-
Getting Started with Citrix NetScaler
-
Deploy a Citrix NetScaler VPX instance
-
Install a Citrix NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for Installing NetScaler VPX Virtual Appliances on Linux-KVM Platform
-
Provisioning the NetScaler Virtual Appliance by using OpenStack
-
Provisioning the NetScaler Virtual Appliance by using the Virtual Machine Manager
-
Configuring NetScaler Virtual Appliances to Use SR-IOV Network Interface
-
Configuring NetScaler Virtual Appliances to use PCI Passthrough Network Interface
-
Provisioning the NetScaler Virtual Appliance by using the virsh Program
-
-
Deploying NetScaler VPX Instances on AWS
-
Upgrade and downgrade a NetScaler appliance
-
-
-
-
-
-
Overriding Static Proximity Behavior by Configuring Preferred Locations
-
Example of a Complete Parent-Child Configuration Using the Metrics Exchange Protocol
-
Configuring Global Server Load Balancing for DNS Queries with NAPTR records
-
Using the EDNS0 Client Subnet Option for Global Server Load Balancing
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Use source IP address of the client when connecting to the server
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
-
-
Certificate revocation lists
-
Support for Gemalto SafeNet Network hardware security module
-
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
Thank you for the feedback
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已动态机器翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
This content has been machine translated dynamically.
This content has been machine translated dynamically.
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.
这篇文章已经过机器翻译.放弃
Translation failed!
Certificate revocation lists
A certificate issued by a CA typically remains valid until its expiration date. However, in some circumstances, the CA may revoke the issued certificate before the expiration date (for example, when an owner’s private key is compromised, a company’s or individual’s name changes, or the association between the subject and the CA changes).
A Certificate Revocation List (CRL) identifies invalid certificates by serial number and issuer.
Certificate authorities issue CRLs on a regular basis. You can configure the NetScaler appliance to use a CRL to block client requests that present invalid certificates.
If you already have a CRL file from a CA, add that to the NetScaler appliance. You can configure refresh options. You can also configure the NetScaler to sync the CRL file automatically at a specified interval, from either a web location or an LDAP location. The appliance supports CRLs in either the PEM or the DER file format. Be sure to specify the file format of the CRL file being added to the NetScaler appliance.
If you have used the NetScaler as a CA to create certificates that are used in SSL deployments, you can also create a CRL to revoke a particular certificate. This feature can be used, for example, to ensure that self-signed certificates that are created on the NetScaler are not used either in a production environment or beyond a particular date.
Note:
By default, CRLs are stored in the /var/netscaler/ssl directory on the NetScaler appliance.
Create a CRL on the ADC
Since you can use the NetScaler appliance to act as a certificate authority and create self-signed certificates, you can also revoke certificates that you have created and certificates whose CA certificate you own.
The appliance must revoke invalid certificates before creating a CRL for those certificates. The appliance stores the serial numbers of revoked certificates in an index file and updates the file each time it revokes a certificate. The index file is automatically created the first time a certificate is revoked.
Revoke a certificate or create a CRL by using the CLI
At the command prompt, type the following command:
create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <input_filename> | -genCRL <output_filename>)
<!--NeedCopy-->
Example:
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -revoke Invalid-1
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -genCRL CRL-1
<!--NeedCopy-->
Revoke a certificate or create a CRL by using the GUI
- Navigate to Traffic Management > SSL and, in the Getting Started group, select CRL Management.
- Enter the certificate details and, in the Choose Operation list, select Revoke Certificate or Generate CRL.
Add an existing CRL to the ADC
Before you configure the CRL on the NetScaler appliance, make sure that the CRL file is stored locally on the NetScaler appliance. In the case of an HA setup, the CRL file must be present on both NetScaler appliances, and the directory path to the file must be the same on both appliances.
Add a CRL on the NetScaler by using the CLI
At the command prompt, type the following commands to add a CRL on the NetScaler and verify the configuration:
add ssl crl <crlName> <crlPath> [-inform (DER | PEM)]
show ssl crl [<crlName>]
<!--NeedCopy-->
Example:
> add ssl crl crl-one /var/netscaler/ssl/CRL-one -inform PEM
Done
show ssl crl crl-one
Name: crl-one Status: Valid, Days to expiration: 29
CRL Path: /var/netscaler/ssl/CRL-one
Format: PEM CAcert: samplecertkey
Refresh: DISABLED
Version: 1
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US,ST=California,L=Santa Clara,O=NetScaler Inc.,OU=SSL Acceleration,CN=www.ns.com/emailAddress=support@NetScaler appliance.com
Last_update:Jun 15 10:53:53 2010 GMT
Next_update:Jul 15 10:53:53 2010 GMT
1) Serial Number: 00
Revocation Date:Jun 15 10:51:16 2010 GMT
Done
<!--NeedCopy-->
Add a CRL on the NetScaler by using the GUI
Navigate to Traffic Management > SSL > CRL, and add a CRL.
Configure CRL refresh parameters
A CRL is generated and published by a Certificate Authority periodically or, in some cases, immediately after a particular certificate is revoked. Citrix recommends that you update CRLs on the NetScaler appliance regularly, for protection against clients trying to connect with certificates that are not valid.
The NetScaler appliance can refresh CRLs from a web location or an LDAP directory. When you specify refresh parameters and a web location or an LDAP server, the CRL does not have to be present on the local hard disk drive at the time you execute the command. The first refresh stores a copy on the local hard disk drive, in the path specified by the CRL File parameter. The default path for storing the CRL is /var/netscaler/ssl.
Note: In release 10.0 and later, the method for refreshing a CRL is not included by default. You must explicitly specify an HTTP or LDAP method. If you are upgrading from an earlier release to release 10.0 or later, you must add a method and run the command again.
Configure CRL autorefresh by using the CLI
At the command prompt, type the following commands to configure CRL auto refresh and verify the configuration the following commands to configure CRL auto refresh and verify the configuration:
set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-url <URL | -server <ip_addr|ipv6_addr>] [-method HTTP | (LDAP [-baseDN <string>] [-bindDN <string>] [-scope ( Base | One )] [-password <string>] [-binary ( YES | NO )])] [-port <port>] [-interval <interval>]
show ssl crl [<crlName>]
<!--NeedCopy-->
Example:
set CRL crl1 -refresh enabled -method ldap -inform DER -CAcert ca1 -server 10.102.192.192 -port 389 -scope base -baseDN "cn=clnt_rsa4_multicert_der,ou=eng,o=ns,c=in" -time 00:01
set ssl crl crl1 -refresh enabled -method http -cacert ca1 -port 80 -time 00:10 -url http://10.102.192.192/crl/ca1.crl
sh crl
1) Name: crl1 Status: Valid, Days to expiration: 355
CRL Path: /var/netscaler/ssl/crl1
Format: PEM CAcert: ca1
Refresh: ENABLED Method: HTTP
URL: http://10.102.192.192/crl/ca1.crl Port:80
Refresh Time: 00:10
Last Update: Successful, Date:Tue Jul 6 14:38:13 2010
Done
<!--NeedCopy-->
Configure CRL autorefresh using LDAP or HTTP by using the GUI
- Navigate to Traffic Management > SSL > CRL.
- Open a CRL, and select Enable CRL Auto Refresh.
Note: If the new CRL has been refreshed in the external repository before its actual update time as specified by the Last Update time field of the CRL, you should immediately refresh the CRL on the NetScaler appliance.
To view the last update time, select the CRL, and click Details.
Synchronize CRLs
The NetScaler appliance uses the most recently distributed CRL to prevent clients with revoked certificates from accessing secure resources.
If CRLs are updated often, the NetScaler appliance needs an automated mechanism to fetch the latest CRLs from the repository. You can configure the appliance to update CRLs automatically at a specified refresh interval.
The appliance maintains an internal list of CRLs that need to be updated at regular intervals. At these specified intervals, the appliance scans the list for CRLs that need to be updated, connects to the remote LDAP server or HTTP server, retrieves the latest CRLs, and then updates the local CRL list with the new CRLs.
Note: If CRL check is set to mandatory when the CA certificate is bound to the virtual server, and the initial CRL refresh fails, all client-authentication connections with the same issuer as the CRL are rejected as REVOKED until the CRL is successfully refreshed.
You can specify the interval at which the CRL refresh should be carried out. You can also specify the exact time.
Synchronize CRL autorefresh by using the CLI
At the command prompt, type the following command:
set ssl crl <crlName> [-interval <interval>] [-day <integer>] [-time <HH:MM>]
<!--NeedCopy-->
Example:
set ssl crl CRL-1 -refresh ENABLE -interval MONTHLY -days 10 -time 12:00
<!--NeedCopy-->
Synchronize CRL refresh by using the GUI
- Navigate to Traffic Management > SSL > CRL.
- Open a CRL, select enable CRL Auto Refresh, and specify the interval.
Perform client authentication by using a certificate revocation list
If a certificate revocation list (CRL) is present on a NetScaler appliance, a CRL check is performed regardless of whether performing the CRL check is set to mandatory or optional.
The success or failure of a handshake depends on a combination of the following factors:
- Rule for CRL check
- Rule for client certificate check
- State of the CRL configured for the CA certificate
The following table lists the results of the possible combinations for a handshake involving a revoked certificate.
Table 1. Result of a Handshake with a Client Using a Revoked Certificate
| Rule for CRL Check | Rule for Client Certificate Check | State of the CRL Configured for the CA certificate | Result of a Handshake with a Revoked Certificate |
|---|---|---|---|
| Optional | Optional | Missing | Success |
| Optional | Mandatory | Missing | Success |
| Optional | Mandatory | Present | Failure |
| Mandatory | Optional | Missing | Success |
| Mandatory | Mandatory | Missing | Failure |
| Mandatory | Optional | Present | Success |
| Mandatory | Mandatory | Present | Failure |
| Optional/Mandatory | Optional | Expired | Success |
| Optional/Mandatory | Mandatory | Expired | Failure |
Note:
The CRL check is optional by default. To change from optional to mandatory or vice-versa, you must first unbind the certificate from the SSL virtual server, and then bind it again after changing the option.
In the output of the sh ssl vserver command, OCSP check: optional implies that a CRL check is also optional. The CRL check settings are displayed in the output of the sh ssl vserver command only if CRL check is set to mandatory. If CRL check is set to optional, the CRL check details do not appear.
To configure CRL check by using the CLI
At the command prompt, type the following command:
bind ssl vserver <vServerName> -certkeyName <string> [(-CA -crlCheck ( Mandatory | Optional ))]
sh ssl vserver
<!--NeedCopy-->
Example:
bind ssl vs v1 -certkeyName ca -CA -crlCheck mandatory
> sh ssl vs v1
Advanced SSL configuration for VServer v1:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: ENABLED Client Cert Required: Mandatory
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: ca CA Certificate CRLCheck: Mandatory CA_Name Sent
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
Done
<!--NeedCopy-->
Configure CRL check by using the GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL virtual server.
- Click in the Certificates section.
- Select a certificate and, in the OCSP and CRL Check list, select CRL Mandatory.
Thank you for the feedback
Share
Share
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select Do Not Agree to exit.