Product Documentation

Modifying and Monitoring Certificates and Keys

Mar 20, 2015

To avoid downtime when replacing a certificate-key pair, you can update an existing certificate. If you want to replace a certificate with a certificate that was issued to a different domain, you must disable domain checks before updating the certificate.

To receive notifications about certificates due to expire, you can enable the expiry monitor.

Updating an Existing Server Certificate

When you remove or unbind a certificate from a configured SSL virtual server, or an SSL service, the virtual server or service becomes inactive until a new valid certificate is bound to it. To avoid downtime, you can use the update feature to replace a certificate-key pair that is bound to an SSL virtual server or an SSL service, without first unbinding the existing certificate.

To update an existing certificate-key pair by using the command line interface

At the command prompt, type the following commands to update an existing certificate-key pair and verify the configuration:

  • update ssl certkey <certkeyName> -cert <string> -key <string>
  • show ssl certKey <certkeyName>

Example

 
> update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem 
       -key /nsconfig/ssl/pkey.pem 
  Done  
 
> show ssl certkey siteAcertkey 
Name: siteAcertkey       Status: Valid 
       Version: 3 
       Serial Number: 02 
       Signature Algorithm: md5WithRSAEncryption 
       Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech 
       Validity 
            Not Before: Nov 11 14:58:18 2001 GMT 
            Not After: Aug 7 14:58:18 2004 GMT 
       Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security 
       Public Key Algorithm: rsaEncryption 
       Public Key size: 2048  
  Done 

To update an existing certificate-key pair by using the configuration utility

Navigate to Traffic Management > SSL > Certificates, select a certificate, and click Update.

Disabling Domain Checks

When an SSL certificate is replaced on the NetScaler, the domain name in the new certificate must match the domain name of the certificate being replaced. For example, if you have a certificate issued to abc.com, and you are updating it with a certificate issued to def.com, the certificate update fails.

However, if you want the server that has been hosting a particular domain to now host a new domain, you can disable the domain check before updating its certificate.

To disable the domain check for a certificate by using the command line interface

At the command prompt, type the following commands to disable the domain check and verify the configuration:

  • update ssl certKey <certkeyName> -noDomainCheck
  • show ssl certKey <certkeyName>

Example

 
> update ssl certKey sv -noDomainCheck 
 Done 
> show ssl certkey sv 
	Name: sv 
	Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem 
	Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky 
	Format: PEM 
	Status: Valid,   Days to expiration:9349 
	Certificate Expiry Monitor: DISABLED 
 Done 

To disable the domain check for a certificate by using the configuration utility

  1. Navigate to Traffic Management > SSL > Certificates, select a certificate, and click Update.
  2. Select No Domain Check.

Enabling the Expiry Monitor

An SSL certificate is valid for a specific period of time. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. An expiry monitor configured on the NetScaler appliance creates entries in the appliance's syslog and nsaudit logs when a certificate configured on the appliance is due to expire.

If you want to create SNMP alerts for certificate expiration, you must configure them separately.

For information about monitoring on the NetScaler appliance, see .

To enable an expiry monitor for a certificate by using the command line interface

At the command prompt, type the following commands to enable an expiry monitor for a certificate and verify the configuration:

  • set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]
  • show ssl certKey <certkeyName>

Example

 
> set ssl certKey sv -expiryMonitor ENABLED -notificationPeriod 60 
  Done 
 
> show ssl certkey sv 
Name: sv 
	Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem 
	Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky 
	Format: PEM 
	Status: Valid,   Days to expiration:9349 
	Certificate Expiry Monitor: ENABLED 
	Expiry Notification period: 60 days 
  Done 
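As an added example (not code from the page or from NetScaler), the following Python audit parses `show ssl certKey` output in the layout shown above and flags certkeys whose expiry monitor is disabled, or whose remaining validity already falls inside the notification period. The sample output is constructed, and the 30-day fallback period used for entries without a configured period is an assumption.

```python
import re

# Constructed sample of `show ssl certKey` output (field layout taken from this
# page; the three certkeys themselves are made up, not from a real appliance).
SAMPLE_SHOW_OUTPUT = """\
\tName: sv
\tStatus: Valid,   Days to expiration:9349
\tCertificate Expiry Monitor: ENABLED
\tExpiry Notification period: 60 days
\tName: siteAcertkey
\tStatus: Valid,   Days to expiration:45
\tCertificate Expiry Monitor: ENABLED
\tExpiry Notification period: 60 days
\tName: legacy
\tStatus: Valid,   Days to expiration:12
\tCertificate Expiry Monitor: DISABLED
 Done
"""

def parse_certkeys(text):
    """Split show output into one dict per certkey; a "Name:" line starts an entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Name:\s*(\S+)", line):
            current = {"name": m.group(1), "days": None, "monitor": None, "period": None}
            entries.append(current)
        elif current is None:
            continue  # text before the first certkey (prompt echo, etc.)
        elif m := re.search(r"Days to expiration:\s*(\d+)", line):
            current["days"] = int(m.group(1))
        elif m := re.match(r"Certificate Expiry Monitor:\s*(ENABLED|DISABLED)", line):
            current["monitor"] = m.group(1)
        elif m := re.match(r"Expiry Notification period:\s*(\d+)", line):
            current["period"] = int(m.group(1))
    return entries

def audit(entries, default_period=30):
    """Flag certkeys whose monitor is off or whose expiry falls inside the
    notification window; default_period is an assumed fallback, not from the page."""
    findings = []
    for e in entries:
        if e["monitor"] != "ENABLED":
            findings.append((e["name"], "expiry monitor disabled"))
        period = e["period"] if e["period"] is not None else default_period
        if e["days"] is not None and e["days"] <= period:
            findings.append((e["name"], f"expires in {e['days']} days (within {period}-day window)"))
    return findings
```

Feeding the real `show ssl certKey` output of all certkeys through `parse_certkeys` and `audit` gives a quick list of the certificates that will appear in syslog or nsaudit soon, plus those that would never be reported because the monitor is off.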

To enable an expiry monitor for a certificate by using the configuration utility

  1. Navigate to Traffic Management > SSL > Certificates, select a certificate, and click Update.
  2. Select Notify When Expires, and optionally specify a notification period.