A CA whose certificate is present on the NetScaler appliance must issue the client certificate used for client authentication. You must bind this certificate to the NetScaler virtual server that will carry out client authentication.
You must bind the CA certificate to the SSL virtual server in such a way that the NetScaler can form a complete certificate chain when it verifies the client certificate. Otherwise, certificate chain formation fails and the client is denied access even if its certificate is valid.
You can bind CA certificates to the SSL virtual server in any order. The NetScaler forms the proper order during client certificate verification.
For example, if the client presents a certificate issued by CA_A, where CA_A is an intermediate CA whose certificate is issued by CA_B, whose certificate is in turn issued by a trusted root CA, Root_CA, a chain of certificates that contain all three of these certificates must be bound to the virtual server on the NetScaler.
For instructions on binding one or more certificates to the virtual server, see Binding the Certificate-key Pair to the SSL Based Virtual Server.
For instructions on creating a chain of certificates, see Creating a Chain of Certificates.