The NetScaler Says a Certificate from VeriSign is Invalid. What do You do?

Q: The NetScaler says a certificate from VeriSign is invalid. What do you do?

A: The certificate is probably a chained certificate, which means it is actually two certificates bundled together. Some Web servers handle chained certificates properly, however the NetScaler needs to have the two certificates added separately, then a link cert must be performed.

If this is the case, when you double-click the certificate in Windows (this applies to Windows XP and earlier versions), it gives you an error saying the certificate cannot be used as a server certificate (you must save the certificate with the extension .cer so that Windows operating systems recognize it). In order to make use of this certificate, use the following procedure:

Upload the certificate to the NetScaler as normal.
From the shell, issue the following command:

openssl pkcs7 -in certificate.cer -print_certs

This generates a dump of the information contained in the certificate, including the two distinct certificates. The first one is most important and the second one needs to be chained to it to ensure compatibility.

The certificates begin with “-----BEGIN CERTIFICATE-----“ and end with “-----END CERTIFICATE-----“.

Note: Be sure when copying the information to a file to not include any extra spaces or lines before or after the header/footer shown above.