
Monitoring and Managing SSL Certificates Configured on NetScaler Devices

May 28, 2015

Command Center provides a centralized view of Secure Sockets Layer (SSL) certificates installed across all managed NetScaler devices. To manage SSL certificates, make sure that certificate management is enabled. You can then view the current status of the certificates and configure Command Center to update the status at regular intervals.

To prevent server downtime caused by expired SSL certificates, you can set severity levels. Command Center generates an event when a certificate meets the criteria of a severity level, and you can configure these events to notify you when a certificate is about to expire. You can then generate Certificate Signing Requests (CSR) and update the certificates from Command Center.

Use the Audit Trail option to view the status of certificates that are updated. You can also download the certificates and the corresponding key pair to your local system.

You can link one or more of a NetScaler device's certificates to a CA certificate. However, make sure that all of the certificates that you link to the same CA certificate have the same source and the same issuer. After you have linked certificates to a CA certificate, you can unlink them.

Note: Command Center supports the certificate management feature for NetScaler releases 7.0.52 and later.

Enabling or Disabling Certificate Management

The certificate management option is enabled by default. If you do not want to manage certificates by using Command Center, you can disable the feature.

To enable or disable certificate management

  1. On the Administration tab, in the right pane, under Global Settings, click Server Settings.
  2. Under Server Settings, in SSL Certificate Management, select Enable or Disable.

Viewing the Current Status of SSL Certificates

You can refresh the certificate status to view the most recent state of all the certificates deployed on all the devices managed by Command Center.

To view the current status of SSL Certificates

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. In the right pane, under Certificate Management, select the certificate name, and click Poll Now. Alternatively, right-click the certificate name and click Poll Now.

Setting the Polling Interval for SSL Certificates

Updated: 2014-04-16

You can set the interval at which Command Center polls the real-time status of the SSL certificates. By default, Command Center polls the values every 24 hours.

To set the polling interval for SSL certificates

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. In the right pane, under Certificate Management, select the certificate name, and then click Configure Polling Interval. Alternatively, right-click the certificate name and click Configure Polling Interval.
  3. In Configure Polling Interval, type the number of hours that Command Center must wait between polls of the SSL certificate status, and then click OK.

Setting the Expiry Criteria of SSL Certificates

Updated: 2014-04-16

You can set severity levels based on expiration values of certificates configured on managed devices. Command Center generates events when an assigned severity level is met. The default severity levels are as follows:

  • Critical: Certificate has expired.
  • Major: Certificate will expire within 7 days.
  • Minor: Certificate will expire within 30 days.
  • Warning: Certificate will expire within 90 days.

To set the expiration criteria for SSL certificates

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. In the right pane, under Certificates, click Severity Levels.
  3. Under Severity Levels, select the severity levels you want to use. For each severity level you want to use, define the number of days in which you want to be notified before a certificate expires.
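
The default severity levels above can also be applied outside Command Center as an independent check of certificate expiry dates. The following is an added example, not Command Center code; the inventory, device addresses, certificate names and the inclusive handling of threshold boundaries are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Default severity levels from the list above: (name, days before expiry).
# Critical uses 0 days, i.e. the certificate has expired.
DEFAULT_LEVELS = [("Critical", 0), ("Major", 7), ("Minor", 30), ("Warning", 90)]

def days_until_expiry(not_after, now):
    """Days from `now` until notAfter (negative once the certificate has expired).

    `not_after` is the OpenSSL text form, e.g. "Jun  2 00:00:00 2015 GMT".
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).total_seconds() / 86400

def severity(not_after, now, levels=DEFAULT_LEVELS):
    """Most severe level whose threshold is met, or None if none applies.

    Assumption: thresholds are inclusive (exactly 7 days left counts as Major).
    """
    remaining = days_until_expiry(not_after, now)
    for name, days in sorted(levels, key=lambda level: level[1]):
        if remaining <= days:
            return name
    return None

def expiry_report(inventory, now, levels=DEFAULT_LEVELS):
    """Rows (level, device, certificate, days left), most urgent first."""
    rank = {name: i for i, (name, _) in enumerate(sorted(levels, key=lambda l: l[1]))}
    rows = []
    for device, cert, not_after in inventory:
        level = severity(not_after, now, levels)
        if level is not None:
            rows.append((level, device, cert, round(days_until_expiry(not_after, now), 1)))
    return sorted(rows, key=lambda row: (rank[row[0]], row[3]))

# Constructed sample inventory (documentation-range addresses, made-up names).
NOW = datetime(2015, 5, 28, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("192.0.2.13", "lab-cert", "May 28 00:00:00 2016 GMT"),
    ("192.0.2.12", "mail-cert", "Aug  1 00:00:00 2015 GMT"),
    ("192.0.2.11", "api-cert", "Jun  2 00:00:00 2015 GMT"),
    ("192.0.2.12", "vpn-cert", "Jun 20 00:00:00 2015 GMT"),
    ("192.0.2.11", "www-cert", "May 20 12:00:00 2015 GMT"),
]

if __name__ == "__main__":
    for row in expiry_report(SAMPLE_INVENTORY, NOW):
        print(row)
```

Passing a different `levels` list mirrors selecting only some severity levels or changing the number of days for each.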

Generating Certificate Signing Requests

Updated: 2014-04-18

You can generate Certificate Signing Requests (CSR) for the certificates you want to renew. Command Center generates the CSR with the user details and information about the public/private key pair of the existing certificates. After the CSR is generated, you can download it and email it to a Certificate Authority (CA). After the CA signs the request, the result is a valid certificate.

To generate a CSR

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. In the right pane, under Certificates, select the certificate for which you want to generate the CSR.
  3. In the right pane, click or right-click Download CSR, and save the file on your local system. The CSR is saved as an MHT file.
  4. To renew the certificate, email the generated CSR to your CA.

Updating SSL Certificates

Updated: 2014-04-16

After you receive the renewed certificate from the Certificate Authority (CA), you can update the certificates from Command Center without needing to log on to the NetScaler.

To update SSL certificates

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. In the right pane, under Certificates, click Update for the certificate you want to update.
  3. Under Update Certificate, in Certificate File, either type the path of the certificate file or click Choose File to select the path.
  4. In Key File, either type the path of the key file or click Choose File to select the path.
  5. In Password, type the password for the certificate.
  6. Select the Domain Check check box if you want to match the domain while updating the certificate.
  7. In Annotation, type a message describing the reason why you are updating the certificate, and then click OK.

    Note: Under Certificate Details, you can view the certificate name and file path and the IP address of the device on which the certificate is configured. You can also view the key file path.

Viewing the Audit Trail for SSL Certificates

You can view the update status of a certificate by using the Audit Trail option. The Audit Trail displays details of the devices, including the certificate update status (Success or Failed) for each device. You can also view the time at which a certificate was successfully updated.

To view the audit trail

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. In the right pane, under Certificates, click Audit Trails.
  3. Under Audit Trail, you can do the following:
    • To set the refresh interval for the audit trail information displayed in this pane, click Settings, and then type how often you want this information refreshed (in seconds).
    • To immediately refresh the audit trail information displayed in this pane, click Refresh.

    You can also view the following:

    • Device Name: Specifies the IP address of the device on which the certificate update task is performed. Clicking the IP address displays the commands associated with the Citrix device.
    • Start Time: Specifies the time when the task started.
    • End Time: Specifies the time when the task finished.
    • Executed By: Specifies the NetScaler user who executed the task.
    • Status: Specifies the status of the certificate update task, which can be Success or Failed.
    • Annotation: Displays a message describing the reason for the task.

Downloading SSL Certificates

Updated: 2014-04-16

You can download the SSL certificates and corresponding key files to your local system. Before you download the certificates, you need to enable archiving of SSL certificates on the Administration tab.

To download SSL certificates

  1. On the Configuration tab, in the left pane, under Certificate Management, click Certificates.
  2. Under Certificates, select the certificate you want to download, and then click Download.
  3. Under Download, select Download key file also if you want to download the corresponding key file, and then click OK.