Adding a Group of SSL Certificates

Sep 01, 2016

If the server certificate is issued by an intermediate CA that is not recognized by standard web browsers as a trusted CA, the CA certificate(s) must be sent to the client with the server's own certificate. Otherwise, the browser terminates the SSL session because it fails to authenticate the server certificate.

There are two ways to add the server and intermediate certificates:

  • Create a certificate set that contains the chain of certificates.
  • Create a chain of certificates manually by adding and linking the certificates individually.

Adding and Linking a Certificate Set

Updated: 2014-06-17

Note: This feature is not supported on the NetScaler FIPS platform.

Instead of adding and linking individual certificates, you can now group a server certificate and up to nine intermediate certificates in a single file, and then specify the file's name when adding a certificate-key pair. Before you do so, make sure that the following prerequisites are met.

  • The certificates in the file are in the following order:
    • Server certificate (should be the first certificate in the file)
    • Optionally, a server key
    • Intermediate certificate 1 (ic1)
    • Intermediate certificate 2 (ic2)
    • Intermediate certificate 3 (ic3), and so on
      Note: Intermediate certificate files are created for each intermediate certificate with the name "<certificatebundlename>.pem_ic<n>" where n is between 1 and 9. For example, bundle.pem_ic1, where bundle is the name of the certificate set and ic1 is the first intermediate certificate in the set.
  • Bundle option is selected.
  • No more than nine intermediate certificates are present in the file.

The file is parsed and the server certificate, intermediate certificates, and server key (if present) are identified. First, the server certificate and key are added. Then, the intermediate certificates are added, in the order in which they were added to the file, and linked accordingly.

An error is reported if any of the following conditions exist:

  • A certificate file for one of the intermediate certificates already exists on the appliance.
  • The key is placed before the server certificate in the file.
  • An intermediate certificate is placed before the server certificate.
  • Intermediate certificates are not placed in the file in the same order as they are created.
  • No certificates are present in the file.
  • A certificate is not in the proper PEM format.
  • The number of intermediate certificates in the file exceeds nine.
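The ordering and count rules above can be checked before a bundle is uploaded. The following is an added example, not NetScaler code: a small Python validator that splits a PEM bundle into blocks, rejects the conditions the appliance reports as errors, and names the intermediate files the way the appliance does. The sample bundle is constructed from placeholder blocks (not real certificates), and the server/intermediate distinction is made by position only, since telling them apart by content would need X.509 parsing.

```python
import base64
import re

MAX_INTERMEDIATES = 9
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----")

def parse_bundle(text):
    """Split a bundle into ordered PEM blocks and apply the appliance's
    ordering rules: server certificate first, optional key directly after it,
    then at most nine intermediate certificates."""
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]
    # A BEGIN marker without a well-formed block means a damaged PEM entry.
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("a certificate is not in the proper PEM format")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        raise ValueError("no certificates are present in the file")
    first = blocks[0][0]
    if first.endswith("PRIVATE KEY"):
        raise ValueError("the key is placed before the server certificate")
    if first != "CERTIFICATE":
        raise ValueError(f"unsupported PEM block: {first}")
    key, intermediates = None, []
    for label, block in blocks[1:]:
        if label.endswith("PRIVATE KEY"):
            if key is not None or intermediates:
                raise ValueError("the key must directly follow the server certificate")
            key = block
        elif label == "CERTIFICATE":
            intermediates.append(block)
        else:
            raise ValueError(f"unsupported PEM block: {label}")
    if len(intermediates) > MAX_INTERMEDIATES:
        raise ValueError("the number of intermediate certificates exceeds nine")
    return {"server_cert": blocks[0][1], "key": key, "intermediates": intermediates}

def bundle_error(text):
    """Return the rejection reason for a bundle, or None if it passes."""
    try:
        parse_bundle(text)
    except ValueError as exc:
        return str(exc)
    return None

def intermediate_paths(bundle_file, count):
    """File names the appliance creates for split-out intermediates: <file>_ic<n>."""
    return [f"{bundle_file}_ic{n}" for n in range(1, count + 1)]

def fake_pem(label, name):
    """Constructed placeholder block; the body is not a real certificate or key."""
    body = base64.b64encode(f"constructed {name}".encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample in the documented order: server cert, key, three intermediates.
SAMPLE_BUNDLE = (fake_pem("CERTIFICATE", "server") + fake_pem("RSA PRIVATE KEY", "key")
                 + "".join(fake_pem("CERTIFICATE", f"ic{i}") for i in range(1, 4)))
```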

To add a certificate set by using the command line interface

At the command prompt, type the following commands to create a certificate set and verify the configuration:

  1. add ssl certKey <certkeyName> -cert <string> -key <string> -bundle (YES | NO)
  2. show ssl certKey
  3. show ssl certlink

Example

In the following example, the certificate set (bundle.pem) contains the following files:

  • server certificate (bundle) linked to bundle_ic1
  • First intermediate certificate (bundle_ic1) linked to bundle_ic2
  • Second intermediate certificate (bundle_ic2) linked to bundle_ic3
  • Third intermediate certificate (bundle_ic3)

> add ssl certKey bundle -cert bundle.pem -key bundle.pem -bundle yes

> sh ssl certkey
1)      Name: ns-server-certificate
        Cert Path: ns-server.cert
        Key Path: ns-server.key
        Format: PEM
        Status: Valid,   Days to expiration:5733
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Server Certificate
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default OULLFT
        Validity
                Not Before: Apr 21 15:56:16 2016 GMT
                Not After : Mar  3 06:30:56 2032 GMT
        Subject:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default OULLFT
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
2)      Name: servercert
        Cert Path: complete/server/server_rsa_1024.pem
        Key Path: complete/server/server_rsa_1024.ky
        Format: PEM
        Status: Valid,   Days to expiration:7150
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Server Certificate
        Version: 3
        Serial Number: 1F
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:  C=IN,ST=KAR,O=Citrix R&D Pvt Ltd,CN=Citrix
        Validity
                Not Before: Sep  2 09:54:07 2008 GMT
                Not After : Jan 19 09:54:07 2036 GMT
        Subject:  C=IN,ST=KAR,O=Citrix Pvt Ltd,CN=Citrix
        Public Key Algorithm: rsaEncryption
        Public Key size: 1024
3)      Name: bundletest
        Cert Path: bundle9.pem
        Key Path: bundle9.pem
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Server Certificate
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA9
        Validity
                Not Before: Nov 28 06:43:11 2014 GMT
                Not After : Nov 25 06:43:11 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=Server9
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
4)      Name: bundletest_ic1
        Cert Path: bundle9.pem_ic1
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA8
        Validity
                Not Before: Nov 28 06:42:56 2014 GMT
                Not After : Nov 25 06:42:56 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA9
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
5)      Name: bundletest_ic2
        Cert Path: bundle9.pem_ic2
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA7
        Validity
                Not Before: Nov 28 06:42:55 2014 GMT
                Not After : Nov 25 06:42:55 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA8
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
6)      Name: bundletest_ic3
        Cert Path: bundle9.pem_ic3
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA6
        Validity
                Not Before: Nov 28 06:42:53 2014 GMT
                Not After : Nov 25 06:42:53 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA7
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
7)      Name: bundletest_ic4
        Cert Path: bundle9.pem_ic4
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA5
        Validity
                Not Before: Nov 28 06:42:51 2014 GMT
                Not After : Nov 25 06:42:51 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA6
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
8)      Name: bundletest_ic5
        Cert Path: bundle9.pem_ic5
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA4
        Validity
                Not Before: Nov 28 06:42:50 2014 GMT
                Not After : Nov 25 06:42:50 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA5
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
9)      Name: bundletest_ic6
        Cert Path: bundle9.pem_ic6
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA3
        Validity
                Not Before: Nov 28 06:42:48 2014 GMT
                Not After : Nov 25 06:42:48 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA4
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
10)     Name: bundletest_ic7
        Cert Path: bundle9.pem_ic7
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA2
        Validity
                Not Before: Nov 28 06:42:46 2014 GMT
                Not After : Nov 25 06:42:46 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA3
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
11)     Name: bundletest_ic8
        Cert Path: bundle9.pem_ic8
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=ICA1
        Validity
                Not Before: Nov 28 06:42:45 2014 GMT
                Not After : Nov 25 06:42:45 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA2
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
12)     Name: bundletest_ic9
        Cert Path: bundle9.pem_ic9
        Format: PEM
        Status: Valid,   Days to expiration:3078
        Certificate Expiry Monitor: ENABLED
        Expiry Notification period: 30 days
        Certificate Type: Intermediate CA
        Version: 3
        Serial Number: 01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=IN,ST=ka,O=sslteam,CN=RootCA4096
        Validity
                Not Before: Nov 28 06:42:43 2014 GMT
                Not After : Nov 25 06:42:43 2024 GMT
        Subject:  C=IN,ST=ka,O=sslteam,CN=ICA1
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
Done

> sh ssl certlink
1)      Cert Name: bundletest    CA Cert Name: bundletest_ic1
2)      Cert Name: bundletest_ic1        CA Cert Name: bundletest_ic2
3)      Cert Name: bundletest_ic2        CA Cert Name: bundletest_ic3
4)      Cert Name: bundletest_ic3        CA Cert Name: bundletest_ic4
5)      Cert Name: bundletest_ic4        CA Cert Name: bundletest_ic5
6)      Cert Name: bundletest_ic5        CA Cert Name: bundletest_ic6
7)      Cert Name: bundletest_ic6        CA Cert Name: bundletest_ic7
8)      Cert Name: bundletest_ic7        CA Cert Name: bundletest_ic8
9)      Cert Name: bundletest_ic8        CA Cert Name: bundletest_ic9
Done

To add a certificate set by using the configuration utility

  1. Navigate to Traffic Management > SSL > Certificates.
  2. In the SSL Certificates pane, click Install.
  3. In the Install Certificate dialog box, type the details, such as the certificate and key file name, and then select Certificate Bundle.
  4. Click Install, and then click Close.

Creating a Chain of Certificates

Updated: 2013-08-20

Instead of using a set of certificates (a single file), you can create a chain of certificates. The chain links the server certificate to its issuer (the intermediate CA). For this approach to work, the intermediate CA certificate file must already be installed on the NetScaler appliance, and one of the certificates in the chain must be trusted by the client application. For example, link Cert-Intermediate-A to Cert-Intermediate-B, where Cert-Intermediate-B is linked to Cert-Intermediate-C, which is a certificate trusted by the client application.

Note: The NetScaler supports sending a maximum of 10 certificates in the chain of certificates sent to the client (one server certificate and nine CA certificates).

To create a certificate chain by using the command line interface

At the command prompt, type the following commands to create a certificate chain and verify the configuration. (Repeat the first command for each new link in the chain.)

  • link ssl certkey <certKeyName> <linkCertKeyName>
  • show ssl certlink

Example

> link ssl certkey siteAcertkey CAcertkey
 Done

> show ssl certlink
linked certificate:
       1) Cert Name: siteAcertkey CA Cert Name: CAcertkey
 Done

To create a certificate chain by using the configuration utility

  1. Navigate to Traffic Management > SSL > Certificates.
  2. Select a server certificate, and in the Action list, select Link, and specify a CA certificate name.