Create and Use SSL Certificates on a Citrix ADC Appliance

Perform the following steps to create a certificate and bind it to an SSL virtual server.

  • Create a private key.
  • Create a certificate signing request (CSR).
  • Submit the CSR to a CA.
  • Create a certificate-key pair.
  • Bind the certificate-key pair to an SSL virtual server.

The following diagram illustrates the end-to-end flow.

End to end flow

Create a private key

The private key is the most important part of a digital certificate. By definition, this key is not to be shared with anyone and should be kept securely on the Citrix ADC appliance. Any data encrypted with the public key can be decrypted only by using the private key.

The certificate that you receive from the CA is valid only with the private key that was used to create the CSR. The key is required for adding the certificate to the Citrix ADC appliance.

Important:

Be sure to limit access to your private key. Anyone who has access to your private key can decrypt your SSL data.

Note:

The maximum allowed length of the SSL key name includes the length of the absolute path, if the path is included in the key name.

Create an RSA private key by using the CLI

At the command prompt, type:

create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (DER | PEM )] [-des | -des3 | -aes256] {-password } [-pkcs8]

Example:

create ssl rsakey RSA_Key 2048 -aes256 -password 123456 -pkcs8

Create an RSA private key by using the GUI

  1. Navigate to Traffic Management > SSL.

  2. In the SSL Keys group, select Create RSA Key.

    Create RSA Key

  3. Enter values for the following parameters and click Create.

    • Key Filename - Name for and, optionally, path to the RSA key file. /nsconfig/ssl/ is the default path.
    • Key Size - Size, in bits, of the RSA key. Can range from 512 bits to 4096 bits.
    • Public Exponent Value - Public exponent for the RSA key. The exponent is part of the cipher algorithm and is required for creating the RSA key.
    • Key Format - Format in which the RSA key file is stored on the appliance.
    • PEM Encoding Algorithm - Encrypt the generated RSA key by using the AES 256, DES, or Triple-DES (DES3) algorithm.
    • PEM Passphrase - Optionally enter a pass phrase for the key.

    Enter values

Create a certificate signing request

Use the private key to create a certificate signing request and submit it to a CA.

Create a certificate signing request by using the CLI

At the command prompt, type:

create ssl certreq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-keyForm (DER | PEM) {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName <string> -organizationUnitName <string> -localityName <string> -commonName <string> -emailAddress <string> {-challengePassword } -companyName <string> -digestMethod ( SHA1 | SHA256 )

Example:

create ssl certreq priv_csr_sha256 -keyfile priv_2048_2 -keyform PEM -countryName IN -stateName Karnataka -localityName Bangalore -organizationName Citrix -organizationUnitName NS -digestMethod SHA256

Create a certificate signing request by using the GUI

  1. Navigate to Traffic Management > SSL.
  2. In SSL Certificate, click Create Certificate Signing Request (CSR).

    Create Certificate Signing Request

  3. Enter values for the following parameters, and click Create.

    • Request Filename - Name for and, optionally, path to the certificate signing request (CSR). /nsconfig/ssl/ is the default path.

    • Key Filename - Name of and, optionally, path to the private key used to create the certificate signing request, which then becomes part of the certificate-key pair. The private key can be either an RSA or a DSA key. The key must be present in the appliance’s local storage. /nsconfig/ssl is the default path.

    • Common Name

    • Organization Name

    • State

    • Country

    Enter values for CSR

Submit the CSR to the Certificate Authority

Most certificate authorities (CAs) accept certificate submissions by email. The CA returns a valid certificate to the email address from which you submitted the CSR.

Add a certificate-key pair

Install the signed certificate received from the CA.

Note: Certificates and keys are stored in the /nsconfig/ssl directory by default. If your certificates or keys are stored in any other location, you must provide the absolute path to the files on the Citrix ADC appliance.

Add a certificate-key pair by using the CLI

add ssl certKey <certkeyName> -cert <string> [(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )] [<passplain>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]

show ssl certKey [<certkeyName>]

Example:

add ssl certKey rsa_certkeypair -cert server_cert.pem -key RSA_Key.pem -password ssl -expiryMonitor ENABLED -notificationPeriod 30
 Done
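The certificate returned by the CA is only usable with the private key that produced the CSR, and the expiry monitor in the example above warns 30 days before expiry. The following Go program is an added example, not Citrix code and not part of this page: it performs that pre-install check off-box before the certificate and key are copied to /nsconfig/ssl. It assumes the key is an unencrypted PKCS#8 RSA key (the -pkcs8 form, without the -aes256 passphrase), and it builds a constructed self-signed certificate purely as stand-in test data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckPair is the pre-install check for "add ssl certKey": the certificate must carry the
// public key of the private key that produced the CSR, and it must stay valid for longer
// than notifyDays (the -notificationPeriod of the expiry monitor in the page's example).
func CheckPair(certPEM, keyPEM []byte, notifyDays int) error {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	if cb == nil || kb == nil {
		return fmt.Errorf("certificate or key is not PEM")
	}
	cert, errC := x509.ParseCertificate(cb.Bytes)
	key, errK := x509.ParsePKCS8PrivateKey(kb.Bytes) // unencrypted PKCS#8 (assumption)
	if errC != nil || errK != nil {
		return fmt.Errorf("parse failed: cert=%v key=%v", errC, errK)
	}
	if rsaKey, ok := key.(*rsa.PrivateKey); !ok || !rsaKey.PublicKey.Equal(cert.PublicKey) {
		return fmt.Errorf("certificate was not issued for this private key")
	}
	if left := time.Until(cert.NotAfter); left < time.Duration(notifyDays)*24*time.Hour {
		return fmt.Errorf("certificate expires in %.0f days, inside the notification period", left.Hours()/24)
	}
	return nil
}

// SamplePair is constructed test data standing in for a CA-issued certificate: a 2048-bit
// key (as in "create ssl rsakey RSA_Key 2048") and a self-signed certificate valid for validDays.
func SamplePair(validDays int) (certPEM, keyPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"IN"}, Organization: []string{"Citrix"}, CommonName: "www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pk8, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pk8})
}
```

A key that was generated with -aes256 must be decrypted first (or the program extended to handle encrypted PKCS#8) before CheckPair can read it.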

Add a certificate-key pair by using the GUI

  1. Navigate to Traffic Management > SSL > Certificates > Server.

    Install Certificate

  2. Enter values for the following parameters and click Install.

    • Certificate-Key Pair Name - Name for the certificate and private-key pair.

    • Certificate File Name - Signed certificate received from the CA.

    • Key File Name - Name of and, optionally, path to the private-key file that is used to form the certificate-key pair.

    type values

Bind the certificate-key pair to an SSL virtual server

Important: Link any intermediate certificates to this certificate before binding the certificate to an SSL virtual server. For information about linking certificates, see Create a chain of certificates.

The certificate that is used for processing SSL transactions must be bound to the virtual server that receives the SSL data. If you have multiple virtual servers receiving SSL data, a valid certificate-key pair must be bound to each of them.

Bind an SSL certificate-key pair to a virtual server by using the CLI

At the command prompt, type the following commands to bind an SSL certificate-key pair to a virtual server and verify the configuration:

bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName> -CA -skipCAName
show ssl vserver <vServerName>

Example:

bind ssl vs vs1 -certkeyName cert2 -CA -skipCAName
 Done
sh ssl vs vs1

 Advanced SSL configuration for VServer vs1:
 DH: DISABLED
 Ephemeral RSA: ENABLED Refresh Count: 0
 Session Reuse: ENABLED Timeout: 120 seconds
 Cipher Redirect: DISABLED
 SSLv2 Redirect: DISABLED
 ClearText Port: 0
 Client Auth: DISABLED
 SSL Redirect: DISABLED
 Non FIPS Ciphers: DISABLED
 SNI: DISABLED
 OCSP Stapling: DISABLED
 HSTS: DISABLED
 IncludeSubDomains: NO
 HSTS Max-Age: 0
 SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
 Push Encryption Trigger: Always
 Send Close-Notify: YES
 Strict Sig-Digest Check: DISABLED
 ECC Curve: P_256, P_384, P_224, P_521

 1) CertKey Name: cert1 CA Certificate OCSPCheck: Optional CA_Name Sent
 2) CertKey Name: cert2 CA Certificate OCSPCheck: Optional CA_Name Skipped
 1) Cipher Name: DEFAULT
 Description: Default cipher list with encryption strength >= 128bit
 Done
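To verify the binding from a script rather than by eye, the following Go program, an added example that is not part of the Citrix documentation, parses the "sh ssl vs" output shown above (embedded as sample data copied from this page) and reports which certkeys are bound, whether each was bound as a CA certificate, and which legacy protocol versions are still enabled. The line formats it matches are assumed from the output shown here.

```go
package main

import (
	"regexp"
	"strings"
)

// VServerState is what an automation script wants from "show ssl vserver" output:
// each bound certkey (and whether it was bound as a CA certificate) and the enabled protocols.
type VServerState struct {
	CertKeys  map[string]bool // certkey name -> bound as CA certificate
	Protocols map[string]bool // e.g. "TLSv1.2" -> true when ENABLED
}

var (
	certRe  = regexp.MustCompile(`CertKey Name:\s*(\S+)(\s+CA Certificate)?`)
	protoRe = regexp.MustCompile(`(SSLv2|SSLv3|TLSv1\.[0-3]):\s*(ENABLED|DISABLED)`)
)

// ParseShowSSLVServer scans the raw CLI output line by line.
func ParseShowSSLVServer(out string) VServerState {
	st := VServerState{CertKeys: map[string]bool{}, Protocols: map[string]bool{}}
	for _, line := range strings.Split(out, "\n") {
		if m := certRe.FindStringSubmatch(line); m != nil {
			st.CertKeys[m[1]] = m[2] != ""
		}
		for _, m := range protoRe.FindAllStringSubmatch(line, -1) {
			st.Protocols[m[1]] = m[2] == "ENABLED"
		}
	}
	return st
}

// LegacyProtocols returns the enabled versions that an Internet-facing virtual server should not offer.
func (s VServerState) LegacyProtocols() []string {
	var legacy []string
	for _, p := range []string{"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"} {
		if s.Protocols[p] {
			legacy = append(legacy, p)
		}
	}
	return legacy
}

// sampleOutput is the page's own "sh ssl vs vs1" output, trimmed to the lines used here.
const sampleOutput = ` Advanced SSL configuration for VServer vs1:
 SSLv2: DISABLED SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: DISABLED  TLSv1.2: DISABLED
 1) CertKey Name: cert1 CA Certificate OCSPCheck: Optional CA_Name Sent
 2) CertKey Name: cert2 CA Certificate OCSPCheck: Optional CA_Name Skipped
 1) Cipher Name: DEFAULT`
```

For the page's output the parser reports both cert1 and cert2 bound as CA certificates and SSLv3 and TLSv1.0 as the enabled legacy versions.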

Bind an SSL certificate-key pair to a virtual server by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers and open an SSL virtual server. Click inside the Certificate section.

    Bind Certificate to Virtual Server

  2. Click the arrow to select the certificate-key pair.

    Click arrow to select certificate-key pair

  3. Select the certificate-key pair from the list.

    Select certificate-key pair

  4. Bind the certificate-key pair to the virtual server.

    Bind the certificate to the virtual server