NetScaler Certificates

Last Modified: Jul 10, 2016 @ 10:00 am


Convert .PFX Certificate to PEM Format

You can export a certificate from Windows and import it to NetScaler. However, Windows certificates can’t be imported on NetScaler in their native PFX format and must first be converted to PEM as detailed below:

  1. On the Windows server that has the certificate, run mmc.exe, and add the certificates snap-in.
  2. Right-click the certificate and click Export.
  3. On the Export Private Key page, select Yes, export the private key and click Next.
  4. On the Export File Format page, ensure Personal Information Exchange is selected and click Next.
  5. Save it as a .pfx file. Don’t put any spaces in the filename.
  6. Back in the NetScaler Configuration GUI, on the left expand Traffic Management and click SSL. If the SSL feature is disabled, right-click it and click Enable Feature.
  7. On the right pane, click Import PKCS#12 in the Tools section.
  8. In the Import PKCS12 File dialog box:
    1. In the Output File Name field, enter a name (e.g. Wildcard.cer) for a new file where the PEM certificate and key will be placed.
    2. In the PKCS12 File field, click Browse and select the previously exported .pfx file.
    3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    4. Change the Encoding Format selection to DES3. This causes the new Output file to be encrypted.
    5. Enter a password for the Output file and click OK.
  9. If you browse to the /nsconfig/ssl directory on the NetScaler and view the new .cer file you just created, you’ll see both the certificate and the private key in the same file. You can use the Manage Certificates / Keys / CSRs link to view the files.
  10. Notice that the file contains both the certificate and the RSA Private key.
  11. On the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
  12. On the right, click Install.
  13. In the Install Certificate dialog box:
    1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    2. In the Certificate File Name field, browse the appliance and select the .cer file you just created.
    3. In the Key File Name field, browse the appliance and select the same .cer file you just created. Both the certificate and the private key are in the same file.
    4. If the private key is encrypted, enter the password.
    5. Click Install. You can now link an intermediate certificate to this SSL certificate and then bind this SSL certificate to SSL Offload and/or NetScaler Gateway Virtual Servers.
  14. To automatically back up SSL certificates and receive notification when the certificates are about to expire, deploy Citrix Command Center or NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
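The same conversion done with the openssl binary in the NetScaler shell instead of the Import PKCS#12 tool, plus the checks worth running on the resulting file before you click Install. This is an added example, not from the article: the .pfx it converts is a constructed self-signed test certificate standing in for the one exported from Windows, and the passwords and file names are made up.

```shell
#!/bin/sh
# Added example (not from the article). Converts a .pfx to the single PEM file
# the Import PKCS#12 tool writes (certificate + DES3-encrypted key) and then
# checks the file the way a practitioner would before installing it.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PFX_PASS='ExportPass1'    # constructed: password typed in the Windows export wizard
PEM_PASS='OutputPass1'    # constructed: DES3 password for the new output file

# Constructed stand-in for the Windows-exported certificate (2048-bit RSA).
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=test.corp.local' \
    -keyout "$WORK/win.key" -out "$WORK/win.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/win.crt" -inkey "$WORK/win.key" \
    -out "$WORK/Wildcard.pfx" -passout "pass:$PFX_PASS"
}

# Equivalent of Import PKCS#12 with Encoding Format = DES3: cert and key land in
# one PEM file and the key is encrypted with the output password.
pfx_to_pem() {  # $1=.pfx in, $2=.cer out
  openssl pkcs12 -in "$1" -out "$2" -des3 \
    -passin "pass:$PFX_PASS" -passout "pass:$PEM_PASS"
}

# Extract one PEM block type from the combined file ($2 is a name pattern).
pem_block() { sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"; }

# Check 1: both the certificate and the private key are in the file (step 9).
pem_has_cert_and_key() {
  grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'BEGIN .*PRIVATE KEY' "$1"
}

# Check 2: the key really is encrypted. OpenSSL writes either a PKCS#8
# "ENCRYPTED PRIVATE KEY" block or a traditional block with a Proc-Type header.
pem_key_encrypted() {
  grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Check 3: the key matches the certificate (same public key), which is what
# the Install dialog complains about when the wrong file is selected.
pem_key_matches_cert() {
  c=$(pem_block "$1" CERTIFICATE | openssl x509 -noout -pubkey | openssl dgst -sha256)
  k=$(pem_block "$1" '.*PRIVATE KEY' | openssl rsa -passin "pass:$PEM_PASS" -pubout 2>/dev/null \
      | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 4: RSA key size. Anything under 2048 bits is rejected by modern clients
# (the same problem the article describes with the old 512-bit management cert).
pem_key_bits() {
  pem_block "$1" CERTIFICATE | openssl x509 -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
key_bits_ok() { [ "$(pem_key_bits "$1")" -ge 2048 ]; }

make_test_pfx
PEM="$WORK/Wildcard.cer"
pfx_to_pem "$WORK/Wildcard.pfx" "$PEM"
pem_has_cert_and_key "$PEM" && pem_key_encrypted "$PEM" \
  && pem_key_matches_cert "$PEM" && key_bits_ok "$PEM" \
  && echo "OK: $PEM holds cert + encrypted matching key, $(pem_key_bits "$PEM") bits"
```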

Create Key and Certificate Request

You can create a key pair and Certificate Signing Request directly on the NetScaler appliance. The Certificate Signing Request can then be signed by an internal or public Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when submitting the Certificate Signing Request to the Certificate Authority and thus there’s no reason to include Subject Alternative Names in the Certificate Signing Request. You typically create a Certificate Signing Request with a single DNS name. Then when submitting the Certificate Signing Request to the Certificate Authority you type in additional DNS names. For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard. For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option that lets you type in additional names.

If you instead want to create a Certificate Signing Request on NetScaler that has Subject Alternative Names embedded in it as request attributes, see Citrix Blog Post How to Create a CSR for a SAN Certificate Using OpenSSL on a NetScaler Appliance. These instructions are performed on the NetScaler command line using OpenSSL. Or you can instead create a Subject Alternative Name certificate on Windows.

  1. On the left, expand Traffic Management, and click SSL.
  2. On the right, in the left column, click Create RSA Key.
  3. Give the new .key file a descriptive name.
  4. Set the Key Size to 2048 bits.
  5. Set the PEM Encoding Algorithm to DES3 and enter a password. This encrypts the key file.
  6. Click OK. You will soon create a certificate using the keys in this file.
  7. On the right, in the right column, click Create CSR (Certificate Signing Request).
  8. In the Request File Name field, enter the name of a new .csr file.
  9. In the Key Filename field, browse to the previously created .key file.
  10. If the key file is encrypted, enter the password.
  11. In the State field, enter your state name without abbreviating.
  12. In the Organization Name field, enter your official Organization Name.
  13. Enter the City name.
  14. Enter IT or similar as the Organization Unit.
  15. In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN.
  16. Scroll down, and click OK.
  17. On the right side of the right pane, click Manage Certificates / Keys / CSRs.
  18. Find the .csr file you just created, and View it.
  19. Copy the contents of the file, and send it to the certificate administrator. Request the signed certificate to be returned in Apache or Base64 format.
  20. After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL, and click Certificates.
  21. On the right, click Install.
  22. In the Install Certificate dialog box:
    1. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    2. In the Certificate File Name field, browse Local and select the Base64 (Apache) .cer (or .crt, or .cert) file you received from the Certificate Authority.
    3. In the Private Key File Name field, browse the appliance and select the key file you created earlier.
    4. If the key file is encrypted, enter the password.
    5. If desired, check the box next to Notify when expires.
    6. Click Install.
  23. The certificate is now added to the list. Notice the Days to Expire. You can now bind this certificate to any SSL Load Balancing, NetScaler Gateway, or SSL Content Switching Virtual Server.
  24. To automatically back up SSL certificates and receive notification when the certificates are about to expire, deploy Citrix Command Center or Citrix NetScaler Management and Analytics. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the NetScaler. This Intermediate Certificate then must be linked to the Server Certificate.

  1. Sometimes the public Certificate Authority will give you the Intermediate certificate as one of the files in a bundle. If not, log into Windows and double-click the signed certificate.
  2. On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
  3. On the Details tab, click Copy to File.
  4. In the Welcome to the Certificate Export Wizard page, click Next.
  5. In the Export File Format page, select Base-64 encoded and click Next.
  6. Give it a file name and click Next.
  7. In the Completing the Certificate Export Wizard page, click Finish.
  8. In the NetScaler configuration GUI, expand Traffic Management, expand SSL, and click Certificates.
  9. On the right, click Install.
  10. Name it Intermediate or similar.
  11. Browse locally for the Intermediate certificate file.
  12. Click Install. You don’t need a key file.
  13. Highlight the server certificate, open the Action menu, and click Link.
  14. The previously imported Intermediate certificate should already be selected. Click OK.

Create Certificate with NetScaler as Certificate Authority

If you don’t have an internal Certificate Authority, you can use NetScaler as a Certificate Authority. The NetScaler Certificate Authority can then be used to sign Server Certificates. This is a simple method for creating a new management certificate. The main problem with this method is that the NetScaler root certificate must be manually installed on any machine that connects to the NetScaler.

  1. On the left, expand Traffic Management, and click SSL.
  2. On the right, in the left column, click Root-CA Certificate Wizard.
  3. In the Key Filename field, enter root.key or similar. This is a new file.
  4. In the Key Size field, enter at least 2048.
  5. Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
  6. Click Create.
  7. In the Request File Name field, enter root.csr or similar. This is a new file.
  8. If the key file is encrypted, enter the password.
  9. Scroll down.
  10. In the State field, enter the non-abbreviated state name.
  11. In the Organization Name field, enter the name of your organization.
  12. Fill in other fields as desired.
  13. In the Common Name field, enter a descriptive name for this Certificate Authority.
  14. Click Create.
  15. In the Certificate File Name field, enter root.cer or similar. This is a new file.
  16. Change the Validity Period to 3650 (10 years) or similar.
  17. If the key file is encrypted, enter the password in the PEM Passphrase field.
  18. Click Create.
  19. In the Certificate-Key Pair Name field, enter a friendly name for this Certificate Authority certificate.
  20. If the key file is encrypted, enter the password in the Password field.
  21. Click Create.
  22. Click Done.
  23. In the right pane, in the left column, click Server Certificate Wizard.
  24. In the Key Filename field, enter mgmt.key or similar. This is a new file.
  25. In the Key Size field, enter at least 2048.
  26. Optionally, to encrypt the key file, change the PEM Encoding Algorithm to DES3, and enter a new password.
  27. Click Create.
  28. In the Request File Name field, enter mgmt.csr or similar. This is a new file.
  29. If the key file is encrypted, enter the password.
  30. Scroll down.
  31. In the State field, enter the non-abbreviated state name.
  32. In the Organization Name field, enter the name of your organization.
  33. Fill in other fields as desired.
  34. In the Common Name field, enter the hostname (FQDN) of the appliance.
  35. Click Create.
  36. In the Certificate File Name field, enter mgmt.cer or similar. This is a new file.
  37. Change the Validity Period to 3650 (10 years) or similar.
  38. Scroll down.
  39. In the CA Certificate File Name field, browse to the root.cer file.
  40. In the CA Key File Name field, browse to the root.key file.
  41. If the key file is encrypted, enter the password.
  42. In the CA Serial File Number field, enter the name of a new file that will contain serial numbers.
  43. Click Create.
  44. In the Certificate-Key Pair Name field, enter a friendly name for this management certificate.
  45. If the key file is encrypted, enter the password in the Password field.
  46. Click Create.
  47. Click Done.
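How the Root-CA and Server Certificate wizards fit together, and why the Intermediate Certificate section insists on linking: this added example (not the article’s own procedure) builds a constructed root -> intermediate -> server chain with openssl in the NetScaler shell, signing with a CA certificate, CA key and serial-number file the way the wizards do, then verifies the server certificate with and without the intermediate presented. All subjects, names and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the article): a constructed three-level chain and the
# verification a root-trusting client performs. Subjects and file names are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config: the subject comes from -subj, so the DN section is empty;
# the extension sections mark CA certificates and the server certificate.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ns01.corp.local
EOF

# Self-signed root, like the Root-CA Certificate Wizard (root.key / root.cer).
make_root() {
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -x509 -new -key root.key -subj '/O=Example Corp/CN=Example Root CA' \
    -days 3650 -config ext.cnf -extensions ca_ext -out root.cer
}

# Sign a new key+CSR with a CA, like the Server Certificate Wizard: CA cert,
# CA key and a serial file (created on first use by -CAcreateserial).
# $1=name  $2=subject  $3=CA name  $4=extension section
sign() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -config ext.cnf -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$3.cer" -CAkey "$3.key" \
    -CAserial "$3.srl" -CAcreateserial -days 365 \
    -extfile ext.cnf -extensions "$4" -out "$1.cer" 2>/dev/null
}

# Verify a certificate as a client that trusts only the root would.
# $1=certificate, $2=optional intermediate presented alongside it (what
# "Link" on the NetScaler achieves).
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.cer -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.cer "$1" >/dev/null 2>&1
  fi
}

make_root
sign intermediate '/O=Example Corp/CN=Example Issuing CA' root ca_ext
sign server '/O=Example Corp/CN=ns01.corp.local' intermediate server_ext

verify_chain server.cer intermediate.cer && echo "server cert + linked intermediate: OK"
verify_chain server.cer || echo "server cert without intermediate: FAILS (unable to get issuer)"
```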

Default Management Certificate Key Length

In older NetScaler builds, the default management certificate (ns-server-certificate) key size is only 512 bits. To see the key size, right-click ns-server-certificate, and then click Details.

If you try to use Internet Explorer to connect to the NSIP using SSL, Internet Explorer will consider 512 bits to be unsafe and probably won’t let you connect. Notice there’s no option to proceed.

You can configure Internet Explorer to accept the 512-bit certificate by running Certutil -setreg chain\minRSAPubKeyBitLength 512 on the same machine where Internet Explorer is running.

When you upgrade NetScaler, the management certificate remains at whatever was installed previously. If it was never replaced, then the management certificate is still only 512 bits. To replace the certificate with a new 2048-bit self-signed certificate, simply delete the existing ns-server-certificate certificate files and reboot.

  1. Go to Traffic Management > SSL.
  2. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  3. Highlight any file named ns-* and delete them. This takes several seconds.
  4. Then go to System and reboot.
  5. After a reboot, if you view the Details on the ns-server-certificate, it will be recreated as self-signed with 2048-bit key size.

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

Only one certificate will be loaded on both nodes in a High Availability pair, so make sure the management certificate matches the names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won’t match all of these names):

  • The FQDN for each node NSIP in a High Availability pair. Example: ns01.corp.local and ns02.corp.local
  • The shortnames (left label) for each node NSIP in a High Availability pair. Example: ns01 and ns02
  • The NSIP IP address for each node in a High Availability pair. Example: 192.168.123.14 and 192.168.123.29
  • If you enabled management access on your SNIPs, add names for the SNIPs:
    • FQDN for the SNIP. Example: ns.corp.local
    • Shortname for the SNIP. Example: ns
    • SNIP IP address. Example: 192.168.123.30

If you are creating a Subject Alternative Name certificate, it’s probably easiest to do the following:

  1. Create the certificate using the Certificates snap-in on a Windows box. You can add the Subject Alternative Names in the certificate request wizard. The Subject Alternative Names for the IP addresses must be added as IP address (v4). The other Subject Alternative Names are added as DNS.
  2. Export the certificate and Private Key to a .pfx file.
  3. On the NetScaler, use the Import PKCS#12 tool to convert the .pfx to PEM format. Then follow one of the procedures below to replace the management certificate.
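For the OpenSSL route mentioned in the Create Key and Certificate Request section, this added example (not from the article) creates a DES3-encrypted 2048-bit key and a CSR whose SAN list covers the management names listed above, with DNS entries for names and IP address entries for addresses. The names and addresses are the article’s examples; the key passphrase, DN fields and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the article): key + SAN CSR for the management
# certificate, built with the openssl binary in the NetScaler shell.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KEY_PASS='KeyPass1'   # constructed passphrase for the DES3-encrypted key file

# Turn the list of names into a subjectAltName value. The article notes that
# IP addresses must be IP SANs, not DNS SANs, so anything that is purely
# digits and dots becomes IP:, everything else DNS:.
san_list() {
  san=''
  for n in "$@"; do
    case $n in
      *[!0-9.]*) entry="DNS:$n" ;;
      *)         entry="IP:$n"  ;;
    esac
    san="${san:+$san,}$entry"
  done
  printf '%s' "$san"
}

# openssl req config with a fixed DN and the SAN extension in the request.
write_req_config() {  # $1=config path  $2=Common Name  $3=SAN string
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = san_ext
[ dn ]
C = US
ST = California
L = San Francisco
O = Example Corp
OU = IT
CN = $2
[ san_ext ]
subjectAltName = $3
EOF
}

# Like "Create RSA Key": 2048 bits, PEM encoded, DES3-encrypted with a password.
make_key() { openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$1" 2048 2>/dev/null; }

# Like "Create CSR", but with the SANs embedded as request attributes.
make_csr() {  # $1=key  $2=config  $3=csr out
  openssl req -new -key "$1" -passin "pass:$KEY_PASS" -config "$2" -out "$3"
}

# Print the SAN line of a CSR so it can be reviewed before sending to the CA.
csr_sans() {
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# The article's example names: NSIP FQDNs, shortnames and IPs of both HA
# nodes, plus the SNIP with management access enabled.
SAN=$(san_list ns01.corp.local ns02.corp.local ns01 ns02 \
               192.168.123.14 192.168.123.29 ns.corp.local ns 192.168.123.30)
write_req_config "$WORK/mgmt.cnf" ns01.corp.local "$SAN"
make_key "$WORK/mgmt.key"
make_csr "$WORK/mgmt.key" "$WORK/mgmt.cnf" "$WORK/mgmt.csr"
echo "SANs in request: $(csr_sans "$WORK/mgmt.csr")"
```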

There are two methods of replacing the management certificate:

  • Use the Update Certificate button for ns-server-certificate in the NetScaler GUI. This automatically updates all of the Internal Services bindings too.
    • You cannot rename the certificate in the NetScaler GUI. It remains as ns-server-certificate.
    • If your new management certificate is a wildcard that you need to use for other SSL entities, then you will bind ns-server-certificate to those entities instead of a more descriptive name. You can’t re-upload the wildcard certificate again with a different GUI name.
  • Or manually Bind the new certificate to the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, and click Certificates.
  3. On the right, highlight ns-server-certificate, and click Update.
  4. Check the box next to Click to update the Certificate/Key.
  5. Browse to the new management certificate. It could be on the appliance or it could be on your local machine.
  6. Click Yes when asked to update the existing certificate.
  7. If the PEM certificate is encrypted, enter the password.
  8. Check the box next to No Domain Check. Click OK.
  9. You can now connect to the NetScaler using https protocol. The certificate should be valid and it should have a 2048 bit key.
  10. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  11. On the right, switch to the Internal Services tab.
  12. You will see multiple services. Edit one of them.
  13. On the right, in the Advanced column, click SSL Ciphers.
  14. On the left, in the SSL Ciphers section, bind a custom cipher group that has RC4 ciphers removed. Click OK.
  15. Scroll down to the SSL Parameters section, and click the pencil icon.
  16. Uncheck the box next to SSLv3. NetScaler VPX 10.5 build 57 and newer lets you enable TLSv11 and TLSv12. Click OK.
  17. Repeat for the rest of the internal services.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, and click Certificates.
  3. On the right, use the Install button to install the certificate if you haven’t already done so.
  4. On the right, highlight the new management certificate, open the Action menu, and click Details.
  5. Verify that the Public Key Size is 2048. Click OK.
  6. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  7. On the right, switch to the Internal Services tab.
  8. You will see multiple services. Edit one of them.
  9. Scroll down and click where it says 1 Client Certificate.
  10. Highlight the existing management certificate, and click Unbind.
  11. Click Yes to remove the selected entity.
  12. Click Add Binding.
  13. Click where it says Click to select.
  14. Select the new management certificate, and click OK.
  15. Click Bind.
  16. Click OK.
  17. On the right, in the Advanced column, click SSL Ciphers.
  18. On the left, in the SSL Ciphers section, bind a custom cipher group that has RC4 ciphers removed. Click OK.
  19. Scroll down to the SSL Parameters section, and click the pencil icon.
  20. Uncheck the box next to SSLv3. NetScaler VPX 10.5 build 57 and newer lets you enable TLSv11 and TLSv12. Click OK.
  21. Repeat for the rest of the internal services.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP. Connecting to the NSIP using SSL also causes Java communication to use SSL (TCP 3008).

  1. Connect to the NSIP using https.
  2. On the left, expand System, expand Network, and click IPs.
  3. On the right, highlight your NetScaler IP, and click Edit.
  4. Near the bottom, check the box next to Secure access only, and then click OK.
  5. Repeat this on the secondary appliance.
  6. Repeat for any SNIPs that have management access enabled.

SSL Certificate – Update

If your certificate is about to expire, do the following:

  1. Create updated certificate files in PEM format. One option is to create a key file and Certificate Signing Request directly on the NetScaler. Another option is to convert a PFX file to a PEM file. Don’t install the certificate yet, but instead, simply have access to the key file and certificate file in PEM format.
  2. In NetScaler, navigate to Traffic Management > SSL > Certificates.
  3. On the right, highlight the certificate you intend to update, and click Update.
  4. Check the box next to Click to update the Certificate/Key.
  5. Browse to the updated certificate file.
  6. Click Yes when asked to update the existing certificate.
  7. Browse to the updated key file.
  8. If the key file is encrypted, enter the password.
  9. Check the box next to No Domain Check.
  10. Click OK. This will automatically update every Virtual Server on which this certificate is bound.
  11. Certificates can also be updated in Citrix Command Center or NetScaler Management and Analytics System.

51 thoughts on “NetScaler Certificates”

  1. Hi Carl

    Great article. Thanks.
    In a HA environment, is there any sequence for installing new certificates on the nodes? Is it necessary to force failover during the process?

    1. Which cert? Management cert? Or vServer cert?

      When you update a cert or install a new one, HA will sync the file to the secondary node, and then run the add/update CLI command on both nodes. No failover needed.

  2. Hi Carl,

    Just one simple question: I’m doing GSLB with SSL. Do I need to create different CSRs on the local and remote LBs, or can I generate it on only one LB and use the same certificate on the remote site too?

    Thanks in advance.

    BK

    1. Once you create the cert on one appliance, you can download the files and use the same files on the other appliance.

  3. Following the Root-CA Certificate Wizard, I created a root certificate using the GUI, which in turn logged the following entries on the syslog server.

    #For RSAKey
    Feb 21 08:14:16 192.168.10.120 02/21/2017:13:14:16 GMT ns 0-PPE-0 : GUI CMD_EXECUTED 808 0 : User nsroot - Remote_ip 192.168.10.109 - Command "create ssl rsakey NS_Root_RSA_PEM_DES3 2048 -exponent 3 -keyform PEM -des3 -password "********"" - Status "Success"

    #For CSR
    Feb 21 08:14:58 192.168.10.120 02/21/2017:13:14:58 GMT ns 0-PPE-0 : GUI CMD_EXECUTED 809 0 : User nsroot - Remote_ip 192.168.10.109 - Command "create ssl certReq NS_Root_RSA_PEM_DES3.csr -keyFile NS_Root_RSA_PEM_DES3 -keyform PEM -PEMPassPhrase "********" -countryName US -stateName "New Jersey" -organizationName HomeLab -organizationUnitName HomeLab -localityName "Jersey City" -commonName CAG.HomeLab.local" - Status "Success"

    #For Cert
    Feb 21 08:15:16 192.168.10.120 02/21/2017:13:15:16 GMT ns 0-PPE-0 : GUI CMD_EXECUTED 810 0 : User nsroot - Remote_ip 192.168.10.109 - Command "create ssl cert NS_Root_RSA_PEM_DES3.crt NS_Root_RSA_PEM_DES3.csr -keyFile NS_Root_RSA_PEM_DES3 -keyform PEM -PEMPassPhrase "********" -days 365 -certForm PEM -CAcertForm PEM -CAkeyForm PEM" - Status "Success"

    #To Create CertKeyPair
    Feb 21 08:15:38 192.168.10.120 02/21/2017:13:15:38 GMT ns 0-PPE-0 : GUI CMD_EXECUTED 811 0 : User nsroot - Remote_ip 192.168.10.109 - Command "add ssl certKey NS_Root_RSA_PEM_DES3 -cert NS_Root_RSA_PEM_DES3.crt -key NS_Root_RSA_PEM_DES3 -inform PEM "********" -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO" - Status "Success"

    #To see CertKeyPair created in step above
    Feb 21 08:15:38 192.168.10.120 02/21/2017:13:15:38 GMT ns 0-PPE-0 : GUI CMD_EXECUTED 812 0 : User nsroot - Remote_ip 192.168.10.109 - Command "show ssl certKey NS_Root_RSA_PEM_DES3" - Status "Success"

    Now that I had the commands NetScaler logged to syslog, I went ahead and removed the CertKeyPair by executing the following on the CLI.

    rm certkey NS_Root_RSA_PEM_DES3

    and removed the files from the shell.

    root@ns# cd /nsconfig/ssl/
    root@ns# rm NS_Root_RSA_PEM_DES3.key NS_Root_RSA_PEM_DES3.csr NS_Root_RSA_PEM_DES3.crt

    Then I tried to execute the commands listed in syslog to see if I could re-create it using the CLI, and I learned that the 3rd command, to create NS_Root_RSA_PEM_DES3.crt, failed.

    I had been careful to type the password accurately. I think it’s a bug in the syslog module: the system is not logging the correct command executed in the GUI to syslog. Otherwise it would have worked.

      1. You see, I am trying to create the root cert itself using the “create ssl cert” command which was logged in syslog when I ran through the “Root-CA Certificate Wizard”.

        What I am trying to say is that the “Root-CA Certificate Wizard” is executing a command which is different from what is logged in syslog.

  4. Can I rebind the Internal Services to use an existing wildcard cert (*.corp.com) I’m using for LB virtual servers if I’m only accessing the NSIP management interface using https://netscaler.corp.com? I don’t plan on using the shortname or the IP address to access the management interface so I’m wondering if I can get by with using the wildcard cert instead of creating a new SAN certificate.

      1. Not yet. I thought it would work but it wasn’t clear in the Replace Management Certificate section if it was possible to use a wildcard cert.

  5. Great article. Going through the update process, I renewed an existing cert and uploaded it to the NetScaler. Following your update method, I receive an error that the resource already exists when renewing the cert. Is this due to the keys being the same?

    Regards
    James

    1. Did you maybe already add the new certKey prior to updating the existing certKey? If so, just delete the recently added certKey and try the update again.

      1. Appreciate the quick reply. I went back and traced my steps and it looks like I exported the old cert out of Exchange and not the new one. Once I uploaded the new one I was able to update the existing cert. Thanks again.

    1. Does your CA require the “CSR” with SHA-256? It doesn’t matter what the CSR is since the final certificate will still be SHA-256.

      But if you really want your CSR to be SHA2, then NetScaler 11.1 lets you do it in the GUI. Or you can do it from openssl in the command line.

  6. Good evening, I would like to ask you a question.
    Because from the command line with across where the certificate. PFX does not address the certificate with .p7b extension. While manually installing the .pfx certifed installation is successful. I enclose the CLI:
    certutil -f -p password -importpfx "\\Nserver\scripts$\patch\certificate.pfx"

    Thanks for your collaboration.

  7. NetScaler VPX NS10.5 – Do you need to keep the Imported PKCS#12 file once you install the Certificate or can these be deleted?

  8. Awesome write-up on NetScaler config! I was able to set mine up in my lab based off your article. Thank you!

  9. Hi Carl, great article, as I was looking into using SAN certs for my HA NetScalers. I followed your steps and used our company’s Enterprise CA to pre-create the cert on a Windows Server. Now we have the cert exported, I keep getting SyntaxError: Invalid character.
    Any idea what this can be? Made sure to name the cert as its FQDN address, no spaces etc. Also the password we have kept simple, but so far it keeps failing.
    We have also tried to export the private key separate from the cert, so two files: private key as .pfx and cert as .cer. Still fails while trying to import the private key file.
    Thanks,
    Alvin

    1. Does it work from the CLI?

      If you’re doing .pfx, it needs to be converted to .cer and .key in PEM (Base64) format first. Traffic Mgmt > SSL > Import PKCS#12 can do the conversion for you.

      1. I’ve got a strange one for you. I created a CA signed certificate request. Uploaded to GoDaddy. I downloaded the cert and the bundled cert. I then tried to upload and add in NetScaler (VPX trial). I can do the regular cert but the bundled cert doesn’t work. It tells me I’m using the wrong key. Any ideas? I’ve done this for a couple years and this is a first for me. Totally stumped.

    2. Hi Carl, using the NS GUI Import PKCS12 wizard is where it is failing with SyntaxError: Invalid character. This .pfx is created as shown in this article with the certificate wizard on a Windows server. The pfx includes the cert and private key.

      Have to lookup the CLI command to try the import as well…

      1. Got it working now, not sure if it is related to my Windows machine or Enterprise CA, but once I got the .pfx, I had to convert it first to a .cer file using “openssl pkcs12 -in certificate.pfx -out certificate.cer” then copy and split its contents to separate files: certificate.pem, rootca.cer, dot1x.cer and privatekey.key. Then merge all *.cer and *.pem back into one fullcertificate.pem file, so leaving the privatekey.key out.
        On the NS, run “openssl rsa -in current_keyfilename -out NEW_keyfilename” and then perform the cert install process. If the key file was not converted I would get “Invalid private key” or “PEM pass phrase required for this private key”.

  10. Hi Carl-

    Not sure if you still look at this one but great blog. This has puzzled me so I thought I would ask.

    What is the proper use of wildcard certificates from a public CA in NS 10.5?

    We have (2) Storefront servers that are part of XYZ domain so SF1.XYZ.LOCAL and SF2.XYZ.LOCAL but the Store and NS are using *.XYZ.COM. The cert is for *.XYZ.COM but internal DNS name uses XYZ.LOCAL.

    Internal and external beacons are also XYZ.COM and IIS SSL is XYZ.COM

    LB VIP for Storefront uses XYZ.COM as well.

    This all works fine even without the Intermediate CA linked but I’m wondering…

    1) Is linking the intermediate a best practice or a requirement?
    2) What are the typical effects of a wildcard not matching the DNS name?

    Kind regards,

    Jim

    1. 1. Windows devices are smart enough to download missing intermediate certificates from the Internet. Other devices (iOS, Android) won’t do that. Thus you need to link any middle certificates in the chain.

      2. By definition, wildcard matches all xyz.com DNS names. That’s the point of a wildcard. It won’t match xyz.local, of course.

  11. Hi Carl,

    We are using wildcard certificates which are going to expire soon. Our security team, who is responsible for renewals, has said that going forward they won’t renew the wildcard; instead they have asked us to generate a new CSR for each URL.

    On some NetScaler gateways we have multiple Virtual Servers each having a separate VIP (the domain name is the same for all URLs). I have the following queries related to our scenario:

    1. Do we need to generate a CSR for each URL / vserver?
    2. Can I generate a CSR for a vserver configured on another NetScaler box? I plan to use the CLI to generate the CSR to minimize the effort.
    3. Any easier way to generate multiple CSRs?

    Thanks,

    Sid

    1. Certificates match DNS names. If you have multiple Gateways on the same DNS name then you can use the same cert for each Gateway. Unless you want different keys for each Gateway.

      You can create the cert on any machine and later import it to NetScaler. I typically create certs in IIS, export to .pfx, and then import to NetScaler. Once they are on a NetScaler they are just files that can be copied to any other NetScaler and “installed”. You can also use OpenSSL to create keys and CSRs.

  12. Thanks Carl for the detailed information.

    I need a few further clarifications as I’m going to renew the existing SSL certificate for our NGs.
    1. Do I need to recreate the RSA Key for generating the CSR?
    2. Do I need to link the Intermediate again once I install the renewed certificate on the NetScaler?
    3. Would live sessions be impacted when SSL certificates are installed?

    Looking for your suggestion, mate.

    Thanks in advance

    Regards
    Kallal

    1. 1. Not required but it is best practice to change the keys. That’s the reason for cert expiration. Longer keys mean more time for hackers to break it.
      2. Yes. They sometimes change the intermediate cert when you renew.
      3. I would assume so. If ICA Proxy with Session Reliability then most users won’t notice. NetScaler 11.0 build 64 added a feature to make SSL changes more seamless.

      1. Thanks for replying so quickly.

        When I try to create another RSA key from Traffic Management -> SSL -> SSL Keys -> Create RSA Key, it keeps on rolling until I close this wizard manually, due to which I am unable to create any further RSA key. Whereas a DSA key can be created in the same way. Is this a known behaviour of NetScaler?

        1. What build? Special characters in the password?

          You can also do it from the CLI. Or if you have a Windows box you can create one using IIS, export to .pfx, and then import to NetScaler.

          1. We are using NetScaler (8005), Version: 10.5, Build: 55.8 and have no special characters in the password.

            Excellent option to create it through IIS. Let me try that once.

          2. Hi Carl

            I managed to create the CSR and received the bundle certificates (containing root, intermediate and server certificates). Please can you elaborate how these bundle certificates would be installed on NetScaler? How to link the intermediate and root cert with the server certificate sequentially after installing these certificates in NetScaler?

            Regards
            Kallal

          3. I usually upload one at a time and then link them. But don’t link the root. Instead only link the server cert to the intermediates.

          4. Thanks Carl, but our certificate authority has changed. Shall I still use the previous root certificate, which was provided by a different CA?

            Regards
            Kallal

          5. When you try to link the certificates it will only give you valid certificate linking options.

            On Windows, double-click the server cert. Go to the Cert Path page. You’ll see the full list of CAs that signed the cert. Each of the CAs, except the top one, needs to be uploaded to the NetScaler and linked to the server certificate.

          6. Thanks Carl. I have renewed the certificate successfully on all gateways. Thanks for this article. It helps a lot.
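The advice above (upload the server cert and every CA in the path except the top one, then link) as an added example, not from the article or from Citrix: a POSIX shell script that splits a CA bundle into one file per certificate, classifies each as root, intermediate or leaf, and lists the files that need to go on the NetScaler. It assumes the openssl CLI is installed; the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from Citrix. Assumes the openssl CLI.
# Given the PEM bundle a CA returns (root, intermediate(s) and server cert in
# any order), report which files need to be uploaded to the NetScaler and
# linked: the server cert and every intermediate, but not the self-signed root.
set -eu

# Print one of: root, intermediate, leaf.
# A root is self-signed (subject hash equals issuer hash); any other cert
# carrying basicConstraints CA:TRUE is an intermediate; the rest is the leaf.
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$subj" = "$iss" ]; then
    echo root
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo intermediate
  else
    echo leaf
  fi
}

# Split bundle $1 into $2.1.pem, $2.2.pem, ... (one certificate per file,
# ignoring any "Bag Attributes" text before the first certificate) and list them.
split_bundle() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (p "." n ".pem")}' "$1"
  ls "$2".*.pem
}

# List the split files that go on the NetScaler, skipping the root.
# On the appliance the server cert is then linked to its intermediate(s).
netscaler_uploads() {
  for f in $(split_bundle "$1" "$2"); do
    case $(classify_cert "$f") in
      root) ;;                 # clients already trust it; do not upload or link
      *)    echo "$f" ;;
    esac
  done
}

# Usage: netscaler_uploads bundle.pem chain
# prints e.g. chain.2.pem and chain.3.pem when chain.1.pem is the root
```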

  13. Bind 2 server certificates to a Virtual Server?

    We will be rolling out a new URL and would like the new and the existing URLs to be active at the same time for a while.
    We have wildcard certificates for both URLs.
    Do we need to create a new Virtual server on the CAG in order to have both sites up at once?

    I thought about pointing the new URL at the existing one (as an alias) and adding the second certificate to the existing Virtual server. But it seems like only one server certificate can be applied at a time to the Virtual server. If we add a second one it bumps the existing one off.

    1. If a wildcard matches both names then you only need the wildcard. But if you need two different certs then you need to enable SNI (Server Name Indication) in your SSL Profile or SSL Parameters. This lets you bind multiple SNI certs to the vServer. Note: this doesn’t work for Windows XP clients.

  14. Hi Carl,

    Just wonder if you could point or give me a step by step what I need to do in order to Create, Install a SSL Cert for internal testing of our LB StoreFront on the NetScaler.

    Best Regards,

    Vinh

    1. You’re asking how to create a certificate that is signed by an internal Certificate Authority? There are numerous Microsoft CA tutorials on the Internet. If you want to use NetScaler as your CA, this page has those instructions. In production, I use public CA certs for both Gateway and internal StoreFront since they are usually the same DNS name.

  15. Great site Carl, really helpful. A (very) minor point that had me scratching my head for a while. When exporting the PFX from Windows, ensure the file name used does not contain any spaces, or NetScaler only imports the PFX as-is, leaving you thinking there is something wrong with your wildcard cert!

    1. I just added some text instructing to not put spaces in the filename. I just tried it on NetScaler 11 and I get an error message, which is better than it not working without an error. Thanks for pointing this out.

  16. Hi Carl,

    When a user gets the following error message, Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. SSL Error 61: You have not chosen to trust “GeoTrust SSL CA – G3”, the issuer of the server’s security certificate.

    Where can I find instructions on how to add the right certificate?

    1. When you purchased the certificate GeoTrust should have given you the intermediate certificate. Just install it on the NetScaler and link it to the server certificate.

  17. Hi Carl,

    I’m getting the below error when I try to install the certificate in NetScaler; I followed the steps you provided properly.

    “certificate is not valid yet”

    Time is in sync between the certificate server and NetScaler. Please help me resolve the issue.

    1. This usually means the date on the appliance is wrong. SSH to the appliance and run date. You can use the same command to change the date. If this is a VPX appliance, make sure the host hypervisor also has the correct date/time.
