Product Documentation

Displaying a Certificate Chain

Jun 18, 2014

A certificate contains the name of the issuing authority (the issuer) and the subject to whom the certificate is issued. To validate a certificate, you must look at the issuer of that certificate and confirm that you trust the issuer. If you do not trust the issuer directly, you must see who issued the issuer's certificate, and so on up the chain until you reach a root CA certificate (a self-signed certificate whose subject and issuer are the same) or an issuer that you already trust.

As part of the SSL handshake, when a client requests the server certificate, the NetScaler appliance presents that certificate together with the chain of issuer certificates that are present on the appliance. If an intermediate or root certificate is missing, clients that do not already hold it cannot build a trusted path and the handshake fails. An administrator can view the certificate chain for each certificate on the appliance and install any missing certificates.

To view the certificate chain for the certificates present on the appliance by using the command line

At the command prompt, type:

show ssl certchain <cert_name>

Examples

The examples use three certificates: c1, c2, and c3. Certificate c1 is signed by c2, c2 is signed by c3, and c3 is the root CA certificate. The following scenarios illustrate the output of the show ssl certchain c1 command depending on which certificates are present on the appliance and which are linked.
  1. Scenario 1:
    • Certificate c2 is linked to c1, and c3 is linked to c2.
    • Certificate c3 is a root CA certificate.
    If you run the following command, the chain is displayed all the way up to the root CA certificate.
    > show ssl certchain c1 
    Certificate chain details of certificate name c1 are: 
    1) Certificate Name: c2               linked; not a root certificate
    2) Certificate Name: c3               linked; root certificate
    Done
  2. Scenario 2:
    • Certificate c2 is linked to c1.
    • Certificate c2 is not a root CA certificate.
    If you run the following command, the output shows that certificate c3 is present on the appliance and is a root CA certificate, but that it is not linked to c2.
    > show ssl certchain c1 
    Certificate chain details of certificate name c1 are: 
    1) Certificate Name: c2               linked; not a root certificate           
    2) Certificate Name: c3               not linked; root certificate  
    Done
  3. Scenario 3:
    • Certificate c1, c2, and c3 are not linked but are present on the appliance.
    If you run the following command, the output lists every certificate in the chain, starting with the issuer of certificate c1, and marks each one as not linked.
    > show ssl certchain c1 
    Certificate chain details of certificate name c1 are: 
    1) Certificate Name: c2               not linked; not a root certificate 
    2) Certificate Name: c3               not linked; root certificate  
    Done
  4. Scenario 4:
    • Certificate c2 is linked to c1.
    • Certificate c3 is not present on the appliance.
    If you run the following command, the output shows the certificate linked to c1 and then prompts you to add a certificate whose subject name matches the issuer name recorded in c2. In this case, the missing certificate is the root CA certificate c3.
    > show ssl certchain c1 
    Certificate chain details of certificate name c1 are: 
    1) Certificate Name: c2               linked; not a root certificate           
    2) Certificate Name: /C=IN/ST=ka/O=netscaler/CN=test   
       Action: Add a certificate with this subject name.  
    Done
  5. Scenario 5:
    • No certificate is linked to certificate c1, and the issuer certificate of c1 is not present on the appliance.
    If you run the following command, you are prompted to add a certificate whose subject name matches the issuer name recorded in certificate c1.
    > sh ssl certchain c1 
    Certificate chain details of certificate name c1 are: 
    1) Certificate Name: /ST=KA/C=IN 
       Action: Add a certificate with this subject name.
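
The five scenarios above all follow one procedure: start at the requested certificate, find its issuer among the certificates on the appliance (preferring an explicitly linked certificate), report whether that issuer is linked and whether it is a root, and stop either at a root certificate or at an issuer that is missing, in which case the subject name to add is printed. The following Python model of that walk is an added example, not NetScaler code and not the appliance's actual implementation. It matches certificates by subject and issuer name only and does not verify signatures (the appliance does verify a signature when you link certificates). The certificate names, distinguished names, and the Cert and cert_chain helpers are constructed for this example.

```python
"""Model of the `show ssl certchain` walk over the certificates installed on an
appliance.  Constructed example: names, DNs and helpers are not NetScaler code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cert:
    name: str                   # certificate name on the appliance
    subject: str                # subject distinguished name
    issuer: str                 # issuer distinguished name
    link: Optional[str] = None  # name of the certificate explicitly linked as this one's issuer

    @property
    def is_root(self) -> bool:
        # A root CA certificate is self-signed: its subject equals its issuer.
        return self.subject == self.issuer


def cert_chain(store: Dict[str, Cert], name: str) -> List[str]:
    """Return the output lines of `show ssl certchain <name>` for the given store."""
    lines = [f"Certificate chain details of certificate name {name} are:"]
    cur = store[name]
    seen = {name}
    step = 1
    while not cur.is_root:
        if cur.link and cur.link in store:
            # An explicit link takes precedence and is reported as "linked".
            nxt, linked = store[cur.link], True
        else:
            # Otherwise look for an installed certificate whose subject is our issuer.
            nxt = next((c for c in store.values() if c.subject == cur.issuer), None)
            linked = False
        if nxt is None:
            # Issuer not on the appliance: tell the administrator what to add.
            lines.append(f"{step}) Certificate Name: {cur.issuer}")
            lines.append("   Action: Add a certificate with this subject name.")
            break
        if nxt.name in seen:  # defensive: a cycle of non-root certs would loop forever
            raise ValueError("certificate chain loops")
        seen.add(nxt.name)
        status = "linked" if linked else "not linked"
        root = "root certificate" if nxt.is_root else "not a root certificate"
        lines.append(f"{step}) Certificate Name: {nxt.name:<16} {status}; {root}")
        cur, step = nxt, step + 1
    lines.append("Done")
    return lines


# Constructed sample distinguished names (the root DN mirrors the one in scenario 4).
ROOT_DN = "/C=IN/ST=ka/O=netscaler/CN=test"
INTER_DN = "/C=IN/ST=ka/O=netscaler/CN=intermediate"
LEAF_DN = "/C=IN/ST=ka/O=netscaler/CN=www"


def scenario(link_c1_c2: bool, link_c2_c3: bool, c3_present: bool) -> Dict[str, Cert]:
    """Build the c1/c2/c3 store for scenarios 1 through 4."""
    store = {
        "c1": Cert("c1", LEAF_DN, INTER_DN, link="c2" if link_c1_c2 else None),
        "c2": Cert("c2", INTER_DN, ROOT_DN, link="c3" if link_c2_c3 else None),
    }
    if c3_present:
        store["c3"] = Cert("c3", ROOT_DN, ROOT_DN)
    return store


def scenario5() -> Dict[str, Cert]:
    """Only c1 is installed, and nothing with its issuer's subject name is present."""
    return {"c1": Cert("c1", LEAF_DN, "/ST=KA/C=IN")}


if __name__ == "__main__":
    for label, store in [
        ("Scenario 1", scenario(True, True, True)),
        ("Scenario 2", scenario(True, False, True)),
        ("Scenario 3", scenario(False, False, True)),
        ("Scenario 4", scenario(True, False, False)),
        ("Scenario 5", scenario5()),
    ]:
        print(f"--- {label}")
        print("\n".join(cert_chain(store, "c1")))
```

Running the module prints the five outputs shown in the scenarios above. The useful operational check is the last line before "Done": a "not linked" issuer is present but has not been linked to the certificate below it, and an "Action" line names exactly the subject whose certificate still has to be installed.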