
ERROR: Invalid certificate

Document ID: CTX118115   /   Created On: Oct 6, 2008   /   Updated On: Oct 6, 2008

Symptoms

SSL certificates are installed on the appliance with either the graphical configuration utility or the command line:

add ssl certKey <certkeyName> -cert <certificateFileName> [(-key <keyFileName> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]

However, at times, certificates that appear to work on other platforms fail to install on the appliance, resulting in the following error message:

“ERROR: Invalid certificate”

Cause

If the certificate format choice is not the cause of the import failure, the cause may be extraneous whitespace (such as hidden control characters) in the certificate and/or key file. This issue is common with Privacy Enhanced Mail (PEM) or Base64 certificate files and key files that have been handled on a Microsoft Windows computer before being used on the appliance.

Resolution

The BSD Unix distribution on the appliance contains a full implementation of OpenSSL. OpenSSL can be used to import the certificate and key files, and the exported result will be free of the control characters that are preventing successful installation of the certificate.

1. Use a Secure Copy program to copy the certificate and key files to the /nsconfig/ssl folder of the appliance.

2. Open a Secure Shell (SSH) session to the appliance, and after authentication, run the shell command to switch to the BSD Unix shell.

3. Go to the /nsconfig/ssl folder:

cd /nsconfig/ssl

4. Use OpenSSL to import and export the certificate file. The following example is for PEM or Base64 certificates:

openssl x509 -in <certificateFileName> -out <newCertificateFileName>

5. Use OpenSSL to import and export the key file. The following example is for PEM or Base64 key files:

openssl rsa -in <keyFileName> -out <newKeyFileName>

The certificate importation into the appliance should now be successful with the newly exported versions of the files.
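
A check for the cause described above, and a confirmation that the re-exported pair still belongs together, as an added example that is not part of the original article. The function names pem_hidden_chars and cert_key_match are hypothetical helpers, not appliance commands; cert_key_match assumes an RSA key and openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): helper names are hypothetical.

# Report hidden characters that commonly survive a trip through Windows tools.
# Returns 0 if the file is clean, 1 if anything was found, 2 if unreadable.
pem_hidden_chars() {
    f=$1
    found=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # UTF-8 byte order mark (EF BB BF) prepended by some editors
    bom=$(od -An -tx1 -N3 "$f" | tr -d ' \n')
    if [ "$bom" = "efbbbf" ]; then
        echo "$f: UTF-8 BOM at start of file"; found=1
    fi

    # Carriage returns from CRLF line endings
    cr=$(LC_ALL=C tr -cd '\r' < "$f" | wc -c | tr -d ' ')
    if [ "$cr" -gt 0 ]; then
        echo "$f: $cr carriage return(s)"; found=1
    fi

    # Any other control character (everything except LF, CR and tab)
    ctl=$(LC_ALL=C tr -d '\n\r\t' < "$f" | LC_ALL=C tr -cd '[:cntrl:]' | wc -c | tr -d ' ')
    if [ "$ctl" -gt 0 ]; then
        echo "$f: $ctl other control character(s)"; found=1
    fi

    # Spaces or tabs left at the end of a line
    trail=$(tr -d '\r' < "$f" | LC_ALL=C grep -c '[[:blank:]]$' || true)
    if [ "$trail" -gt 0 ]; then
        echo "$f: $trail line(s) with trailing whitespace"; found=1
    fi

    return "$found"
}

# After re-exporting, confirm the certificate and RSA key still match
# by comparing their moduli. Returns 0 on match, 1 on mismatch, 2 on error.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ]
}
```

Run pem_hidden_chars on the original files to see what was wrong with them, and cert_key_match on the new files before adding the certKey.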

More Information

CTX109260 – How to Install a Certificate on a NetScaler Device
CTX108858 – How to Import Existing Certificates and Keys to a NetScaler Server
CTX108877 – How to Correctly Configure SSL Certificates in High Availability Mode

The OpenSSL Project

