Product Documentation

Adding a Group of SSL Certificates

Mar 22, 2012

If the server certificate is issued by an intermediate CA rather than directly by a root CA that standard web browsers trust, the intermediate CA certificate(s) must be sent to the client along with the server's own certificate. Otherwise the browser cannot build a trust path from the server certificate to a trusted root, fails to authenticate the server certificate, and terminates the SSL session.

There are two ways to add the server and intermediate certificates:

  • Create a certificate set that contains the chain of certificates.
  • Create a chain of certificates manually by adding and linking the certificates individually.

Adding and Linking a Certificate Set

Updated: 2014-06-17

Note: This feature is not supported on the NetScaler FIPS platform.

Instead of adding and linking individual certificates, you can now group a server certificate and up to nine intermediate certificates in a single file, and then specify the file's name when adding a certificate-key pair. Before you do so, make sure that the following prerequisites are met.

  • The certificates in the file are in the following order:
    • Server certificate (should be the first certificate in the file)
    • Optionally, a server key
    • Intermediate certificate 1 (ic1)
    • Intermediate certificate 2 (ic2)
    • Intermediate certificate 3 (ic3), and so on
      Note: Intermediate certificate files are created for each intermediate certificate with the name "<certificatebundlename>.pem_ic<n>" where n is between 1 and 9. For example, bundle.pem_ic1, where bundle is the name of the certificate set and ic1 is the first intermediate certificate in the set.
  • The Bundle option is selected when the certificate-key pair is added (-bundle YES on the command line).
  • No more than nine intermediate certificates are present in the file.

The file is parsed and the server certificate, intermediate certificates, and server key (if present) are identified. First, the server certificate and key are added. Then the intermediate certificates are added in the order in which they appear in the file, and each certificate is linked to the one that follows it (server certificate to ic1, ic1 to ic2, and so on).

An error is reported if any of the following conditions exist:

  • A certificate file for one of the intermediate certificates already exists on the appliance.
  • The key is placed before the server certificate in the file.
  • An intermediate certificate is placed before the server certificate.
  • Intermediate certificates are not placed in the file in chain order (each certificate must be followed by the certificate of its issuer).
  • No certificates are present in the file.
  • A certificate is not in the proper PEM format.
  • The number of intermediate certificates in the file exceeds nine.

To add a certificate set by using the command line interface

At the command prompt, type the following commands to create a certificate set and verify the configuration:

  1. add ssl certKey <certkeyName> -cert <string> -key <string> -bundle (YES | NO)
  2. show ssl certKey
  3. show ssl certlink

Example

In the following example, the certificate set (bundle.pem) contains a server certificate and three intermediate certificates, which the appliance installs and links as follows:

  • server certificate (bundle) linked to bundle_ic1
  • First intermediate certificate (bundle_ic1) linked to bundle_ic2
  • Second intermediate certificate (bundle_ic2) linked to bundle_ic3
  • Third intermediate certificate (bundle_ic3)
 > add ssl certKey bundle -cert bundle.pem -key bundle.pem -bundle yes 
  
 > show ssl certkey 
 
 1) Name: bundle 
 Cert Path: /nsconfig/ssl/bundle.pem 
 Format: PEM 
 Status: Valid, Days to expiration:10415 
 Certificate Expiry Monitor: DISABLED 
 
 2) Name: bundle_ic1 
 Cert Path: /nsconfig/ssl/bundle.pem_ic1 
 Format: PEM 
 Status: Valid, Days to expiration:10415 
 Certificate Expiry Monitor: DISABLED 
 
 3) Name: bundle_ic2 
 Cert Path: /nsconfig/ssl/bundle.pem_ic2 
 Format: PEM 
 Status: Valid, Days to expiration:10415 
 Certificate Expiry Monitor: DISABLED 
 
 4) Name: bundle_ic3 
 Cert Path: /nsconfig/ssl/bundle.pem_ic3 
 Format: PEM 
 Status: Valid, Days to expiration:10415 
 Certificate Expiry Monitor: DISABLED 
 Done 
 
 > show ssl certlink 
 
 1) Cert Name: bundle CA Cert Name: bundle_ic1 
 2) Cert Name: bundle_ic1 CA Cert Name: bundle_ic2 
 3) Cert Name: bundle_ic2 CA Cert Name: bundle_ic3 
 Done

To add a certificate set by using the configuration utility

  1. Navigate to Traffic Management > SSL > Certificates.
  2. In the SSL Certificates pane, click Install.
  3. In the Install Certificate dialog box, type the details, such as the certificate and key file name, and then select Certificate Bundle.
  4. Click Install, and then click Close.

Creating a Chain of Certificates

Updated: 2013-08-20

Instead of using a set of certificates (a single file), you can create a chain of certificates. The chain links the server certificate to its issuer (the intermediate CA). For this approach to work, the intermediate CA certificate file must already be installed on the NetScaler appliance, and the chain must end in a certificate that the client application trusts. For example, link Cert-Intermediate-A to Cert-Intermediate-B, where Cert-Intermediate-B is linked to Cert-Intermediate-C, which is a certificate trusted by the client application.

Note: The NetScaler supports sending a maximum of 10 certificates in the chain of certificates sent to the client (one server certificate and nine CA certificates).

To create a certificate chain by using the command line interface

At the command prompt, type the following commands to create a certificate chain and verify the configuration. (Repeat the first command for each new link in the chain.)

  • link ssl certkey <certKeyName> <linkCertKeyName>
  • show ssl certlink

Example

 
> link ssl certkey siteAcertkey CAcertkey 
 Done 
 
> show ssl certlink 
 
linked certificate: 
       1) Cert Name: siteAcertkey CA Cert Name: CAcertkey 
 Done 
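The following Python script is added here as an illustration; it is not part of the NetScaler documentation or product. It checks a bundle file against the structural rules listed in the previous section (server certificate first, optional key immediately after it, no more than nine intermediates, well-formed PEM), splits the file into the per-certificate files the appliance would create (bundle.pem, bundle.pem_ic1, ...), and prints the equivalent CLI for both methods described on this page: the single command with -bundle YES, and the individual add and link commands of this section. The sample bundle is constructed from dummy payloads and contains no real certificates or keys, and the function names are the example's own. The script does not verify that each certificate was issued by the next one, because that requires X.509 parsing; run `openssl x509 -noout -subject -issuer -in <file>` on each split file to confirm the chain order before installing.

```python
"""Pre-flight check for a NetScaler SSL certificate bundle file.

Added example (not from the NetScaler documentation or product). Enforces the
structural rules listed for a bundle file, splits it into the per-certificate
files the appliance creates, and emits the equivalent CLI for both methods.
It does not verify issuer/subject chaining; use openssl for that.
"""
import base64
import re

MAX_INTERMEDIATES = 9
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


class BundleError(ValueError):
    """Any condition the documentation says the appliance rejects."""


def parse_pem(text):
    """Return [(label, raw_block)] in file order; reject malformed base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        if not der:
            raise BundleError(f"{label} block is not in proper PEM format")
        blocks.append((label, m.group(0)))
    if not blocks:
        raise BundleError("no certificates present in the file")
    return blocks


def check_order(blocks):
    """Apply the ordering rules; return (server cert [+ key], intermediates)."""
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        raise BundleError("no certificates present in the file")
    if labels[0] != "CERTIFICATE":
        raise BundleError("the server certificate must be the first block")
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    if len(keys) > 1 or (keys and keys[0] != 1):
        raise BundleError("only one server key is allowed and it must directly follow the server certificate")
    if any(l != "CERTIFICATE" and not l.endswith("PRIVATE KEY") for l in labels):
        raise BundleError("unexpected PEM block type in the file")
    head, intermediates = blocks[: 1 + len(keys)], blocks[1 + len(keys):]
    if len(intermediates) > MAX_INTERMEDIATES:
        raise BundleError(f"{len(intermediates)} intermediates exceed the limit of {MAX_INTERMEDIATES}")
    return head, intermediates


def bundle_error(text):
    """Rejection reason for a bundle file, or None when it passes the checks."""
    try:
        check_order(parse_pem(text))
    except BundleError as exc:
        return str(exc)
    return None


def split_bundle(text, file_name):
    """{file_name: server cert (+ key), file_name_ic<n>: intermediate n}."""
    head, intermediates = check_order(parse_pem(text))
    files = {file_name: "\n".join(raw for _, raw in head) + "\n"}
    for n, (_, raw) in enumerate(intermediates, start=1):
        files[f"{file_name}_ic{n}"] = raw + "\n"
    return files


def netscaler_commands(text, certkey, file_name, bundle=True):
    """CLI for the bundle method (one command) or the manual add + link method."""
    head, intermediates = check_order(parse_pem(text))
    key_opt = f" -key {file_name}" if len(head) == 2 else ""
    if bundle:
        return [f"add ssl certKey {certkey} -cert {file_name}{key_opt} -bundle YES"]
    cmds = [f"add ssl certKey {certkey} -cert {file_name}{key_opt}"]
    names = [f"{certkey}_ic{n}" for n in range(1, len(intermediates) + 1)]
    cmds += [f"add ssl certKey {n} -cert {file_name}_ic{i}" for i, n in enumerate(names, 1)]
    cmds += [f"link ssl certkey {p} {c}" for p, c in zip([certkey] + names, names)]
    return cmds


def fake_pem_block(label, payload):
    """Constructed PEM block with a dummy payload: NOT a real certificate or key."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----"


# Constructed sample: server certificate, its key, then three intermediates.
SAMPLE_BUNDLE = "\n".join([
    fake_pem_block("CERTIFICATE", b"server cert"),
    fake_pem_block("RSA PRIVATE KEY", b"server key"),
] + [fake_pem_block("CERTIFICATE", b"intermediate %d" % n) for n in (1, 2, 3)]) + "\n"

if __name__ == "__main__":
    print("\n".join(netscaler_commands(SAMPLE_BUNDLE, "bundle", "bundle.pem")))
    print("\n".join(netscaler_commands(SAMPLE_BUNDLE, "bundle", "bundle.pem", bundle=False)))
```

For the sample bundle the manual method produces seven commands: one add for the server certificate and key, three adds for bundle_ic1 through bundle_ic3, and three link commands that reproduce exactly the `show ssl certlink` output shown for the bundle method above. Checking the PEM structure locally is cheaper than discovering an ordering error after upload, but it does not replace confirming with openssl that each intermediate actually issued the certificate before it.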

To create a certificate chain by using the configuration utility

  1. Navigate to Traffic Management > SSL > Certificates.
  2. Select a server certificate, and in the Action list, select Link, and specify a CA certificate name.