Product Documentation

Configuring Ephemeral RSA

Sep 01, 2016

Ephemeral RSA allows export clients to communicate with the secure server even if the server certificate does not support export clients (1024-bit certificate). If you want to prevent export clients from accessing the secure web object and/or resource, you need to disable ephemeral RSA key exchange.

By default, this feature is enabled on the NetScaler appliance, with the refresh count set to zero (infinite use).


The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted but reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the system restarts.

To configure Ephemeral RSA by using the command line interface

At the command prompt, type the following commands to configure ephemeral RSA and verify the configuration:

  • set ssl vserver <vServerName> -eRSA (enabled | disabled) -eRSACount <positive_integer>
  • show ssl vserver <vServerName>


> set ssl vserver vs-server -eRSA ENABLED -eRSACount 1000 
> show ssl vserver vs-server 
        Advanced SSL configuration for VServer vs-server: 
        DH: DISABLED 
        Ephemeral RSA: ENABLED          Refresh Count: 1000 
        Session Reuse: ENABLED          Timeout: 120 seconds 
        Cipher Redirect: DISABLED 
        SSLv2 Redirect: DISABLED 
        ClearText Port: 0 
        Client Auth: DISABLED 
        SSL Redirect: DISABLED 
        Non FIPS Ciphers: DISABLED 
1)      Cipher Name: DEFAULT 
        Description: Predefined Cipher Alias 

To configure Ephemeral RSA by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
  2. In the SSL Parameters section, select Enable Ephemereal RSA, and specify a refresh count.