
Adding or Updating a Certificate-Key Pair

Sep 01, 2016

For any SSL transaction, the server needs a valid certificate and the corresponding private key; the matching public key is carried in the certificate. During the handshake, the client uses the server's public key, taken from the certificate, to authenticate the server and to establish the session keys, and completing that step requires the server's private key. The SSL record data itself is then protected with the negotiated symmetric session keys, not with the certificate's public key.

Because the NetScaler appliance offloads SSL transactions from the server, the server's certificate and private key must be present on the appliance, and the certificate must be paired with its corresponding private key. This certificate-key pair must then be bound to the virtual server that processes the SSL transactions.
Note: From release 11.0, the default certificate on a NetScaler appliance has a 2048-bit key. In earlier builds, the default certificate had a 512-bit or 1024-bit key. After upgrading to release 11.0, delete all old certificate-key pairs whose names start with "ns-", and then restart the appliance; a 2048-bit default certificate is generated automatically.
Both the certificate and the key must be in local storage on the NetScaler appliance before they can be added to the appliance. If your certificate or key file is not on the appliance, upload it to the appliance before you create the pair.
Important: Certificates and keys are stored in the /nsconfig/ssl directory by default. If your certificates or keys are stored in any other location, you must provide the absolute path to the files on the NetScaler appliance. The NetScaler FIPS appliances do not support external keys (non-FIPS keys). On a FIPS appliance, you cannot load keys from a local storage device such as a hard disk or flash memory. The FIPS keys must be present in the Hardware Security Module (HSM) of the appliance.

On a NetScaler MPX appliance and a NetScaler FIPS appliance, only RSA private keys are supported. On a VPX virtual appliance, both RSA and DSA private keys are supported. On an SDX appliance, an instance to which SSL chips are assigned supports only RSA private keys; an instance without SSL chips supports both RSA and DSA private keys. In all cases, you can bind a CA certificate that has either an RSA or a DSA key.

Optionally, enable the expiry monitor and set the notification period so that the appliance warns you the specified number of days before the certificate expires.

The NetScaler appliance supports the following input formats of the certificate and the private-key files:
  • PEM - Privacy Enhanced Mail
  • DER - Distinguished Encoding Rule
  • PFX - Personal Information Exchange
The software detects the format automatically, so the inform parameter is no longer required. If you do specify it, the value is ignored whether it is correct or not. The certificate file and the key file must be in the same format.
Note: A certificate must be signed by using one of the following hash algorithms:
  • MD5
  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384 (supported only on the front end)
  • SHA-512 (supported only on the front end)
MD5 and SHA-1 are accepted by the appliance for compatibility only: modern browsers reject certificates signed with either algorithm, and public CAs no longer issue them. Use SHA-256 or stronger for any certificate presented to clients.
An MPX appliance supports certificates of 512 or more bits, up to the following sizes:
  • 4096-bit server certificate on the virtual server
  • 4096-bit client certificate on the service
  • 4096-bit CA certificate (includes intermediate and root certificates)
  • 4096-bit certificate on the back-end server
  • 4096-bit client certificate (if client authentication is enabled on the virtual server)
A VPX virtual appliance supports certificates of 512 or more bits, up to the following sizes:
  • 4096-bit server certificate on the virtual server
  • 4096-bit client certificate on the service
  • 4096-bit CA certificate (includes intermediate and root certificates)
  • 2048-bit certificate on the back-end server
  • 2048-bit client certificate (if client authentication is enabled on the virtual server)

Note: A NetScaler SDX appliance supports certificates of 512 or more bits. Each NetScaler VPX instance hosted on the appliance supports the certificate sizes listed above for a VPX virtual appliance. However, if an SSL chip is assigned to an instance, that instance supports the certificate sizes supported by an MPX appliance.
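Because the certificate and key files must be in local storage before the pair can be added, it is worth checking them on the administrator's workstation before the upload, against the rules given above: same format for both files, a key that actually belongs to the certificate, a supported signature hash, a key size within the 512-bit to 4096-bit range, and the expiry warning that the expiry monitor would later raise. The following script is an added example and is not part of the NetScaler documentation or product. It assumes a POSIX shell with the openssl command-line tool, grep, od and awk available, and uses the file names server_cert.pem and server_key.pem only as placeholders. It does not cover PFX files, because the openssl pkcs12 command needs the import password to inspect them.

```shell
#!/bin/sh
# Pre-upload checks for a certificate/key pair that will become a NetScaler
# certKey. Added example that runs openssl on the admin workstation; it is not
# NetScaler code and does not run on the appliance.

# detect_format FILE -> prints PEM or DER; returns 1 if the file is neither.
# Detection is by content (PEM armour vs. a leading ASN.1 SEQUENCE byte), so it
# does not depend on how a given openssl version treats a wrong -inform value.
detect_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo DER
    else
        return 1
    fi
}

# pubkey_fingerprint FILE KIND FORMAT -> SHA-256 of the DER-encoded public key.
# KIND is x509 (certificate) or pkey (private key). Comparing fingerprints shows
# whether the key belongs to the certificate without printing the key itself.
pubkey_fingerprint() {
    if [ "$2" = x509 ]; then
        pem=$(openssl x509 -in "$1" -inform "$3" -noout -pubkey)
    else
        pem=$(openssl pkey -in "$1" -inform "$3" -pubout)
    fi
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY [NOTIFY_DAYS]
# Applies the rules from the documentation: both files in the same format, key
# matching the certificate, a supported signature hash, key size in 512..4096
# bits. Warns when the certificate expires within NOTIFY_DAYS (default 30),
# which is what -notificationPeriod does on the appliance.
check_pair() {
    cert=$1; key=$2; days=${3:-30}

    cfmt=$(detect_format "$cert") || { echo "certificate is neither PEM nor DER" >&2; return 1; }
    kfmt=$(detect_format "$key")  || { echo "key is neither PEM nor DER" >&2; return 1; }
    [ "$cfmt" = "$kfmt" ] || { echo "format mismatch: certificate=$cfmt key=$kfmt" >&2; return 1; }

    [ "$(pubkey_fingerprint "$cert" x509 "$cfmt")" = "$(pubkey_fingerprint "$key" pkey "$kfmt")" ] \
        || { echo "private key does not match the certificate" >&2; return 1; }

    text=$(openssl x509 -in "$cert" -inform "$cfmt" -noout -text)
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm' | awk '{print $NF}')
    bits=$(printf '%s\n' "$text" | grep -m1 -oE 'Public-Key: \([0-9]+' | grep -oE '[0-9]+')

    case "$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) ;;
        *md5*|*sha1*)
            echo "warning: $sigalg is accepted by the appliance but rejected by modern clients" >&2 ;;
        *) echo "unsupported signature algorithm: $sigalg" >&2; return 1 ;;
    esac

    { [ "$bits" -ge 512 ] && [ "$bits" -le 4096 ]; } 2>/dev/null \
        || { echo "key size '$bits' is outside the supported 512..4096-bit range" >&2; return 1; }

    # -checkend returns non-zero if the certificate expires within the window.
    openssl x509 -in "$cert" -inform "$cfmt" -noout -checkend $((days * 86400)) >/dev/null \
        || echo "warning: certificate expires within $days days" >&2

    echo "OK: $cfmt files, $sigalg, $bits-bit key"
}

# Usage: sh check_pair.sh server_cert.pem server_key.pem 30
if [ $# -ge 2 ]; then
    check_pair "$@"
fi
```

A pair that passes this check can be uploaded and added with add ssl certKey as shown in the next section; a pair that fails would be rejected by the appliance for the same reason, so the check simply moves the error to before the upload. The one appliance check it does not reproduce is the domain-name comparison that update ssl certKey performs against the certificate being replaced.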

To add a certificate-key pair by using the command line interface

At the command prompt, type the following commands to add a certificate-key pair and verify the configuration:

  • add ssl certKey <certkeyName> -cert <string>[(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )] [<passplain>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]
  • show ssl certKey [<certkeyName>]

Example

 
> add ssl certKey sslckey -cert server_cert.pem -key server_key.pem -password ssl -expiryMonitor ENABLED -notificationPeriod 30 
 Done 
Note: For FIPS appliances, replace -key with -fipsKey 
> show ssl certKey sslckey 
        Name: sslckey           Status: Valid,   Days to expiration:8418 
        Version: 3 
        Serial Number: 01 
        Signature Algorithm: md5WithRSAEncryption 
        Issuer:  C=US,ST=SJ,L=SJ,O=NS,OU=NSSSL,CN=www.root.com 
        Validity 
                Not Before: Jul 15 02:25:01 2005 GMT 
                Not After : Nov 30 02:25:01 2032 GMT 
        Subject:  C=US,ST=SJ,L=SJ,O=NS,OU=NSSSL,CN=www.server.com 
        Public Key Algorithm: rsaEncryption 
        Public Key size: 2048 
 Done 

To update or remove a certificate-key pair by using the command line interface

To modify the expiry monitor or the notification period of an existing certificate-key pair, use the set ssl certKey command. To replace the certificate or the key in an existing pair, use the update ssl certKey command; it takes the same -cert and -key (or -fipsKey) parameters as add ssl certKey plus -noDomainCheck, which skips the check that the domain name in the new certificate matches the one being replaced. Both commands take the name of an existing certificate-key pair. To remove a certificate-key pair, use the rm ssl certKey command, which accepts only the <certkeyName> argument.

To add or update a certificate-key pair by using the configuration utility

Navigate to Traffic Management > SSL > Certificates, and configure a certificate-key pair.