For any SSL transaction, the server needs a valid certificate and the corresponding key pair. The client obtains the server's public key from the server's certificate and uses it to authenticate the server and, with RSA key exchange, to encrypt the secret from which the session keys are derived; completing the handshake requires the corresponding private key. The SSL data itself is then protected with those symmetric session keys, so possession of the private key is what allows the appliance to terminate the connection on the server's behalf.
Because the NetScaler appliance offloads SSL transactions from the server, the server's certificate and private key must be present on the appliance, and the certificate must be paired with its corresponding private key. This certificate-key pair must then be bound to the virtual server that processes the SSL transactions.
Note: From release 11.0, the default certificate on a NetScaler appliance is 2048 bits. In earlier builds, the default certificate was 512 bits or 1024 bits. After upgrading to release 11.0, you must delete all your old certificate-key pairs whose names start with "ns-", and then restart the appliance to automatically generate a 2048-bit default certificate.
Both the certificate and the key must be in local storage on the NetScaler appliance before the pair can be added. If your certificate or key file is not on the appliance, upload it to the appliance before you create the pair.
Important: Certificates and keys are stored in the /nsconfig/ssl directory by default. If your certificates or keys are stored in any other location, you must provide the absolute path to the files on the NetScaler appliance. The NetScaler FIPS appliances do not support external keys (non-FIPS keys). On a FIPS appliance, you cannot load keys from a local storage device such as a hard disk or flash memory. The FIPS keys must be present in the Hardware Security Module (HSM) of the appliance.
On a NetScaler MPX appliance and a NetScaler FIPS appliance, only RSA private keys are supported. On a VPX virtual appliance, both RSA and DSA private keys are supported. On an SDX appliance if SSL chips are assigned to an instance, then only RSA private keys are supported. However, if SSL chips are not assigned to an instance, then both RSA and DSA private keys are supported. In all the cases, you can bind a CA certificate with either RSA or DSA keys.
Enable the expiry monitor and set the notification period (the number of days before expiry at which the appliance begins to alert) so that you are warned before the certificate expires and clients start rejecting it.
The NetScaler appliance supports the following input formats of the certificate and the private-key files:
- PEM - Privacy Enhanced Mail
- DER - Distinguished Encoding Rule
- PFX - Personal Information Exchange
The format is automatically detected by the software. Therefore, you are no longer required to specify the format in the inform parameter. If you do specify the format (correct or incorrect), it is ignored by the software. The format of the certificate and the key file must be the same.
Note: A certificate must be signed by using one of the following hash algorithms (MD5 and SHA-1 are accepted only for compatibility with existing certificates; both are broken for collision resistance and current browsers reject server certificates signed with them, so have new certificates signed with SHA-256 or stronger):
- MD5
- SHA-1
- SHA-224
- SHA-256
- SHA-384
- SHA-512
An MPX appliance supports certificates of 512 or more bits, up to the following sizes:
- 4096-bit server certificate on the virtual server
- 4096-bit client certificate on the service
- 4096-bit CA certificate (includes intermediate and root certificates)
- 4096-bit certificate on the back-end server
- 4096-bit client certificate (if client authentication is enabled on the virtual server)
A VPX virtual appliance supports certificates of 512 or more bits, up to the following sizes:
- 4096-bit server certificate on the virtual server
- 4096-bit client certificate on the service
- 4096-bit CA certificate (includes intermediate and root certificates)
- 2048-bit certificate on the back-end server
- 2048-bit client certificate (if client authentication is enabled on the virtual server)
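As an added example (not part of this page and not NetScaler software), the following Go program performs the checks described above on a certificate and key before you upload them to the appliance: it auto-detects PEM or DER the way the appliance does and rejects a mismatch between the two files, verifies that the private key corresponds to the certificate's public key, checks the RSA key size against the 512-bit minimum and the platform limit passed as maxBits (4096 for server certificates; 2048 for back-end and client-authentication certificates on a VPX), confirms the signature algorithm uses one of the listed hashes, and evaluates whether an expiry monitor with a given notification period would already be alerting. PFX input, DSA keys and SHA-224 signatures are not handled, and the notification period is assumed to be expressed in days. MakeSelfSigned is a constructed fixture that stands in for real certificate and key files.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertKeyReport is what the pre-flight check establishes before the pair is added.
type CertKeyReport struct {
	Format   string    // "PEM" or "DER"; certificate and key must agree
	KeyBits  int       // RSA modulus size
	SigAlg   string    // e.g. "SHA256-RSA"
	NotAfter time.Time // certificate expiry
}

// RSA signatures over the hashes the page lists (Go's x509 has no SHA-224-with-RSA constant).
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.SHA256WithRSA: true,
	x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
}

// unarmor mirrors the appliance's format auto-detection: PEM armor present, else raw DER.
func unarmor(b []byte) (format string, der []byte) {
	if blk, _ := pem.Decode(b); blk != nil {
		return "PEM", blk.Bytes
	}
	return "DER", b
}

// parseRSAKey accepts PKCS#8 or PKCS#1 DER; RSA only, as on MPX/FIPS (a VPX's DSA keys are not handled).
func parseRSAKey(der []byte) (*rsa.PrivateKey, error) {
	if k, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		if rk, ok := k.(*rsa.PrivateKey); ok {
			return rk, nil
		}
		return nil, fmt.Errorf("private key is not RSA")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// CheckPair applies the page's rules: same input format for both files, a private key that
// matches the certificate's public key, a key size between 512 bits and maxBits (4096 for
// server certificates, 2048 for VPX back-end and client-auth certificates), and a listed hash.
func CheckPair(certBytes, keyBytes []byte, maxBits int) (r CertKeyReport, err error) {
	cf, certDER := unarmor(certBytes)
	kf, keyDER := unarmor(keyBytes)
	if cf != kf {
		return r, fmt.Errorf("format mismatch: certificate is %s, key is %s", cf, kf)
	}
	cert, cerr := x509.ParseCertificate(certDER)
	key, kerr := parseRSAKey(keyDER)
	if cerr != nil || kerr != nil {
		return r, fmt.Errorf("parse failed: certificate: %v; key: %v", cerr, kerr)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(key.Public()) {
		return r, fmt.Errorf("private key does not correspond to the certificate")
	}
	if bits := pub.N.BitLen(); bits < 512 || bits > maxBits {
		return r, fmt.Errorf("key size %d bits is outside the supported range 512..%d", bits, maxBits)
	}
	if !allowedSigAlgs[cert.SignatureAlgorithm] {
		return r, fmt.Errorf("unsupported signature algorithm %s", cert.SignatureAlgorithm)
	}
	return CertKeyReport{cf, pub.N.BitLen(), cert.SignatureAlgorithm.String(), cert.NotAfter}, nil
}

// ExpiryDue reports whether an expiry monitor with notificationDays would already alert at now.
func ExpiryDue(notAfter time.Time, notificationDays int, now time.Time) bool {
	return !now.Add(time.Duration(notificationDays) * 24 * time.Hour).Before(notAfter)
}

// MakeSelfSigned is a constructed fixture (not from the page): a PEM RSA key and a
// self-signed certificate for www.example.com; it panics on failure as test scaffolding does.
func MakeSelfSigned(bits, validDays int) (certPEM, keyPEM []byte) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(validDays) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	kder, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for an *rsa.PrivateKey
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}

func main() {
	certPEM, keyPEM := MakeSelfSigned(2048, 20) // constructed certificate with 20 days left
	r, err := CheckPair(certPEM, keyPEM, 4096)
	fmt.Printf("%+v err=%v 30-day-monitor-alerting=%v\n", r, err, ExpiryDue(r.NotAfter, 30, time.Now()))
}
```

Run it with go run: it generates a 20-day test certificate, reports it as a PEM 2048-bit RSA pair signed with SHA256-RSA, and shows that a 30-day notification period would already be alerting. The NetScaler CLI commands that follow a successful check, which this page does not show and are given here as the standard syntax rather than text from the page, are of the form add ssl certKey <name> -cert <file> -key <file> -expiryMonitor ENABLED -notificationPeriod <days>, followed by bind ssl vserver <vserver> -certkeyName <name>; file names are relative to /nsconfig/ssl unless given as absolute paths.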