Product Documentation

SSL FAQs

Sep 01, 2016

Basic Questions

HTTPS access to the NetScaler configuration utility fails on a VPX instance. How do I gain access?

A certificate-key pair is required for HTTPS access to the NetScaler configuration utility. On a NetScaler ADC, a certificate-key pair is automatically bound to the internal services. On an MPX or SDX appliance, the default key size is 1024 bytes, and on a VPX instance, the default key size is 512 bytes. However, most browsers today do not accept a key that is less than 1024 bytes. As a result, HTTPS access to the VPX configuration utility is blocked.

Citrix recommends that you install a certificate-key pair of at least 1024 bytes and bind it to the internal service for HTTPS access to the configuration utility or update the ns-server-certificate to 1024 bytes. You can use HTTP access to the configuration utility or the NetScaler command line to install the certificate.

If I add a license to an MPX appliance, the certificate-key pair binding is lost. How do I resolve this problem?

If a license is not present on an MPX appliance when it starts, and you add a license later and restart the appliance, you might lose the certificate binding. You must reinstall the certificate and bind it to the internal service.

Citrix recommends that you install an appropriate license before starting the appliance.

What are the various steps involved in setting up a secure channel for an SSL transaction?
Setting up a secure channel for an SSL transaction involves the following steps:
  1. The client sends an HTTPS request for a secure channel to the server.
  2. After selecting the protocol and cipher, the server sends its certificate to the client.
  3. The client checks the authenticity of the server certificate.
  4. If any of the checks fail, the client displays the corresponding feedback.
  5. If the checks pass or the client decides to continue even if a check fails, the client creates a temporary, disposable key called the pre-master secret and encrypts it by using the public key of the server certificate.
  6. The server, upon receiving the pre-master secret, decrypts it by using the server's private key and generates the session keys. The client also generates the session keys from the pre-master secret. Thus both client and server now have a common session key, which is used for encryption and decryption of application data.
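The key-derivation part of step 6, as an added example that is not part of the Citrix page: both sides run the TLS 1.0/1.1 pseudo-random function (RFC 2246, section 5) over the pre-master secret and the two hello randoms and obtain identical session keys, shown here for the RC4-128/SHA-1 cipher that the cipher example later on this page displays. TLS 1.2 replaced this PRF with a SHA-256 based one; the pre-master secret and randoms below are constructed values.

```python
# Added example (not from the Citrix page): how step 6 of the handshake turns the
# pre-master secret into shared session keys, using the TLS 1.0/1.1 PRF of
# RFC 2246 section 5 and only the standard library. Inputs are constructed.
import hashlib
import hmac
from typing import Dict


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed): HMAC chain A(1), A(2), ... expanded to 'length' bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).
    S1/S2 are the two halves of the secret (the middle byte is shared if odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master, "master secret", client_random + server_random)[0..47]."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_rc4_sha_keys(master_secret: bytes, client_random: bytes,
                        server_random: bytes) -> Dict[str, bytes]:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random),
    note the reversed random order. Partitioned for TLS_RSA_WITH_RC4_128_SHA
    (SSL3-RC4-SHA on the NetScaler): two 20-byte MAC secrets, two 16-byte keys, no IVs."""
    block = tls10_prf(master_secret, b"key expansion", server_random + client_random, 72)
    return {
        "client_write_mac_secret": block[0:20],
        "server_write_mac_secret": block[20:40],
        "client_write_key": block[40:56],
        "server_write_key": block[56:72],
    }


def session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """What each side computes in step 6: same three inputs, same keys on both ends."""
    master = derive_master_secret(pre_master, client_random, server_random)
    return derive_rc4_sha_keys(master, client_random, server_random)


# Constructed test inputs. In a real RSA handshake the 48-byte pre-master secret is
# random apart from its first two bytes, which carry the client's offered version
# (0x03 0x01 = TLS 1.0); it is fixed here so the run is reproducible.
PRE_MASTER = bytes([0x03, 0x01]) + bytes(range(46))
CLIENT_RANDOM = bytes([0xC1] * 32)
SERVER_RANDOM = bytes([0x5E] * 32)

if __name__ == "__main__":
    client_side = session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_side = session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    assert client_side == server_side
    # Without the server's private key the pre-master secret cannot be recovered from
    # the ClientKeyExchange, and any other value yields unrelated session keys.
    other = session_keys(b"\x03\x01" + bytes(46), CLIENT_RANDOM, SERVER_RANDOM)
    assert other["client_write_key"] != client_side["client_write_key"]
    for name, value in client_side.items():
        print(f"{name}: {value.hex()}")
```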
I understand that SSL is a CPU-intensive process. What is the CPU cost associated with the SSL process?
The following two stages are associated with the SSL process:
  • The initial handshake and secure channel setup by using the public and private key technology.
  • Bulk data encryption by using the asymmetric key technology.
Both of the preceding stages can affect server performance, and they require intensive CPU processing for the following reasons:
  1. The initial handshake involves public-private key cryptography, which is very CPU intensive because of large key sizes (1024-bit, 2048-bit, 4096-bit).
  2. Encryption/decryption of data is also computationally expensive, depending on the amount of data that needs to be encrypted or decrypted.
What are the various entities of an SSL configuration?
An SSL configuration has the following entities:
  • Server certificate
  • Certificate Authority (CA) certificate
  • Cipher suite that specifies the protocols for the following tasks:
    • Initial key exchange
    • Server and client authentication
    • Bulk encryption algorithm
    • Message authentication
  • Client authentication
  • CRL
  • SSL Certificate Key Generation Tool that enables you to create the following files:
    • Certificate request
    • Self-signed certificate
    • RSA and DSA keys
    • DH parameters
I want to use the SSL offloading feature of the Citrix NetScaler appliance. What are the various options for receiving an SSL certificate?
You must receive an SSL certificate before you can configure the SSL setup on the Citrix NetScaler appliance. You can use any of the following methods to receive an SSL certificate:
  • Request a certificate from an authorized CA.
  • Use the existing server certificate.
  • Create a certificate-key pair on the Citrix NetScaler appliance.
    Note: This is a test certificate signed by the test Root-CA generated by the NetScaler. Test certificates signed by this Root-CA are not accepted by browsers. The browser throws a warning message stating that the server's certificate cannot be authenticated.
  • For anything other than test purposes, you must provide a valid CA certificate and CA key to sign the server certificate.
What are the minimum requirements for an SSL setup?
The minimum requirements for configuring an SSL setup are as follows:
  • Obtain the certificates and keys.
  • Create a load balancing SSL virtual server.
  • Bind HTTP or SSL services to the SSL virtual server.
  • Bind certificate-key pair to the SSL virtual server.
What are the limits for the various components of SSL?
SSL components have the following limits:
  • Bit size of SSL certificates: 4096.
  • Number of SSL certificates: Depends on the available memory on the appliance.
  • Maximum linked intermediate CA SSL certificates: 9 per chain.
  • CRL revocations: Depends on the available memory on the appliance.
What are the various steps involved in the end-to-end data encryption on a Citrix NetScaler appliance?
The steps involved in the server-side encryption process on a Citrix NetScaler appliance are as follows:
  1. The client connects to the SSL VIP configured on the Citrix NetScaler appliance at the secure site.
  2. After receiving the secure request, the appliance decrypts the request, applies layer 4-7 content switching techniques and load balancing policies, and selects the best available backend Web server for the request.
  3. The Citrix NetScaler appliance creates an SSL session with the selected server.
  4. After establishing the SSL session, the appliance encrypts the client request and sends it to the Web server by using the secure SSL session.
  5. When the appliance receives the encrypted response from the server, it decrypts and re-encrypts the data, and sends the data to the client by using the client side SSL session.

The multiplexing technique of the Citrix NetScaler appliance enables the appliance to reuse SSL sessions that have been established with the Web servers. Therefore, the appliance avoids the CPU intensive key exchange, known as full handshake. This process reduces the overall number of SSL sessions on the server and maintains end-to-end security.

Certificates and Keys

Can I place the certificate and key files at any location? Is there any recommended location to store these files?
You can store the certificate and key files on the Citrix NetScaler appliance or a local computer. However, Citrix recommends that you store the certificate and key files in the /nsconfig/ssl directory of the Citrix NetScaler appliance. The /etc directory exists in the flash memory of the Citrix NetScaler appliance. This provides portability and facilitates backup and restoration of the certificate files on the appliance.
Note: Make sure that the certificate and the key files are stored in the same directory.
What is the maximum size of the certificate key supported on the Citrix NetScaler appliance?
A Citrix NetScaler appliance running a software release earlier than release 9.0 supports a maximum certificate key size of 2048 bits. Release 9.0 and later support a maximum certificate key size of 4096 bits. This limit is applicable to both RSA and DSA certificates.
An MPX appliance supports certificates from 512-bits up to the following sizes:
  • 4096-bit server certificate on the virtual server
  • 4096-bit client certificate on the service
  • 4096-bit CA certificate (includes intermediate and root certificates)
  • 4096-bit certificate on the back end server
  • 4096-bit client certificate (if client authentication is enabled on the virtual server)
A virtual appliance supports certificates from 512-bits up to the following sizes:
  • 4096-bit server certificate on the virtual server
  • 4096-bit client certificate on the service
  • 4096-bit CA certificate (includes intermediate and root certificates)
  • 2048-bit certificate on the back end server
  • 2048-bit client certificate (if client authentication is enabled on the virtual server)
What is the maximum size of the DH parameter supported on the Citrix NetScaler appliance?
The Citrix NetScaler appliance supports a DH parameter of maximum 2048 bits.
What is the maximum certificate-chain length, that is, the maximum number of certificates in a chain, supported on a Citrix NetScaler appliance?
A Citrix NetScaler appliance can send a maximum of 10 certificates in a chain when sending a server certificate message. A chain of the maximum length includes the server certificate and nine intermediate CA certificates.
What are the various certificate and key formats supported on the Citrix NetScaler appliance?
The Citrix NetScaler appliance supports the following certificate and key formats:
  • Privacy Enhanced Mail (PEM)
  • Distinguished Encoding Rule (DER)
Is there a limit for the number of certificates and keys that I can install on the Citrix NetScaler appliance?
No. The number of certificates and keys that can be installed is limited only by the available memory on the Citrix NetScaler appliance.
I have saved the certificate and key files on the local computer. I want to transfer these files to the Citrix NetScaler appliance by using the FTP protocol. Is there any preferred mode for transferring these files to the Citrix NetScaler appliance?
Yes. If using the FTP protocol, you should use binary mode to transfer the certificate and key files to the Citrix NetScaler appliance.
Note: By default, FTP is disabled. Citrix recommends using the SCP protocol for transferring certificate and key files. The configuration utility implicitly uses SCP to connect to the appliance.
What is the default directory path for the certificate and key?
The default directory path for the certificate and key is /nsconfig/ssl.
When adding a certificate and key pair, what happens if I do not specify an absolute path to the certificate and key files?
When adding a certificate and key pair, if you do not specify an absolute path to the certificate and key files, the Citrix NetScaler appliance searches the default directory, /nsconfig/ssl, for the specified files and attempts to load them to the kernel. For example, if the cert1024.pem and rsa1024.pem files are available in the /nsconfig/ssl directory of the appliance, both of the following commands are successful:

add ssl certKey cert1 -cert cert1024.pem -key rsa1024.pem

add ssl certKey cert1 -cert /nsconfig/ssl/cert1024.pem -key /nsconfig/ssl/rsa1024.pem

I have configured a high availability setup. I want to implement the SSL feature on the setup. How should I handle the certificate and key files in a high availability setup?
In a high availability setup, you must store the certificate and key files on both the primary and the secondary Citrix NetScaler appliance. The directory path for the certificate and key files must be the same on both appliances before you add an SSL certificate-key pair on the primary appliance.

Ciphers

What is a NULL-Cipher?
Ciphers with no encryption are known as NULL-Ciphers. For example, NULL-MD5 is a NULL-Cipher.
Are the NULL-Ciphers enabled by default for an SSL VIP or an SSL service?
No. NULL-Ciphers are not enabled by default for an SSL VIP or an SSL service.
What is the procedure to remove NULL-Ciphers?
To remove the NULL-Ciphers from an SSL VIP, run the following command:

bind ssl cipher <SSL_VIP> REM NULL

To remove the NULL-Ciphers from an SSL Service, run the following command:

bind ssl cipher <SSL_Service> REM NULL -service

What are the various cipher aliases supported on the Citrix NetScaler appliance?
The Citrix NetScaler appliance supports the following cipher aliases (alias name: description):
  1. ALL: All NetScaler-supported ciphers, excluding NULL ciphers
  2. DEFAULT: Default cipher list with encryption strength >= 128-bit
  3. kRSA: Ciphers with RSA key exchange algorithm
  4. kEDH: Ciphers with Ephemeral-DH key exchange algorithm
  5. DH: Ciphers with DH key exchange algorithm
  6. EDH: Ciphers with DH key exchange algorithm and authentication algorithm
  7. aRSA: Ciphers with RSA authentication algorithm
  8. aDSS: Ciphers with DSS authentication algorithm
  9. aNULL: Ciphers with NULL authentication algorithm
  10. DSS: Ciphers with DSS authentication algorithm
  11. DES: Ciphers with DES encryption algorithm
  12. 3DES: Ciphers with 3DES encryption algorithm
  13. RC4: Ciphers with RC4 encryption algorithm
  14. RC2: Ciphers with RC2 encryption algorithm
  15. eNULL: Ciphers with NULL encryption algorithm
  16. MD5: Ciphers with MD5 message authentication code (MAC) algorithm
  17. SHA1: Ciphers with SHA-1 MAC algorithm
  18. SHA: Ciphers with SHA MAC algorithm
  19. NULL: Ciphers with NULL encryption algorithm
  20. RSA: Ciphers with RSA key exchange algorithm and authentication algorithm
  21. ADH: Ciphers with DH key exchange algorithm, and NULL authentication algorithm
  22. SSLv2: SSLv2 protocol ciphers
  23. SSLv3: SSLv3 protocol ciphers
  24. TLSv1: SSLv3/TLSv1 protocol ciphers
  25. TLSv1_ONLY: TLSv1 protocol ciphers
  26. EXP: Export ciphers
  27. EXPORT: Export ciphers
  28. EXPORT40: Export ciphers with 40-bit encryption
  29. EXPORT56: Export ciphers with 56-bit encryption
  30. LOW: Low strength ciphers (56-bit encryption)
  31. MEDIUM: Medium strength ciphers (128-bit encryption)
  32. HIGH: High strength ciphers (168-bit encryption)
  33. AES: AES ciphers
  34. FIPS: FIPS-approved ciphers
  35. ECDHE: Elliptic Curve Ephemeral DH ciphers

What is the command to display all the predefined ciphers of the Citrix NetScaler appliance?
To display all the predefined ciphers of the Citrix NetScaler appliance, at the NetScaler command line, type:

show ssl cipher

What is the command to display the details of an individual cipher of the Citrix NetScaler appliance?
To display the details of an individual cipher of the Citrix NetScaler appliance, at the NetScaler command line, type:

show ssl cipher <Cipher_Name/Cipher_Alias_Name/Cipher_Group_Name>

Example:

 > show ssl cipher SSL3-RC4-SHA
 1) Cipher Name: SSL3-RC4-SHA
    Description: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
 Done
What is the significance of adding the predefined ciphers of the Citrix NetScaler appliance?
Adding the predefined ciphers of the Citrix NetScaler appliance causes the NULL-Ciphers to be added to an SSL VIP or an SSL service as well.

Certificates


Is the distinguished name in a client certificate available for the length of the user session?
Yes. You can access the distinguished name of the client certificate in subsequent requests for the length of the user session, that is, even after the SSL handshake is complete and the browser no longer sends the certificate. To do this, use a variable and an assignment as shown in the following sample configuration:

Example:

add ns variable v2 -type "text(100)"
add ns assignment a1 -variable "$v2" -set "CLIENT.SSL.CLIENT_CERT.SUBJECT.TYPECAST_NVLIST_T('=','/').VALUE(\"CN\")"
add rewrite action act1 insert_http_header subject "$v2"
add rewrite policy pol1 true a1
add rewrite policy pol2 true act1
bind rewrite global pol1 1 next -type RES_DEFAULT
bind rewrite global pol2 2 next -type RES_DEFAULT
set rewrite param -undefAction RESET

In this example, the assignment a1 stores the CN of the client certificate subject in the variable v2, and the rewrite action act1 inserts the stored value into an HTTP header named subject.
Why do I need to bind the server certificate?
Binding the server certificates is the basic requirement for enabling the SSL configuration to process SSL transactions.

To bind the server certificate to an SSL VIP, at the NetScaler command line, type:

bind ssl vserver <vServerName> -certkeyName <cert_name>

To bind the server certificate to an SSL service, at the NetScaler command line, type:

bind ssl service <serviceName> -certkeyName <cert_name>

How many certificates can I bind to an SSL VIP or an SSL service?
On a NetScaler virtual appliance, you can bind a maximum of two certificates to an SSL VIP or an SSL service, one each of type RSA and type DSA. On a NetScaler MPX or MPX-FIPS appliance, if SNI is enabled, you can bind multiple server certificates of type RSA. If SNI is disabled, you can bind a maximum of one certificate of type RSA.
Note: DSA certificates are not supported on MPX or MPX-FIPS platforms.
Does SNI support Subject Alternative Name (SAN) certificates?
No. On a NetScaler appliance, SNI is not supported with a SAN extension certificate.
What happens if I unbind or overwrite a server certificate?
When you unbind or overwrite a server certificate, all the connections and SSL sessions created by using the existing certificate are terminated. When you overwrite an existing certificate, the following message appears:

ERROR:
Warning: Current certificate replaces the previous binding.

How do I install an intermediate certificate on Citrix NetScaler and link to a server certificate?
See the article at http://support.citrix.com/article/ctx114146 for information about installing an intermediate certificate.
Why am I getting a "resource already exists" error when I try to install a certificate on the Citrix NetScaler?
See the article at http://support.citrix.com/article/CTX117284 for instructions for resolving the "resource already exists" error.
I want to create a server certificate on a Citrix NetScaler appliance to test and evaluate the product. What is the procedure to create a server certificate?
Perform the following procedure to create a test certificate.
Note: A certificate created with this procedure cannot be used to authenticate all the users and browsers. After using the certificate for testing, you should obtain a server certificate signed by an authorized Root CA.
To create a self-signed server certificate:
  1. To create a Root CA certificate, at the NetScaler command line, type:

    create ssl rsakey /nsconfig/ssl/test-ca.key 1024

    create ssl certreq /nsconfig/ssl/test-ca.csr -keyfile /nsconfig/ssl/test-ca.key

    Enter the required information when prompted, and then type the following command:

    create ssl cert /nsconfig/ssl/test-ca.cer /nsconfig/ssl/test-ca.csr ROOT_CERT -keyfile /nsconfig/ssl/test-ca.key

  2. Perform the following procedure to create a server certificate and sign it with the root CA certificate that you just created:
    1. To create the request and the key, at the NetScaler command line, type:

      create ssl rsakey /nsconfig/ssl/test-server.key 1024

      create ssl certreq /nsconfig/ssl/test-server.csr -keyfile /nsconfig/ssl/test-server.key

    2. Enter the required information when prompted.
    3. To create a serial-number file, at the NetScaler command line, type:
      shell
      # echo '01' > /nsconfig/ssl/serial.txt
      # exit
      
  3. To create a server certificate signed by the root CA certificate created in step 1, at the NetScaler command line, type:

    create ssl cert /nsconfig/ssl/test-server.cer /nsconfig/ssl/test-server.csr SRVR_CERT -CAcert /nsconfig/ssl/test-ca.cer -CAkey /nsconfig/ssl/test-ca.key -CAserial /nsconfig/ssl/serial.txt

  4. To create a Citrix NetScaler certkey, which is the in-memory object that holds the server certificate information for SSL handshakes and bulk encryption, at the NetScaler command line, type:

    add ssl certkey test-certkey -cert /nsconfig/ssl/test-server.cer -key /nsconfig/ssl/test-server.key

  5. To bind the certkey object to the SSL virtual server, at the NetScaler command line, type:

    bind ssl vserver <vServerName> -certkeyName <cert_name>

I have received a Citrix NetScaler appliance on which Citrix NetScaler software release 9.0 is installed. I have noticed an additional license file on the appliance. Is there any change in the licensing policy starting with Citrix NetScaler software release 9.0?
Yes. Starting with Citrix NetScaler software release 9.0, the appliance might not have a single license file. The number of license files depends on the Citrix NetScaler software release edition. For example, if you have installed the Enterprise edition, you might need additional license files for the full functionality of the various features. However, if you have installed the Platinum edition, the appliance has only one license file.
How do I export the certificate from Internet Information Service (IIS)?
There are many ways to do this, but by using the following method the appropriate certificate and private key for the Web site are exported. This procedure must be performed on the actual IIS server.
  1. Open the Internet Information Services (IIS) Manager administration tool.
  2. Expand the Web Sites node and locate the SSL-enabled Web site that you want to serve through the Citrix NetScaler.
  3. Right-click this Web site and click Properties.
  4. Click the Directory Security tab and, in the Secure Communications section of the window, select the View Certificate box.
  5. Click the Details tab, and then click Copy to File.
  6. On the Welcome to the Certificate Export Wizard page, click Next.
  7. Select Yes, export the private key and click Next.
    Note: The private key MUST be exported for SSL Offload to work on the Citrix NetScaler.
  8. Make sure that the Personal Information Exchange -PKCS #12 radio button is selected, and select only the Include all certificates in the certification path if possible check box. Click Next.
  9. Enter a password and click Next.
  10. Enter a file name and location, and then click Next. Give the file an extension of .PFX.
  11. Click Finish.
How do I convert the PKCS#12 certificate and install it on the Citrix NetScaler?
  1. Move the exported .PFX certificate file to a location from where it may be copied to the Citrix NetScaler (that is, to a machine that permits SSH access to the management interface of a Citrix NetScaler appliance). Copy the certificate to the appliance by using a secure copy utility such as SCP.
  2. Access the BSD shell and convert the certificate (for example, cert.PFX) to .PEM format:

    root@ns# openssl pkcs12 -in cert.PFX -out cert.PEM

  3. To make sure that the converted certificate is in correct x509 format, verify that the following command produces no error:

    root@ns# openssl x509 -in cert.PEM -text

  4. Verify that the certificate file contains a private key. Begin by issuing the following command:

    root@ns# cat cert.PEM

    Verify that the output file includes an RSA PRIVATE KEY section.

    -----BEGIN RSA PRIVATE KEY-----
    Mkm^s9KMs9023pz/s...
    -----END RSA PRIVATE KEY-----

    The following is another example of an RSA PRIVATE KEY section:

    Bag Attributes
    1.3.6.1.4.1.311.17.2: <No Values>
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: 4b9cef4cc8c9b849ff5c662fd3e0ef7e_76267e3e-6183-4d45-886e-6e067297b38f
    Key Attributes
    X509v3 Key Usage: 10
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,43E7ACA5F4423968
    pZJ2SfsSVqMbRRf6ug37Clua5gY0Wld4frPIxFXyJquUHr31dilW5ta3hbIaQ+Rg
    ... (more random characters)
    v8dMugeRplkaH2Uwt/mWBk4t71Yv7GeHmcmjafK8H8iW80ooPO3D/ENV8X4U/tlh
    5eU6ky3WYZ1BTy6thxxLlwAullynVXZEflNLxq1oX+ZYl6djgjE3qg==
    -----END RSA PRIVATE KEY-----

    The following is a SERVER CERTIFICATE section:

    Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: AG Certificate
    subject=/C=AU/ST=NSW/L=Wanniassa/O=Dave Mother Asiapacific/OU=Support/CN=davemother.food.lan
    issuer=/DC=lan/DC=food/CN=hotdog
    -----BEGIN CERTIFICATE-----
    MIIFiTCCBHGgAwIBAgIKCGryDgAAAAAAHzANBgkqhkiG9w0BAQUFADA8MRMwEQYK
    ... (more random characters)
    5pLDWYVHhLkA1pSxvFjNJHRSIydWHc5ltGyKqIUcBezVaXyel94pNSUYx07NpPV/
    MY2ovQyQZM8gGe3+lGFum0VHbv/y/gB9HhFesog=
    -----END CERTIFICATE-----

    The following is an INTERMEDIATE CA CERTIFICATE section:

    Bag Attributes: <Empty Attributes>
    subject=/DC=lan/DC=food/CN=hotdog
    issuer=/DC=lan/DC=food/CN=hotdog
    -----BEGIN CERTIFICATE-----
    MIIESDCCAzCgAwIBAgIQah20fCRYTY9LRXYMIRaKGjANBgkqhkiG9w0BAQUFADA8
    ... (more random characters)
    Nt0nksawDnbKo86rQcNnY5xUs7c7pj2zxj/IOsgNHUp5W6dDI9pQoqFFaDk=
    -----END CERTIFICATE-----

    Further Intermediate CA certificates may follow, depending on the certification path of the exported certificate.

  5. Open the .PEM file in a text editor.
  6. Locate the first line of the .PEM file and the first instance of the following line, and copy those two lines and all the lines between them:

    -----END CERTIFICATE-----

    Note: Make sure that last copied line is the first -----END CERTIFICATE----- line in the .PEM file.
  7. Paste the copied lines into a new file. Call the new file something intuitive, such as cert-key.pem. This is the certificate-key pair for the server hosting the HTTPS service. This file should contain both the section labeled RSA PRIVATE KEY and the section labeled SERVER CERTIFICATE in the example above.
    Note: The certificate-key pair file contains the private key and must therefore be kept secure.
  8. Locate any subsequent sections beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and copy each such section to a separate new file.

    These sections correspond to certificates of trusted CAs that have been included in the certification path. Copy and paste each section into its own new file. For example, the INTERMEDIATE CA CERTIFICATE section of the example above should be copied and pasted into a new file.

    For multiple intermediate CA certificates in the original file, create new files for each intermediate CA certificate in the order in which they appear in the file. Keep track (using appropriate filenames) of the order in which the certificates appear, as they need to be linked together in the correct order in a later step.

  9. Copy the certificate-key file (cert-key.pem) and any additional CA certificate files into the /nsconfig/ssl directory on the Citrix NetScaler.
  10. Exit the BSD shell and access the Citrix NetScaler prompt.
  11. Follow the steps in "Install the certificate-key files on the appliance" to install the key/certificate once uploaded on the device.
How do I convert the PKCS#7 certificate and install it on the NetScaler appliance?
You can use OpenSSL to convert a PKCS #7 Certificate to a format recognizable by the NetScaler appliance. The procedure is identical to the procedure for PKCS #12 certificates, except that you invoke OpenSSL with different parameters. The steps for converting PKCS #7 certificates are as follows:
  1. Copy the certificate to the appliance by using a secure copy utility, such as SCP.
  2. Convert the certificate (for example, cert.p7b) to PEM format:

    root@ns# openssl pkcs7 -inform DER -in cert.p7b -print_certs -text -out cert.pem

  3. Follow steps 3 through 7 of the PKCS #12 procedure in the preceding answer.
Note: Before loading the converted PKCS #7 certificate to the appliance, be sure to verify that it contains a private key, exactly as described in step 3 for the PKCS #12 procedure. PKCS #7 certificates, particularly those exported from IIS, do not typically contain a private key.
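As an added example (not part of the Citrix page), the following script performs steps 4 through 8 of the PKCS #12 procedure, including the private-key check that the PKCS #7 note above asks for, on the PEM file that openssl pkcs12 writes. SAMPLE_PEM, the output names cert-key.pem and intermediate-ca-N.pem, and the staging directory are constructed; unlike the copy-and-paste steps it does not assume the key precedes the server certificate in the file.

```python
# Added example (not from the Citrix page): automates steps 4 to 8 of the PKCS #12
# procedure on the PEM file produced by "openssl pkcs12 -in cert.PFX -out cert.PEM".
# It checks that a private key is present, pairs that key with the first certificate
# as cert-key.pem, and writes every following certificate to its own numbered file so
# the linking order is preserved. SAMPLE_PEM is constructed placeholder data.
import os
import re
from pathlib import Path
from typing import List, Tuple

# One PEM block of any type, e.g. -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def has_private_key(text: str) -> bool:
    """Step 4: a usable certificate-key pair needs a private key section.
    PKCS #7 exports, for example, normally carry none."""
    return any(m.group(1) in KEY_LABELS for m in PEM_BLOCK.finditer(text))


def split_pem_bundle(text: str) -> Tuple[str, List[str]]:
    """Return (certkey_pem, [ca_cert_pem, ...]).

    Steps 6/7: the private key plus the first certificate form the certificate-key
               pair. Bag Attributes lines are dropped; only the PEM blocks matter.
    Step 8:    every later certificate is a CA certificate, kept in file order
               because they are linked in that order afterwards.
    """
    if not has_private_key(text):
        raise ValueError("no private key section found; the file cannot be a certificate-key pair")
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]
    keys = [b for label, b in blocks if label in KEY_LABELS]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) > 1:
        raise ValueError("more than one private key found; export a single site certificate")
    if not certs:
        raise ValueError("no certificate section found")
    certkey = keys[0] + "\n" + certs[0] + "\n"
    return certkey, [c + "\n" for c in certs[1:]]


def _write_private(path: Path, data: str) -> None:
    """Create the file owner-readable only, because it contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_split_files(text: str, out_dir: Path) -> List[Path]:
    """Write cert-key.pem and intermediate-ca-N.pem into out_dir (a staging
    directory; the files are then copied to /nsconfig/ssl as in step 9)."""
    certkey, cas = split_pem_bundle(text)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = [out_dir / "cert-key.pem"]
    _write_private(written[0], certkey)
    for n, ca in enumerate(cas, start=1):
        path = out_dir / f"intermediate-ca-{n}.pem"   # numbered: linking order matters
        path.write_text(ca)
        written.append(path)
    return written


# Constructed sample in the layout "openssl pkcs12" prints; base64 bodies are placeholders.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgUFJJVkFURSBLRVkgKG5vdCBhIHJlYWwga2V5KQ==
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=www.example.test
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgU0VSVkVSIENFUlRJRklDQVRF
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENBIENFUlRJRklDQVRF
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import tempfile
    for path in write_split_files(SAMPLE_PEM, Path(tempfile.mkdtemp())):
        print(f"{path.name}: mode {oct(path.stat().st_mode & 0o777)}")
```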
When I bind a cipher to a virtual server or service by using the bind cipher command, I see the error message "Command deprecated."

The command for binding a cipher to a virtual server or service has changed.

Use the bind ssl vserver <vServerName> -ciphername <ciphername> command to bind an SSL cipher to an SSL virtual server.

Use the bind ssl service <serviceName> -ciphername <ciphername> command to bind an SSL cipher to an SSL service.

Note: New ciphers and cipher groups are added to the existing list and not replaced.
Why can't I create a new cipher group and bind ciphers to it by using the add cipher command?
The add cipher command functionality has changed in release 10. The command only creates a cipher group. To add ciphers to the group, use the bind cipher command.

OpenSSL

How do I install the OpenSSL toolkit?

See the article at http://support.citrix.com/article/ctx106627.

How do I use OpenSSL to convert certificates between PEM and DER?
To use OpenSSL, you must have a working installation of the OpenSSL software and be able to execute Openssl from the command line.

x509 certificates and RSA keys can be stored in a number of different formats.

Two common formats are DER (a binary format used primarily by Java and Macintosh platforms) and PEM (a base64 representation of DER with header and footer information, which is used primarily by UNIX and Linux platforms). There is also an obsolete NET (Netscape server) format that was used by earlier versions of IIS (up to and including 4.0) and various other less common formats that are not covered in this article.

A key and the corresponding certificate, as well as the root and any intermediate certificates, can also be stored in a single PKCS#12 (.P12, .PFX) file.

Procedure

Use the Openssl command to convert between formats as follows:
  1. To convert a certificate from PEM to DER:

    openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

  2. To convert a certificate from DER to PEM:

    openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

  3. To convert a key from PEM to DER:

    openssl rsa -in input.key -inform PEM -out output.key -outform DER

  4. To convert a key from DER to PEM:

    openssl rsa -in input.key -inform DER -out output.key -outform PEM

Note: If the key you are importing is encrypted with a supported symmetric cipher, you are prompted to enter the pass-phrase.
Note: To convert a key to or from the obsolete NET (Netscape server) format, substitute NET for PEM or DER as appropriate. The stored key is encrypted in a weak unsalted RC4 symmetric cipher, so a pass-phrase will be requested. A blank pass-phrase is acceptable.
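An added example (not from the Citrix page) that makes the PEM/DER relationship described above concrete in Python: PEM is the base64 of the DER bytes between BEGIN and END lines, and the converter also checks that the DER is one complete SEQUENCE, which is what a truncated file fails. Encrypted PEM keys (Proc-Type: 4,ENCRYPTED) are refused rather than decrypted, and the sample DER is a constructed stub, not a real certificate.

```python
# Added example (not from the Citrix page): a stdlib-only PEM/DER converter with a
# DER sanity check. PEM = base64(DER) wrapped at 64 columns between BEGIN/END lines.
import base64
import re
from typing import Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag 0x30). Certificates and
    RSA keys are both SEQUENCEs; raise if the header is malformed."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_der(der: bytes) -> bytes:
    """Reject truncated or padded input: the SEQUENCE must span exactly the data."""
    expected = der_sequence_length(der)
    if expected != len(der):
        raise ValueError(f"DER length mismatch: header says {expected} bytes, got {len(der)}")
    return der


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Decode the first PEM block; returns (label, der)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if body.startswith("Proc-Type:"):      # legacy encrypted key, see the note above
        raise ValueError("encrypted PEM key; decrypt it with openssl rsa first")
    der = base64.b64decode("".join(body.split()), validate=True)
    return label, check_der(der)


def der_to_pem(der: bytes, label: str) -> str:
    """Encode DER as PEM: 64-column base64 between BEGIN/END lines."""
    b64 = base64.b64encode(check_der(der)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def convert_file(src: str, dst: str, label: str = "CERTIFICATE") -> str:
    """Convert src to the other format and write dst. The direction is detected from
    the content: DER starts with the SEQUENCE tag 0x30, PEM with a BEGIN line.
    Returns the format written ("PEM" or "DER"). Pass label="RSA PRIVATE KEY"
    when converting a key from DER; the DER key is unencrypted, so protect dst."""
    with open(src, "rb") as fh:
        data = fh.read()
    if data[:1] == b"\x30":
        with open(dst, "w") as out:
            out.write(der_to_pem(data, label))
        return "PEM"
    _, der = pem_to_der(data.decode("ascii"))
    with open(dst, "wb") as out:
        out.write(der)
    return "DER"


if __name__ == "__main__":
    # Constructed DER stub: a SEQUENCE with a long-form length (256 zero bytes), not a real cert.
    demo = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
    pem = der_to_pem(demo, "CERTIFICATE")
    assert pem_to_der(pem) == ("CERTIFICATE", demo)
    print(pem)
```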

System Limits

What are the important numbers to remember?
  1. Create Certificate Request:
    • Request File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • PEM Passphrase (For Encrypted Key): Maximum 31 characters
    • Common Name: Maximum 63 characters
    • City: Maximum 127 characters
    • Organization Name: Maximum 63 characters
    • State/Province Name: Maximum 63 characters
    • Email Address: Maximum 39 Characters
    • Organization Unit: Maximum 63 characters
    • Challenge Password: Maximum 20 characters
    • Company Name: Maximum 127 characters
  2. Create Certificate:
    • Certificate File Name: Maximum 63 characters
    • Certificate Request File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • PEM Passphrase: Maximum 31 characters
    • Validity Period: Maximum 3650 days
    • CA Certificate File Name: Maximum 63 characters
    • CA Key File Name: Maximum 63 characters
    • PEM Passphrase: Maximum 31 characters
    • CA Serial Number File: Maximum 63 characters
  3. Create and Install a Server Test Certificate:
    • Certificate File Name: Maximum 31 characters
    • Fully Qualified Domain Name: Maximum 63 characters
  4. Create Diffie-Hellman (DH) key:
    • DH Filename (with path): Maximum 63 characters
    • DH Parameter Size: Maximum 2048 bits
  5. Import PKCS12 key:
    • Output File Name: Maximum 63 characters
    • PKCS12 File Name: Maximum 63 characters
    • Import Password: Maximum 31 characters
    • PEM Passphrase: Maximum 31 characters
    • Verify PEM Passphrase: Maximum 31 characters
  6. Export PKCS12
    • PKCS12 File Name: Maximum 63 characters
    • Certificate File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • Export Password: Maximum 31 characters
    • PEM Passphrase: Maximum 31 characters
  7. CRL Management:
    • CA Certificate File Name: Maximum 63 characters
    • CA Key File Name: Maximum 63 characters
    • CA Key File Password: Maximum 31 characters
    • Index File Name: Maximum 63 characters
    • Certificate File Name: Maximum 63 characters
  8. Create RSA Key:
    • Key Filename: Maximum 63 characters
    • Key Size: Maximum 4096 bits
    • PEM Passphrase: Maximum 31 characters
    • Verify Passphrase: Maximum 31 characters
  9. Create DSA Key:
    • Key Filename: Maximum 63 characters
    • Key Size: Maximum 4096 bits
    • PEM Passphrase: Maximum 31 characters
    • Verify Passphrase: Maximum 31 characters
  10. Change advanced SSL settings:
    • Maximum CRL memory size: Maximum 1024 Mbytes
    • Encryption trigger timeout (10 ms ticks): Maximum 200
    • Encryption trigger packet count: Maximum 50
    • OCSP cache size: Maximum 512 Mbytes
  11. Install Certificate:
    • Certificate-Key pair Name: Maximum 31 characters
    • Certificate File Name: Maximum 63 characters
    • Private Key File Name: Maximum 63 characters
    • Password: Maximum 31 characters
    • Notification Period: Maximum 100
  12. Create Cipher Group:
    • Cipher Group Name: Maximum 39 characters
  13. Create CRL:
    • CRL Name: Maximum 31 characters
    • CRL File: Maximum 63 characters
    • URL: Maximum 127 characters
    • Base DN: Maximum 127 characters
    • Bind DN: Maximum 127 characters
    • Password: Maximum 31 characters
    • Day(s): Maximum 31
  14. Create SSL Policy:
    • Name: Maximum 127 characters
  15. Create SSL Action:
    • Name: Maximum 127 characters
  16. Create OCSP Responder:
    • Name: Maximum 32 characters
    • URL: Maximum 128 characters
    • Batching Depth: Maximum 8
    • Batching Delay: Maximum 10000
    • Produced At Time Skew: Maximum 86400
    • Request Time-out: Maximum 120000
  17. Create Virtual Server:
    • Name: Maximum 127 characters
    • Redirect URL: Maximum 127 characters
    • Client Time-out: Maximum 31536000 secs
  18. Create Service:
    • Name: Maximum 127 characters
    • Idle Time-out (secs):
      • Client: Maximum 31536000
      • Server: Maximum 31536000

  19. Create Service Group:
    • Service Group Name: Maximum 127 characters
    • Server ID: Maximum 4294967295
    • Idle Time-out (secs):
      • Client: Maximum 31536000
      • Server: Maximum 31536000

  20. Create Monitor:
    • Name: Maximum 31 characters
  21. Create Server:
    • Server Name: Maximum 127 characters
    • Domain Name: Maximum 255 characters
    • Resolve Retry: Maximum 20939 secs