SSL FAQs

Basic questions

HTTPS access to the GUI fails on a VPX instance. How do I gain access?

A certificate-key pair is required for HTTPS access to the GUI. On a Citrix ADC, a certificate-key pair is automatically bound to the internal services. On an MPX or SDX appliance, the default key size is 1024 bytes, and on a VPX instance, the default key size is 512 bytes. However, most browsers today do not accept a key that is less than 1024 bytes. As a result, HTTPS access to the VPX configuration utility is blocked.

Citrix recommends that you install a certificate-key pair of at least 1024 bytes and bind it to the internal service for HTTPS access to the configuration utility or update the ns-server-certificate to 1024 bytes. You can use HTTP access to the configuration utility or the CLI to install the certificate.

If I add a license to an MPX appliance, the certificate-key pair binding is lost. How do I resolve this problem?

If a license is not present on an MPX appliance when it starts, and you add a license later and restart the appliance, you might lose the certificate binding. You must reinstall the certificate and bind it to the internal service.

Citrix recommends that you install an appropriate license before starting the appliance.

What are the various steps involved in setting up a secure channel for an SSL transaction?

Setting up a secure channel for an SSL transaction involves the following steps:

  1. The client sends an HTTPS request for a secure channel to the server.

  2. After selecting the protocol and cipher, the server sends its certificate to the client.

  3. The client checks the authenticity of the server certificate.

  4. If any of the checks fail, the client displays the corresponding feedback.

  5. If the checks pass or the client decides to continue even if a check fails, the client creates a temporary, disposable key called the pre-master secret and encrypts it by using the public key of the server certificate.

  6. The server, upon receiving the pre-master secret, decrypts it by using the server’s private key and generates the session keys. The client also generates the session keys from the pre-master secret. Thus both client and server now have a common session key, which is used for encryption and decryption of application data.

I understand that SSL is a CPU-intensive process. What is the CPU cost associated with the SSL process?

The following two stages are associated with the SSL process:

  • The initial handshake and secure channel setup by using the public and private key technology.

  • Bulk data encryption by using the asymmetric key technology.

Both of the preceding stages can affect server performance, and they require intensive CPU processing for the following reasons:

  1. The initial handshake involves public-private key cryptography, which is very CPU intensive because of large key sizes (1024-bit, 2048-bit, 4096-bit).

  2. Encryption/decryption of data is also computationally expensive, depending on the amount of data that needs to be encrypted or decrypted.

What are the various entities of an SSL configuration?

An SSL configuration has the following entities:

  • Server certificate
  • Certificate Authority (CA) certificate
  • Cipher suite that specifies the protocols for the following tasks:
    • Initial key exchange
    • Server and client authentication
    • Bulk encryption algorithm
    • Message authentication
  • Client authentication
  • CRL
  • SSL Certificate Key Generation Tool that enables you to create the following files:
    • Certificate request
    • Self-signed certificate
    • RSA and DSA keys
    • DH parameters

I want to use the SSL offloading feature of the Citrix ADC appliance. What are the various options for receiving an SSL certificate?

You must receive an SSL certificate before you can configure the SSL setup on the Citrix ADC appliance. You can use any of the following methods to receive an SSL certificate:

  • Request a certificate from an authorized CA.

  • Use the existing server certificate.

  • Create a certificate-key pair on the Citrix ADC appliance.

Note: This is a test certificate signed by the test Root-CA generated by the Citrix ADC appliance. Test certificates signed by this Root-CA are not accepted by browsers. The browser throws a warning message stating that the server’s certificate cannot be authenticated.

  • For anything other than test purposes, you must provide a valid CA certificate and CA key to sign the server certificate.

What are the minimum requirements for an SSL setup?

The minimum requirements for configuring an SSL setup are as follows:

  • Obtain the certificates and keys.
  • Create a load balancing SSL virtual server.
  • Bind HTTP or SSL services to the SSL virtual server.
  • Bind certificate-key pair to the SSL virtual server.

What are the limits for the various components of SSL?

SSL components have the following limits:

  • Bit size of SSL certificates: 4096.
  • Number of SSL certificates: Depends on the available memory on the appliance.
  • Maximum linked intermediate CA SSL certificates: 9 per chain.
  • CRL revocations: Depends on the available memory on the appliance.

What are the various steps involved in the end-to-end data encryption on a Citrix ADC appliance?

The steps involved in the server-side encryption process on a Citrix ADC appliance are as follows:

  1. The client connects to the SSL VIP configured on the Citrix ADC appliance at the secure site.

  2. After receiving the secure request, the appliance decrypts the request, applies layer 4-7 content switching techniques and load balancing policies, and selects the best available backend Web server for the request.

  3. The Citrix ADC appliance creates an SSL session with the selected server.

  4. After establishing the SSL session, the appliance encrypts the client request and sends it to the Web server by using the secure SSL session.

  5. When the appliance receives the encrypted response from the server, it decrypts and re-encrypts the data, and sends the data to the client by using the client side SSL session.

The multiplexing technique of the Citrix ADC appliance enables the appliance to reuse SSL sessions that have been established with the Web servers. Therefore, the appliance avoids the CPU intensive key exchange, known as full handshake. This process reduces the overall number of SSL sessions on the server and maintains end-to-end security.

Certificates and Keys

You can store the certificate and key files on the Citrix ADC appliance or a local computer. However, Citrix recommends that you store the certificate and key files in the /nsconfig/ssl directory of the Citrix ADC appliance. The /etc directory exists in the flash memory of the Citrix ADC appliance. This provides portability and facilitates backup and restoration of the certificate files on the appliance.

Note: Make sure that the certificate and the key files are stored in the same directory.

What is the maximum size of the certificate key supported on the Citrix ADC appliance?

A Citrix ADC appliance running a software release earlier than release 9.0 supports a maximum certificate key size of 2048 bits. Release 9.0 and later support a maximum certificate key size of 4096 bits. This limit is applicable to both RSA and DSA certificates.

An MPX appliance supports certificates from 512-bits up to the following sizes:

  • 4096-bit server certificate on the virtual server

  • 4096-bit client certificate on the service

  • 4096-bit CA certificate (includes intermediate and root certificates)

  • 4096-bit certificate on the back end server

  • 4096-bit client certificate (if client authentication is enabled on the virtual server)

A virtual appliance supports certificates from 512-bits up to the following sizes:

  • 4096-bit server certificate on the virtual server

  • 4096-bit client certificate on the service

  • 4096-bit CA certificate (includes intermediate and root certificates)

  • 4096-bit certificate on the back end server from release 12.0-56.x. Older releases support 2048-bit certificates.

  • 2048-bit client certificate (if client authentication is enabled on the virtual server) from release 12.0-56.x.

What is the maximum size of the DH parameter supported on the Citrix ADC appliance?

The Citrix ADC appliance supports a DH parameter of maximum 2048 bits.

What is the maximum certificate-chain length, that is, the maximum number of certificates in a chain, supported on a Citrix ADC appliance?

A Citrix ADC appliance can send a maximum of 10 certificates in a chain when sending a server certificate message. A chain of the maximum length includes the server certificate and nine intermediate CA certificates.

What are the various certificate and key formats supported on the Citrix ADC appliance?

The Citrix ADC appliance supports the following certificate and key formats:

  • Privacy Enhanced Mail (PEM)
  • Distinguished Encoding Rule (DER)

Is there a limit for the number of certificates and keys that I can install on the Citrix ADC appliance?

No. The number of certificates and keys that can be installed is limited only by the available memory on the Citrix ADC appliance.

I have saved the certificate and key files on the local computer. I want to transfer these files to the Citrix ADC appliance by using the FTP protocol. Is there any preferred mode for transferring these files to the Citrix ADC appliance?

Yes. If using the FTP protocol, you should use binary mode to transfer the certificate and key files to the Citrix ADC appliance.

Note: By default, FTP is disabled. Citrix recommends using the SCP protocol for transferring certificate and key files. The configuration utility implicitly uses SCP to connect to the appliance.

What is the default directory path for the certificate and key?

The default directory path for the certificate and key is ‘/nsconfig/ssl’.

When adding a certificate and key pair, what happens if I do not specify an absolute path to the certificate and key files?

When adding a certificate and key pair, if you do not specify an absolute path to the certificate and key files, the Citrix ADC appliance searches the default directory, /nsconfig/ssl, for the specified files and attempts to load them to the kernel. For example, if the cert1024.pem and rsa1024.pem files are available in the /nsconfig/ssl directory of the appliance, both of the following commands are successful:

add ssl certKey cert1 -cert cert1024.pem -key rsa1024.pem
add ssl certKey cert1 -cert /nsconfig/ssl/cert1024.pem -key /nsconfig/ssl/rsa1024.pem

I have configured a high availability setup. I want to implement the SSL feature on the setup. How should I handle the certificate and key files in a high availability setup?

In a high availability setup, you must store the certificate and key files on both the primary and the secondary Citrix ADC appliance. The directory path for the certificate and key files must be the same on both appliances before you add an SSL certificate-key pair on the primary appliance.

Thales nShield® HSM

When integrating with Thales nShield® HSM, do we have to keep in mind any specific configuration when adding the Citrix ADC appliance to HA?

You must configure the same Thales device(s) on both the nodes in HA. Thales configuration commands don’t synchronize in HA. For information about the prerequisites for Thales nShield® HSM, see Prerequisites.

Do we have to individually integrate both the appliances with Thales nShield® HSM and RFS? Do we need to do this before or after the HA setup?

You can complete the integration before or after the HA setup. However, if the integration is done after the HA setup, the keys imported on the primary node prior to configuring the secondary node are not synced to the secondary node. Therefore, Citrix recommends Thales integration before the HA setup.

Do we have to import the key into both the primary and secondary Citrix ADC appliances, or are the keys synchronized from the primary node to the secondary node?

If Thales is integrated on both devices before forming the HA, the keys are automatically synchronized from RFS in the process of integration.

Given that the HSM is not on the Citrix ADC appliance, but on Thales, what happens to the keys and certificates when a node fails and is replaced?

If a node fails, it is possible to synchronize the keys and certificates to the new node, by first integrating Thales on the new node and then running the following commands:

sync ha files ssl
force ha sync

The certificates are synchronized and added if the keys are synchronized in the process of integrating Thales.

Ciphers

What is a NULL-Cipher?

Ciphers with no encryption are known as NULL-Ciphers. For example, NULL-MD5 is a NULL-Cipher.

Are the NULL-Ciphers enabled by default for an SSL VIP or an SSL service?

No. NULL-Ciphers are not enabled by default for an SSL VIP or an SSL service.

What is the procedure to remove NULL-Ciphers?

To remove the NULL-Ciphers from an SSL VIP, run the following command:

bind ssl cipher <SSL_VIP> REM NULL

To remove the NULL-Ciphers from an SSL Service, run the following command:

bind ssl cipher <SSL_Service> REM NULL -service

What are the various cipher aliases supported on the Citrix ADC appliance?

To list the cipher aliases supported on the appliance, at the command prompt, type:

sh cipher

What is the command to display all the predefined ciphers of the Citrix ADC appliance?

To display all the predefined ciphers of the Citrix ADC appliance, at the CLI, type:

show ssl cipher

What is the command to display the details of an individual cipher of the Citrix ADC appliance?

To display the details of an individual cipher of the Citrix ADC appliance, at the CLI, type:

show ssl cipher <Cipher_Name/Cipher_Alias_Name/Cipher_Group_Name>

Example:

show cipher SSL3-RC4-SHA
     1) Cipher Name: SSL3-RC4-SHA
        Description: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
     Done

What is the significance of adding the predefined ciphers of the Citrix ADC appliance?

Adding the predefined ciphers of the Citrix ADC appliance causes the NULL-Ciphers to get added to an SSL VIP or an SSL service.

Certificates

Is the distinguished name in a client certificate available for the length of the user session?

Yes. You can access the distinguished name of the client certificate in subsequent requests during the length of the user session, that is even after the SSL handshake is complete and the certificate is not sent again by the browser. To do this, use a variable and an assignment as detailed in the following sample configuration:

Example:

add ns variable v2 -type "text(100)"
add ns assignment a1 -variable "$v2" -set "CLIENT.SSL.CLIENT_CERT.SUBJECT.TYPECAST_NVLIST_T('=','/').VALUE(\"CN\")"
add rewrite action act1 insert_http_header subject "$v2"
add rewrite policy pol1 true a1
add rewrite policy pol2 true act1
bind rewrite global pol1 1 next -type RES_DEFAULT
bind rewrite global pol2 2 next -type RES_DEFAULT
set rewrite param -undefAction RESET

The rewrite action act1 inserts the value stored in the variable $v2 (in this example, the distinguished name taken from the client certificate) into a header named subject.

Why do I need to bind the server certificate?

Binding the server certificates is the basic requirement for enabling the SSL configuration to process SSL transactions.

To bind the server certificate to an SSL VIP, at the CLI, type:

bind ssl vserver <vServerName> -certkeyName <cert_name>

To bind the server certificate to an SSL service, at the CLI, type:

bind ssl service <serviceName> -certkeyName <cert_name>

How many certificates can I bind to an SSL VIP or an SSL service?

On a Citrix ADC virtual appliance, you can bind a maximum of three certificates to an SSL VIP or an SSL service, one each of type RSA, ECDSA, and DSA. On a Citrix ADC MPX (N2) or MPX-FIPS appliance, if SNI is enabled, you can bind multiple server certificates of type RSA. If SNI is disabled, you can bind a maximum of one certificate of type RSA. On a Citrix ADC MPX (N3) and Citrix ADC MPX/SDX FIPS appliance, you can bind a maximum of two certificates to an SSL VIP or an SSL service, one each of type RSA and type ECDSA.

Note: DSA certificates are not supported on MPX or MPX-FIPS platforms.

Does SNI support Subject Alternative Name (SAN) certificates?

No. On a Citrix ADC appliance, SNI is not supported with a SAN extension certificate.

What happens if I unbind or overwrite a server certificate?

When you unbind or overwrite a server certificate, all the connections and SSL sessions created by using the existing certificate are terminated. When you overwrite an existing certificate, the following message appears:

ERROR:

Warning: Current certificate replaces the previous binding.

See the article at http://support.citrix.com/article/ctx114146 for information about installing an intermediate certificate.

Why am I getting a “resource already exists” error when I try to install a certificate on the Citrix ADC?

See the article at http://support.citrix.com/article/CTX117284 for instructions for resolving the “resource already exists” error.

I want to create a server certificate on a Citrix ADC appliance to test and evaluate the product. What is the procedure to create a server certificate?

Perform the following procedure to create a test certificate.

Note: A certificate created with this procedure cannot be used to authenticate all the users and browsers. After using the certificate for testing, you should obtain a server certificate signed by an authorized Root CA.

To create a self-signed server certificate:

  1. To create a Root CA certificate, at the CLI, type:

    create ssl rsakey /nsconfig/ssl/test-ca.key 1024
    create ssl certreq /nsconfig/ssl/test-ca.csr -keyfile /nsconfig/ssl/test-ca.key

    Enter the required information when prompted, and then type the following command:

    create ssl cert /nsconfig/ssl/test-ca.cer /nsconfig/ssl/test-ca.csr ROOT_CERT -keyfile /nsconfig/ssl/test-ca.key
    
  2. Perform the following procedure to create a server certificate and sign it with the root CA certificate that you just created.

    1. To create the request and the key, at the CLI, type:

      create ssl rsakey /nsconfig/ssl/test-server.key 1024
      create ssl certreq /nsconfig/ssl/test-server.csr -keyfile /nsconfig/ssl/test-server.key
      
    2. Enter the required information when prompted.

    3. To create a serial-number file, at the CLI, type:

      shell
      # echo '01' > /nsconfig/ssl/serial.txt
      # exit
      
    4. To create a server certificate signed by the root CA certificate created in step 1, at the CLI, type:

      create ssl cert /nsconfig/ssl/test-server.cer /nsconfig/ssl/test-server.csr SRVR_CERT -CAcert /nsconfig/ssl/test-ca.cer -CAkey /nsconfig/ssl/test-ca.key -CAserial /nsconfig/ssl/serial.txt
      
    5. To create a Citrix ADC certkey, which is the in-memory object that holds the server certificate information for SSL handshakes and bulk encryption, at the CLI, type:

      add ssl certkey test-certkey -cert /nsconfig/ssl/test-server.cer -key /nsconfig/ssl/test-server.key
      
    6. To bind the certkey object to the SSL virtual server, at the CLI, type:

      bind ssl vserver <vServerName> -certkeyName <cert_name>
      

I have received a Citrix ADC appliance on which NetScaler software release 9.0 is installed. I have noticed an additional license file on the appliance. Is there any change in the licensing policy starting with NetScaler software release 9.0?

Yes. Starting with Citrix NetScaler software release 9.0, the appliance might not have a single license file. The number of license files depends on the Citrix ADC software release edition. For example, if you have installed the Advanced edition, you might need additional license files for the full functionality of the various features. However, if you have installed the Premium edition, the appliance has only one license file.

How do I export the certificate from Internet Information Service (IIS)?

There are many ways to do this, but by using the following method the appropriate certificate and private key for the Web site are exported. This procedure must be performed on the actual IIS server.

  1. Open the Internet Information Services (IIS) Manager administration tool.

  2. Expand the Web Sites node and locate the SSL-enabled Web site that you want to serve through the Citrix ADC appliance.

  3. Right-click this Web site and click Properties.

  4. Click the Directory Security tab and, in the Secure Communications section of the window, select the View Certificate box.

  5. Click the Details tab, and then click Copy to File.

  6. On the Welcome to the Certificate Export Wizard page, click Next.

  7. Select Yes, export the private key and click Next.

    Note: The private key MUST be exported for SSL Offload to work on the Citrix ADC.

  8. Make sure that the Personal Information Exchange -PKCS #12 radio button is selected, and select only the Include all certificates in the certification path if possible check box. Click Next.

  9. Enter a password and click Next.

  10. Enter a file name and location, and then click Next. Give the file an extension of .PFX.

  11. Click Finish.

How do I convert the PKCS#12 certificate and install it on the Citrix ADC?

  1. Move the exported .PFX certificate file to a location from where it may be copied to the Citrix ADC (that is, to a machine that permits SSH access to the management interface of a Citrix ADC appliance). Copy the certificate to the appliance by using a secure copy utility such as SCP.

  2. Access the BSD shell and convert the certificate (for example, cert.PFX) to .PEM format:

    root@ns# openssl pkcs12 -in cert.PFX -out cert.PEM
    
  3. To make sure that the converted certificate is in correct x509 format, verify that the following command produces no error:

    root@ns# openssl x509 -in cert.PEM -text
    
  4. Verify that the certificate file contains a private key. Begin by issuing the following command:

    root@ns# cat cert.PEM
    
    Verify that the output file includes an RSA PRIVATE KEY section.
    
    -----BEGIN RSA PRIVATE KEY-----
    Mkm^s9KMs9023pz/s...
    -----END RSA PRIVATE KEY-----
    

    The following is another example of an RSA PRIVATE KEY section:

        Bag Attributes
        1.3.6.1.4.1.311.17.2: <No Values>
        localKeyID: 01 00 00 00
        Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
        friendlyName: 4b9cef4cc8c9b849ff5c662fd3e0ef7e_76267e3e-6183-4d45-886e-6e067297b38f

        Key Attributes
        X509v3 Key Usage: 10
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,43E7ACA5F4423968
        pZJ2SfsSVqMbRRf6ug37Clua5gY0Wld4frPIxFXyJquUHr31dilW5ta3hbIaQ+Rg
        ... (more random characters)
        v8dMugeRplkaH2Uwt/mWBk4t71Yv7GeHmcmjafK8H8iW80ooPO3D/ENV8X4U/tlh
        5eU6ky3WYZ1BTy6thxxLlwAullynVXZEflNLxq1oX+ZYl6djgjE3qg==
        -----END RSA PRIVATE KEY-----
    

    The following is a SERVER CERTIFICATE section:

        Bag Attributes
        localKeyID: 01 00 00 00
        friendlyName: AG Certificate
        subject=/C=AU/ST=NSW/L=Wanniassa/O=Dave Mother Asiapacific/OU=Support/CN=davemother.food.lan
        issuer=/DC=lan/DC=food/CN=hotdog
        -----BEGIN CERTIFICATE-----
        MIIFiTCCBHGgAwIBAgIKCGryDgAAAAAAHzANBgkqhkiG9w0BAQUFADA8MRMwEQYK
        ... (more random characters)
        5pLDWYVHhLkA1pSxvFjNJHRSIydWHc5ltGyKqIUcBezVaXyel94pNSUYx07NpPV/
        MY2ovQyQZM8gGe3+lGFum0VHbv/y/gB9HhFesog=
        -----END CERTIFICATE-----
    

    The following is an INTERMEDIATE CA CERTIFICATE section:

        Bag Attributes: <Empty Attributes>
        subject=/DC=lan/DC=food/CN=hotdog
        issuer=/DC=lan/DC=food/CN=hotdog
        -----BEGIN CERTIFICATE-----
        MIIESDCCAzCgAwIBAgIQah20fCRYTY9LRXYMIRaKGjANBgkqhkiG9w0BAQUFADA8
        ... (more random characters)
        Nt0nksawDnbKo86rQcNnY5xUs7c7pj2zxj/IOsgNHUp5W6dDI9pQoqFFaDk=
        -----END CERTIFICATE-----
    

    Further Intermediate CA certificates may follow, depending on the certification path of the exported certificate.

  5. Open the .PEM file in a text editor.

  6. Locate the first line of the .PEM file and the first instance of the following line, and copy those two lines and all the lines between them:

    -----END CERTIFICATE-----

    Note: Make sure that the last copied line is the first -----END CERTIFICATE----- line in the .PEM file.

  7. Paste the copied lines into a new file. Call the new file something intuitive, such as cert-key.pem. This is the certificate-key pair for the server hosting the HTTPS service. This file should contain both the section labeled RSA PRIVATE KEY and the section labeled SERVER CERTIFICATE in the example above.

    Note: The certificate-key pair file contains the private key and must therefore be kept secure.

  8. Locate any subsequent sections beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and copy each such section to a separate new file.

    These sections correspond to certificates of trusted CAs that have been included in the certification path. Copy and paste each section into a new, separate file. For example, the INTERMEDIATE CA CERTIFICATE section of the example above should be copied and pasted into a new file.

    For multiple intermediate CA certificates in the original file, create new files for each intermediate CA certificate in the order in which they appear in the file. Keep track (using appropriate filenames) of the order in which the certificates appear, as they need to be linked together in the correct order in a later step.

  9. Copy the certificate-key file (cert-key.pem) and any additional CA certificate files into the /nsconfig/ssl directory on the Citrix ADC appliance.

  10. Exit the BSD shell and access the Citrix ADC prompt.

  11. Follow the steps in “Install the certificate-key files on the appliance” to install the key/certificate once uploaded on the device.

How do I convert the PKCS#7 certificate and install it on the Citrix ADC appliance?

You can use OpenSSL to convert a PKCS #7 Certificate to a format recognizable by the Citrix ADC appliance. The procedure is identical to the procedure for PKCS #12 certificates, except that you invoke OpenSSL with different parameters. The steps for converting PKCS #7 certificates are as follows:

  1. Copy the certificate to the appliance by using a secure copy utility, such as SCP.

  2. Convert the certificate (for example, cert.P7B ) to PEM format:

    openssl pkcs7 -inform DER -in cert.p7b -print_certs -text -out cert.pem
    
  3. Follow steps 3 through 7 as described in the answer for PKCS #12 certificates.

    Note: Before loading the converted PKCS #7 certificate to the appliance, be sure to verify that it contains a private key, exactly as described in step 3 for the PKCS #12 procedure. PKCS #7 certificates, particularly those exported from IIS, do not typically contain a private key.
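The two procedures above (splitting a PKCS #12 export into a certificate-key file plus one file per CA certificate, and checking a PKCS #7 export for a private key before loading it) done programmatically, as an added Python example that is not part of the Citrix documentation. It keeps CA certificates in their order of appearance, rejects a bundle with no PRIVATE KEY section, and flags a chain with more than the nine intermediate certificates the FAQ says the appliance can send. The bundle text and its base64 bodies are constructed placeholders, not real key or certificate material.

```python
import re
from typing import Dict, List, Tuple

# One PEM section, header to footer inclusive. The "Bag Attributes", "subject="
# and "Key Attributes" lines that openssl pkcs12 writes between sections fall
# outside the match and are dropped, as in the manual copy-and-paste procedure.
PEM_SECTION = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Limit quoted in the FAQ: at most 10 certificates in the chain the appliance
# sends, i.e. the server certificate plus 9 intermediate CA certificates.
MAX_INTERMEDIATES = 9


def pem_sections(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) for every PEM section, in file order."""
    return [(m.group("label"), m.group(0) + "\n") for m in PEM_SECTION.finditer(text)]


def bundle_problems(sections: List[Tuple[str, str]]) -> List[str]:
    """The checks the FAQ asks you to make by eye before uploading the files."""
    problems = []
    keys = [b for lbl, b in sections if lbl.endswith("PRIVATE KEY")]
    certs = [b for lbl, b in sections if lbl == "CERTIFICATE"]
    if not keys:
        # Typical for a PKCS#7 export: SSL offload cannot work without the key.
        problems.append("no PRIVATE KEY section found")
    if len(keys) > 1:
        problems.append(f"{len(keys)} PRIVATE KEY sections found, expected 1")
    if not certs:
        problems.append("no CERTIFICATE section found")
    if len(certs) - 1 > MAX_INTERMEDIATES:
        problems.append(
            f"{len(certs) - 1} CA certificates follow the server certificate; "
            f"the appliance sends at most {MAX_INTERMEDIATES}"
        )
    return problems


def split_bundle(text: str) -> Dict[str, str]:
    """Map file name -> content, mirroring the FAQ's manual procedure:
    cert-key.pem holds the private key plus the first (server) certificate;
    ca-1.pem, ca-2.pem, ... hold each later certificate in order of appearance,
    so the chain can be linked in the right order afterwards."""
    sections = pem_sections(text)
    problems = bundle_problems(sections)
    if problems:
        raise ValueError("; ".join(problems))
    key = next(b for lbl, b in sections if lbl.endswith("PRIVATE KEY"))
    certs = [b for lbl, b in sections if lbl == "CERTIFICATE"]
    files = {"cert-key.pem": key + certs[0]}
    for i, block in enumerate(certs[1:], start=1):
        files[f"ca-{i}.pem"] = block
    return files


# Constructed sample in the shape of `openssl pkcs12 -out cert.PEM` output.
# The base64 bodies are placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: Example Certificate
subject=/C=XX/O=Example/CN=www.example.test
issuer=/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRiBDRVJU
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/O=Example/CN=Example Issuing CA
issuer=/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRF
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, content in split_bundle(SAMPLE_BUNDLE).items():
        print(f"== {name} ==\n{content}")
```

Write the returned contents out with owner-only permissions before copying them to /nsconfig/ssl, since cert-key.pem contains the private key.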

When I bind a cipher to a virtual server or service by using the bind cipher command, I see the error message “Command deprecated.” Why?

The command for binding a cipher to a virtual server or service has changed.

Use the bind ssl vserver <vServerName> -ciphername <ciphername> command to bind an SSL cipher to an SSL virtual server.

Use the bind ssl service <serviceName> -ciphername <ciphername> command to bind an SSL cipher to an SSL service.

Note: New ciphers and cipher groups are added to the existing list and not replaced.

Why can’t I create a new cipher group and bind ciphers to it by using the add cipher command?

The add cipher command functionality has changed in release 10. The command only creates a cipher group. To add ciphers to the group, use the bind cipher command.

OpenSSL

How do I use OpenSSL to convert certificates between PEM and DER?

To use OpenSSL, you must have a working installation of the OpenSSL software and be able to execute the openssl command from the command line.

x509 certificates and RSA keys can be stored in a number of different formats.

Two common formats are DER (a binary format used primarily by Java and Macintosh platforms) and PEM (a base64 representation of DER with header and footer information, which is used primarily by UNIX and Linux platforms). There is also an obsolete NET (Netscape server) format that was used by earlier versions of IIS (up to and including 4.0) and various other less common formats that are not covered in this article.

A key and the corresponding certificate, as well as the root and any intermediate certificates, can also be stored in a single PKCS#12 (.P12, .PFX) file.

Procedure

Use the openssl command-line tool to convert between formats as follows:

  1. To convert a certificate from PEM to DER:

    openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

  2. To convert a certificate from DER to PEM:

    openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

  3. To convert a key from PEM to DER:

    openssl rsa -in input.key -inform PEM -out output.key -outform DER

  4. To convert a key from DER to PEM:

    openssl rsa -in input.key -inform DER -out output.key -outform PEM
    

    Note: If the key you are importing is encrypted with a supported symmetric cipher, you are prompted to enter the pass-phrase.

    Note: To convert a key to or from the obsolete NET (Netscape server) format, substitute NET for PEM or DER as appropriate. The stored key is encrypted in a weak unsalted RC4 symmetric cipher, so a pass-phrase will be requested. A blank pass-phrase is acceptable.
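What the conversions above do at the byte level, as an added Python example that is not part of the Citrix documentation: PEM is the base64 of the DER bytes between BEGIN/END lines, so each direction is one decode or encode, and a cheap check of the outer SEQUENCE length catches a DER file that was truncated or mangled by an ASCII-mode transfer. The DER input is a constructed ASN.1 structure rather than a real certificate, so the block runs without any key material.

```python
import base64
import re
from typing import Tuple

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def detect_format(data: bytes) -> str:
    """PEM is text with BEGIN/END armour; DER certificates and keys start with
    the ASN.1 SEQUENCE tag 0x30. Anything else is reported as unknown."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Strip the armour and base64-decode the body; returns (label, der)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM section found")
    # RFC 1421 headers such as "Proc-Type:" / "DEK-Info:" precede the base64 of
    # an encrypted key; base64 never contains ':' so they are easy to skip.
    lines = [ln.strip() for ln in m.group("body").splitlines()]
    b64 = "".join(ln for ln in lines if ln and ":" not in ln)
    return m.group("label"), base64.b64decode(b64, validate=True)


def der_to_pem(der: bytes, label: str) -> str:
    """Base64 the DER and wrap at 64 columns between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def der_outer_length_ok(der: bytes) -> bool:
    """Structural sanity check: the outer SEQUENCE's encoded length must cover
    exactly the rest of the data. Truncated or text-mode-corrupted DER fails."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


# --- constructed sample DER, so the block runs without a real certificate ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_sequence(*parts: bytes) -> bytes:
    content = b"".join(parts)
    return b"\x30" + _der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + _der_len(len(raw)) + raw


# Short-form length: SEQUENCE { INTEGER 1, INTEGER 2 } = 30 06 02 01 01 02 01 02
SAMPLE_SHORT = der_sequence(der_integer(1), der_integer(2))
# Long-form length: SEQUENCE holding one 197-byte OCTET STRING (200 bytes of content)
SAMPLE_LONG = der_sequence(b"\x04\x81\xc5" + b"A" * 197)


def round_trip(der: bytes, label: str = "CERTIFICATE") -> bool:
    """DER -> PEM -> DER must reproduce the original bytes exactly."""
    return pem_to_der(der_to_pem(der, label))[1] == der
```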

System Limits

What are the important numbers to remember?

  1. Create Certificate Request:

    • Request File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • PEM Passphrase (For Encrypted Key): Maximum 31 characters
    • Common Name: Maximum 63 characters
    • City: Maximum 127 characters
    • Organization Name: Maximum 63 characters
    • State/Province Name: Maximum 63 characters
    • Email Address: Maximum 39 Characters
    • Organization Unit: Maximum 63 characters
    • Challenge Password: Maximum 20 characters
    • Company Name: Maximum 127 characters
  2. Create Certificate:

    • Certificate File Name: Maximum 63 characters
    • Certificate Request File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • PEM Passphrase: Maximum 31 characters
    • Validity Period: Maximum 3650 days
    • CA Certificate File Name: Maximum 63 characters
    • CA Key File Name: Maximum 63 characters
    • PEM Passphrase: Maximum 31 characters
    • CA Serial Number File: Maximum 63 characters
  3. Create and Install a Server Test Certificate:

    • Certificate File Name: Maximum 31 characters
    • Fully Qualified Domain Name: Maximum 63 characters
  4. Create Diffie-Hellman (DH) key:
    • DH Filename (with path): Maximum 63 characters
    • DH Parameter Size: Maximum 2048 bits
  5. Import PKCS12 key:

    • Output File Name: Maximum 63 characters
    • PKCS12 File Name: Maximum 63 characters
    • Import Password: Maximum 31 characters
    • PEM Passphrase: Maximum 31 characters
    • Verify PEM Passphrase: Maximum 31 characters
  6. Export PKCS12
    • PKCS12 File Name: Maximum 63 characters
    • Certificate File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • Export Password: Maximum 31 characters
    • PEM Passphrase: Maximum 31 characters
  7. CRL Management:
    • CA Certificate File Name: Maximum 63 characters
    • CA Key File Name: Maximum 63 characters
    • CA Key File Password: Maximum 31 characters
    • Index File Name: Maximum 63 characters
    • Certificate File Name: Maximum 63 characters
  8. Create RSA Key:
    • Key Filename: Maximum 63 characters
    • Key Size: Maximum 4096 bits
    • PEM Passphrase: Maximum 31 characters
    • Verify Passphrase: Maximum 31 characters
  9. Create DSA Key:
    • Key Filename: Maximum 63 characters
    • Key Size: Maximum 4096 bits
    • PEM Passphrase: Maximum 31 characters
    • Verify Passphrase: Maximum 31 characters
  10. Change advanced SSL settings:
    • Maximum CRL memory size: Maximum 1024 Mbytes
    • Encryption trigger timeout (10 mS ticks): Maximum 200
    • Encryption trigger packet count: Maximum 50
    • OCSP cache size: Maximum 512 Mbytes
  11. Install Certificate:
    • Certificate-Key pair Name: Maximum 31 characters
    • Certificate File Name: Maximum 63 characters
    • Private Key File Name: Maximum 63 characters
    • Password: Maximum 31 characters
    • Notification Period: Maximum 100
  12. Create Cipher Group:
    • Cipher Group Name: Maximum 39 characters
  13. Create CRL:
    • CRL Name: Maximum 31 characters
    • CRL File: Maximum 63 characters
    • URL: Maximum 127 characters
    • Base DN: Maximum 127 characters
    • Bind DN: Maximum 127 characters
    • Password: Maximum 31 characters
    • Day(s): Maximum 31
  14. Create SSL Policy:
    • Name: Maximum 127 characters
  15. Create SSL Action:
    • Name: Maximum 127 characters
  16. Create OCSP Responder:
    • Name: Maximum 32 characters
    • URL: Maximum 128 characters
    • Batching Depth: Maximum 8
    • Batching Delay: Maximum 10000
    • Produced At Time Skew: Maximum 86400
    • Request Time-out: Maximum 120000
  17. Create Virtual Server:
    • Name: Maximum 127 characters
    • Redirect URL: Maximum 127 characters
    • Client Time-out: Maximum 31536000 secs
  18. Create Service:
    • Name: Maximum 127 characters
    • Idle Time-out (secs): Client: Maximum 31536000 Server: Maximum 31536000
  19. Create Service Group:
    • Service Group Name: Maximum 127 characters
    • Server ID: Maximum 4294967295
    • Idle Time-out (secs): Client: Maximum value 31536000 Server: Maximum 31536000
  20. Create Monitor:
    • Name: Maximum 31 characters
  21. Create Server:
    • Server Name: Maximum 127 characters
    • Domain Name: Maximum 255 characters
    • Resolve Retry: Maximum 20939 secs