openssl netscaler sha256 csr certificate request
- Angelo Schalley
- Sep, 13, 2016
- Certificates, Citrix, Netscaler, Networking
Instructions
Complete the following steps to generate a SHA2 CSR on NetScaler using OpenSSL:
- Create a custom configuration file named openssl.cnf. The file can have the following entries; modify them to match your requirements. You can create this file on NetScaler using the vi editor or any other editor.
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = no
    default_md = sha256
    distinguished_name = dn

    [dn]
    CN = test.example.com
    OU = Test Certificate
    O = Test Company
    L = Test City
    ST = California
    C = US
    emailAddress = test@example.com
- Upload the openssl.cnf file to the /nsconfig/ssl directory.
- Log on to NetScaler using PuTTY.
- Browse to the /nsconfig/ssl directory and execute the following command to create a key and CSR. Because of -nodes (and encrypt_key = no in the configuration file), test.key is written to disk unencrypted:
    root@ns# openssl req -out test.csr -config openssl.cnf -new -newkey rsa:2048 -nodes -keyout test.key
    Generating a 2048 bit RSA private key
    ......................................+++
    ...............................................+++
    writing new private key to 'test.key'
    -----
- Use the following command to verify that the CSR created is SHA2:
    root@ns# openssl req -text -noout -in test.csr | grep 'Signature Algorithm'
  Without the grep filter, the full output looks like the following sample; the line to check is Signature Algorithm: sha256WithRSAEncryption.
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=link.rc.test.com, OU=TEST, O=DSI, L=Clichy, ST=Haut de Seine, C=Fr/emailAddress=bruce.wayne@test.fr
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
The preceding steps generate the CSR together with a new key. To use an existing key instead, run the following command:
openssl req -out csr.csr -key /nsconfig/ssl/existing_key.key -new -sha256 -config /etc/nsssl.conf
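As an added example (not part of the original post or the Citrix article), the check from the verification step can be scripted so that it fails on a non-SHA2 digest or an undersized RSA key; it applies to a CSR produced by either command. The function names, MIN_BITS and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Citrix article): policy check for a CSR.
MIN_BITS=2048   # assumption: same floor as default_bits in openssl.cnf

# Reads `openssl req -text -noout` output on stdin; returns 0 only when the
# request is signed with a SHA-2 digest and the RSA key has >= MIN_BITS bits.
check_csr_text() {
    text=$(cat)
    # A CSR carries one "Signature Algorithm:" line; take the first match.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # Matches "RSA Public Key: (2048 bit)" (old builds) and "Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    case "$sig" in
        sha256With*|sha384With*|sha512With*) ;;
        '') echo "FAIL: no Signature Algorithm line found"; return 1 ;;
        *)  echo "FAIL: weak signature digest: $sig"; return 1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: RSA key size '${bits:-unknown}' is below $MIN_BITS"; return 1
    fi
    echo "OK: $sig, $bits-bit key"
}

# Wrapper for a CSR file on disk (hypothetical helper name).
check_csr() {
    openssl req -in "$1" -noout -text | check_csr_text
}

# Constructed sample in the layout that `openssl req -text -noout` prints.
SAMPLE='Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=test.example.com, O=Test Company, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

# With a file argument, check that CSR; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    check_csr "$1"
else
    printf '%s\n' "$SAMPLE" | check_csr_text
fi
```

Run it as `sh check_csr.sh test.csr` (the script file name is an assumption); the exit status is non-zero when the CSR fails either check.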
Info from: http://support.citrix.com/article/CTX202383