
Binding the Certificate-Key Pair to the SSL-Based Virtual Server

May 23, 2017

An SSL certificate is an integral element of the SSL encryption and decryption process. The certificate is used during an SSL handshake to establish the identity of the SSL server.

The certificate being used for processing SSL transactions must be bound to the virtual server that receives the SSL data. If you have multiple virtual servers receiving SSL data, a valid certificate-key pair must be bound to each of them.

You can use a valid, existing SSL certificate that you have uploaded to the NetScaler appliance. As an alternative for testing purposes, you can create your own SSL certificate on the appliance. Intermediate certificates created by using a FIPS key on the NetScaler cannot be bound to an SSL virtual server.

As part of the SSL handshake, when client authentication is enabled, the server's certificate request message lists the distinguished names (DNs) of all the CA certificates bound to the virtual server from which it will accept a client certificate. If you do not want the DN of a specific CA certificate to be sent to the SSL client, bind that CA certificate with the skipCAName flag. The certificate remains bound to the virtual server; only its DN is omitted from the list sent to the client.

For details on how to create your own certificate, see Managing Certificates.

Note: Citrix recommends that you use only valid SSL certificates that have been issued by a trusted certificate authority.

To bind an SSL certificate-key pair to a virtual server by using the command line interface

At the command prompt, type the following commands to bind an SSL certificate-key pair to a virtual server and verify the configuration. The -CA flag marks the pair as a CA certificate used for client certificate authentication rather than as the server certificate, and -skipCAName is meaningful only together with -CA; omit both when binding the server certificate:

  • bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName> [-CA] [-skipCAName]
  • show ssl vserver <vServerName>

Example

 
 > bind ssl vs vs1 -certkeyName cert2 -CA -skipCAName 
 Done 
 > sh ssl vs vs1 
 Advanced SSL configuration for VServer vs1: 
 DH: DISABLED 
 Ephemeral RSA: ENABLED Refresh Count: 0 
 Session Reuse: ENABLED Timeout: 120 seconds 
 Cipher Redirect: DISABLED 
 SSLv2 Redirect: DISABLED 
 ClearText Port: 0 
 Client Auth: DISABLED 
 SSL Redirect: DISABLED 
 Non FIPS Ciphers: DISABLED 
 SNI: DISABLED 
 SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED 
 Push Encryption Trigger: Always 
 Send Close-Notify: YES 
 1) CertKey Name: cert1 CA Certificate OCSPCheck: Optional CA_Name Sent 
 2) CertKey Name: cert2 CA Certificate OCSPCheck: Optional CA_Name Skipped 
 1) Cipher Name: DEFAULT 
 Description: Predefined Cipher Alias 
Done
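The show ssl vserver output above is the only evidence on the appliance that a binding took effect, so it is worth checking mechanically rather than by eye. The following Python script is an added example, not part of this documentation or of NetScaler itself: it parses the output reproduced from the example above (embedded here as constructed sample input), reports which certificate-key pairs are bound, whether each CA certificate's name is sent or skipped, and flags the three things a reviewer would notice in that output: no server certificate is bound, CA certificates are bound while Client Auth is DISABLED, and SSLv3 is ENABLED. The line format for a bound server certificate ("Server Certificate") and the -ssl2/-ssl3 parameters of set ssl vserver come from the NetScaler CLI reference, not from this page, and are assumptions to verify on your firmware version.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the "show ssl vserver vs1" output from the
# documentation example above (cert1 sends its CA name, cert2 skips it).
SAMPLE_SHOW_OUTPUT = """\
Advanced SSL configuration for VServer vs1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
1) CertKey Name: cert1 CA Certificate OCSPCheck: Optional CA_Name Sent
2) CertKey Name: cert2 CA Certificate OCSPCheck: Optional CA_Name Skipped
1) Cipher Name: DEFAULT
Description: Predefined Cipher Alias
Done
"""

# "Server Certificate" as the wording for a non-CA binding is an assumption
# taken from the CLI reference; the CA form is exactly what the page shows.
CERTKEY_RE = re.compile(
    r"^\s*\d+\)\s+CertKey Name:\s+(?P<name>\S+)\s+(?P<kind>Server|CA) Certificate"
    r"(?:\s+OCSPCheck:\s+(?P<ocsp>\S+))?"
    r"(?:\s+CA_Name\s+(?P<ca_name>Sent|Skipped))?"
)
# Matches "SSLv3: ENABLED" but not "SSLv2 Redirect: DISABLED" (colon must follow).
PROTO_RE = re.compile(r"\b(SSLv2|SSLv3|TLSv1(?:\.\d)?):\s+(ENABLED|DISABLED)\b")
CLIENT_AUTH_RE = re.compile(r"^\s*Client Auth:\s+(ENABLED|DISABLED)", re.MULTILINE)

# Assumed set ssl vserver parameters for disabling legacy protocols.
PROTO_DISABLE_PARAM = {"SSLv2": "-ssl2", "SSLv3": "-ssl3"}


@dataclass
class CertKeyBinding:
    name: str
    is_ca: bool
    ocsp_check: Optional[str]
    ca_name_sent: Optional[bool]  # None for a server certificate


def parse_bindings(show_output: str) -> List[CertKeyBinding]:
    """Return every certificate-key pair listed in show ssl vserver output."""
    bindings = []
    for line in show_output.splitlines():
        m = CERTKEY_RE.match(line)
        if not m:
            continue
        is_ca = m.group("kind") == "CA"
        ca_name = m.group("ca_name")
        bindings.append(CertKeyBinding(
            name=m.group("name"),
            is_ca=is_ca,
            ocsp_check=m.group("ocsp"),
            ca_name_sent=(ca_name == "Sent") if (is_ca and ca_name) else None,
        ))
    return bindings


def parse_protocols(show_output: str) -> Dict[str, bool]:
    """Map each protocol version on the SSLv2/SSLv3/TLSv1 line to ENABLED=True."""
    return {proto: state == "ENABLED" for proto, state in PROTO_RE.findall(show_output)}


def is_bound(show_output: str, certkey_name: str) -> bool:
    """True if the named certificate-key pair appears in the binding list."""
    return any(b.name == certkey_name for b in parse_bindings(show_output))


def audit_vserver(show_output: str) -> List[str]:
    """Return human-readable findings about the virtual server's SSL bindings."""
    findings = []
    bindings = parse_bindings(show_output)
    protocols = parse_protocols(show_output)
    if not any(not b.is_ca for b in bindings):
        findings.append("no server certificate-key pair is bound; the handshake cannot complete")
    client_auth = CLIENT_AUTH_RE.search(show_output)
    if any(b.is_ca for b in bindings) and client_auth and client_auth.group(1) == "DISABLED":
        findings.append("CA certificates are bound but Client Auth is DISABLED; they are unused")
    for proto, param in PROTO_DISABLE_PARAM.items():
        if protocols.get(proto):
            findings.append(f"{proto} is ENABLED; run: set ssl vserver <vServerName> {param} DISABLED")
    return findings


if __name__ == "__main__":
    for b in parse_bindings(SAMPLE_SHOW_OUTPUT):
        print(b)
    for finding in audit_vserver(SAMPLE_SHOW_OUTPUT):
        print("FINDING:", finding)
```

In practice, capture the output of show ssl vserver over SSH (or from the running config) and feed it to audit_vserver after every bind; a bind that succeeds with "Done" but never shows up in the list, or shows up as a CA certificate when you meant a server certificate, is caught immediately.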

To unbind an SSL certificate-key pair from a virtual server by using the command line interface

The older unbind ssl certKey <certkeyName> form is no longer accepted; using it returns an error because the command syntax has changed. At the command prompt, type the following command:

unbind ssl vserver <vServerName> -certkeyName <string>

Example

 unbind ssl vserver vssl -certkeyName sslckey

To bind an SSL certificate-key pair to a virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Open an SSL virtual server and, in Advanced Settings, click SSL Certificate.
  3. Bind a server certificate or CA certificate to the virtual server. To add a server certificate as an SNI certificate, select Server Certificate for SNI.