
Case Study: Installing a Certificate on a NetScaler Appliance Displays a "resource already exists" Error Message

Document ID: CTX117284   /   Created On: Jun 18, 2008   /   Updated On: Jun 20, 2008

Problem Definition

When the customer tried to install the certificate on the NetScaler appliance, the following error message appeared:

"resource already exists"

Background

When you create certificates, each certificate must have a unique serial number. Additionally, a certificate has the following components that help identify it:

  • Subject: the common name to which the certificate is issued. The Subject is generally a domain name and uniquely identifies the entity to which the certificate is issued.
  • Serial Number: a unique number for the certificate. This number is issued by a certification authority.
  • Issuer unique identifier: a unique identification for the certificate issuing authority.
  • Subject unique identification: the unique identification for the owner of the certificate.

A customer had created certificates and had an issue while adding them to the NetScaler appliance.

Environment

The customer had a pair of NetScaler appliances configured for high availability. Additionally, the SSL Offloading feature was enabled on the NetScaler appliance pair.

Troubleshooting Methodology

The Escalation engineers wanted to check the certificate details for the customer setup. They asked the customer to send the previously installed certificates or the output of the following commands for each certificate installed on the NetScaler appliance:

1. From the shell prompt, run the following command to display the information about the certification authority:

openssl x509 -in /nsconfig/ssl/<cert_name>.crt -text -noout | grep Issuer

The following is the sample output of the command:

Example.site1.com.crt

Issuer: C=US, ST=TX, L=Plano, O=Example Inc, OU=Engineering, CN=Example RSC Server Root IN/emailAddress=examplerscrootin@example.com

Example.site2.com.crt

Issuer: C=US, ST=TX, L=Plano, O=Example Inc, OU=Engineering, CN=Example RSC Server Root CA/emailAddress=examplerscrootin@example.com

2. From the shell prompt, run the following command to display the information about the serial number of the certificate:

openssl x509 -in /nsconfig/ssl/<cert_name>.crt -text -noout | grep Serial

The following is the sample output of the command:

Example.site1.com.crt

Serial Number: 41 (0x29)

Example.site2.com.crt

Serial Number: 41 (0x29)

Example.site1.com.crt

Serial Number: 42 (0x2a)

After analyzing these outputs, the Escalation engineers concluded that some of the certificates had the same serial numbers issued by the same certification authority.

Resolution

You cannot install two certificates with the same serial number from the same certification authority. To resolve this issue, you must install certificates that have unique serial numbers from the same certification authority. Each certification authority maintains a list of unique serial numbers for the certificates it has issued.
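
The two checks from the troubleshooting steps can be run across all certificate files at once to list the ones that share an issuer and serial number. This is an added example, not part of the original Citrix article; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: report certificate files that share an (issuer, serial) pair.
# Assumes PEM-encoded certificates, which is what `openssl x509` reads by default.

# Emit one "file<TAB>issuer<TAB>serial" row per readable certificate file.
cert_rows() {
    for f in "$@"; do
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
        serial=$(openssl x509 -in "$f" -noout -serial 2>/dev/null | sed 's/^serial=//')
        if [ -z "$issuer" ] || [ -z "$serial" ]; then
            echo "skipped (not a readable certificate): $f" >&2
            continue
        fi
        printf '%s\t%s\t%s\n' "$f" "$issuer" "$serial"
    done
}

# Read rows on stdin; print one line per (issuer, serial) pair used by 2+ files.
find_duplicates() {
    awk -F '\t' '
        {
            key = $2 "\t" toupper($3)      # hex serials compare case-insensitively
            count[key]++
            if (key in files) files[key] = files[key] "," $1
            else files[key] = $1
        }
        END {
            for (k in count) if (count[k] > 1) {
                split(k, part, "\t")
                printf "serial=%s issuer=%s files=%s\n", part[2], part[1], files[k]
            }
        }
    ' | sort
}

# Constructed sample rows (not taken from a real appliance).
sample_rows() {
    printf 'site1.crt\tCN=Constructed Test CA\t29\n'
    printf 'site2.crt\tCN=Constructed Test CA\t29\n'
    printf 'site3.crt\tCN=Constructed Test CA\t2A\n'
    printf 'site4.crt\tCN=Other Constructed CA\t29\n'
}

# With file arguments, scan them; with none, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    cert_rows "$@" | find_duplicates
else
    sample_rows | find_duplicates
fi
```

On the appliance shell, pass the certificate files as arguments, for example `sh dupcheck.sh /nsconfig/ssl/*.crt` (the script name is hypothetical). In the sample, site4.crt reuses serial 29 but is not reported because its issuer differs.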

