourdomain-2026.csr from the appliance shell.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.