Symptoms
You cannot connect to the NetScaler GUI through SSL with Firefox.
-Or-
You receive an error message stating that the NetScaler certificate has an invalid or duplicate serial number.
Cause
The self-signed certificates included with the NetScaler (ns-root.cert and ns-server.cert) have serial numbers zero and one, respectively. These can conflict with other certificates generated by the NetScaler, because it also assigns a serial number of one to each new self-signed certificate it generates.
While Internet Explorer produces an error or warning and continues to let the user access the resource using a NetScaler-generated certificate, Firefox displays an error and may prevent the user from connecting altogether.
An example of an error message is below:
"Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number."

Resolution
You must generate a new certificate from the NetScaler shell using the included OpenSSL tools. This method allows you to generate a certificate with the serial number of your choosing. Complete the following procedure:
1. Create a small configuration file for OpenSSL to use. Below is a sample, which you can copy and paste into a text editor and upload to your NetScaler. Save the file as nsopenssl.conf in the /nsconfig/ssl directory for future use.
Sample nsopenssl.conf configuration file:
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default = Ft. Lauderdale
organizationName = Organization Name (eg, company)
organizationName_default = Netscaler
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_default = Citrix.com
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = nsroot@nsroot.com
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
2. Now that the file is created and saved in the /nsconfig/ssl directory, connect to the NetScaler through Secure Shell (SSH) or the console and issue the shell command.
3. Issue the following command to change the directory into the working directory, /nsconfig/ssl, where all certificates are stored on the NetScaler:
root@ns# cd /nsconfig/ssl
4. Issue the following command:
root@ns# openssl genrsa -des3 -out my.key 1024
This creates the key you will use with your certificate and calls it my.key (you can change the name if you wish). The key length is 1024 bytes, but you can change this to suit your needs. Once you issue this command, OpenSSL prompts you to create a passphrase for the key. Enter your desired passphrase (you must remember this passphrase).
5. Issue the following command:
root@ns# openssl req -config nsopenssl.conf -new -x509 -days 1000 -key my.key -out my.cert -set_serial 12345
This creates the certificate (my.cert) using the key you just created and gives the certificate a validity of 1,000 days. This command also sets the certificate's serial number to 12345 (which you may change as needed). You are prompted for the password for the key. You are also prompted for some information about the certificate (such as company name, and so on). This information is not required, and you may press the ENTER key to use the default values listed in brackets.
6. Import the certificate as usual in the NetScaler GUI. To import the certificate from the command line interface (CLI), see CTX108858 – How to Import Existing Certificates and Keys to a NetScaler Server.
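To confirm which certificates share an issuer and serial number (the condition behind the Firefox error quoted above), the following added example lists the colliding files. It is not Citrix code; it assumes a POSIX shell with awk and openssl, and the function names cert_ids and dup_serials are hypothetical.

```shell
#!/bin/sh
# Added example (not Citrix code). cert_ids and dup_serials are hypothetical names.

# Print "issuer<TAB>serial<TAB>file" for every readable PEM certificate given.
cert_ids() {
    for f in "$@"; do
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null) || continue
        serial=$(openssl x509 -in "$f" -noout -serial 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "${issuer#issuer=}" "${serial#serial=}" "$f"
    done
}

# Read cert_ids output on stdin and print "issuer<TAB>serial<TAB>files" for
# each issuer/serial pair carried by more than one file.
dup_serials() {
    awk -F '\t' '
        {
            s = toupper($2)            # openssl prints the serial in hex
            sub(/^0+/, "", s)          # "01" and "1" are the same number
            if (s == "") s = "0"
            key = $1 "\t" s
            count[key]++
            files[key] = (files[key] == "" ? $3 : files[key] " " $3)
        }
        END {
            for (k in count)
                if (count[k] > 1) printf "%s\t%s\n", k, files[k]
        }
    '
}

# Usage on the appliance shell:
#   cert_ids /nsconfig/ssl/*.cert | dup_serials
```

No output means every issuer and serial pair in the directory is unique; rerun it after step 5 to confirm the serial you chose does not collide with an existing certificate.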
More Information
For additional information on using OpenSSL, visit http://www.openssl.org.