When you connect to the NetScaler appliance, any of the following issues is noticed:
The self-signed certificates ns-root.cert and ns-server.cert on the NetScaler appliance have serial numbers 0 and 1, respectively. These serial numbers can conflict when you create another self-signed certificate that has serial number 1.
In such a situation, the Internet Explorer web browser displays an error or warning message and lets the user access the network resources by using the NetScaler-generated certificate. However, the Firefox web browser displays an error message and might even completely prevent the user from connecting to the web site.
The following screen shot displays a sample error message:
To resolve this issue, create another certificate from the shell prompt of the NetScaler appliance by using the OpenSSL utility available on the appliance. This method enables you to create a certificate with the serial number of your choice.
To create a certificate by using the OpenSSL utility, complete the following procedure:
Log on to the NetScaler appliance by using an SSH utility.
Switch to the shell prompt of the appliance.
Change to the /nsconfig/ssl directory.
Create the nsopenssl.conf configuration file to use with the OpenSSL utility. The following are the sample entries that you can use to create the configuration file by using a text editor, such as the vi editor:
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default = Ft. Lauderdale
organizationName = Organization Name (eg, company)
organizationName_default = Netscaler
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_default = Citrix.com
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = nsroot@nsroot.com
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
Save and close the file.
Run the following command to create a key file:
root@ns# openssl genrsa -des3 -out <Key_Name>.key 1024
In the preceding command, 1024 is the size, in bytes, of the key. You can change this value to suit the requirements.
Enter the passphrase when the OpenSSL utility prompts you to do so. Ensure that you remember this passphrase for later use.
Run the following command to create a certificate file:
root@ns# openssl req -config nsopenssl.conf -new -x509 -days <Number_of_Days> -key <Key_Name>.key -out <Certificate_Name>.cert -set_serial <Serial_Number>
When the OpenSSL utility prompts, enter the passphrase you used to create the key file in Step 6 of this procedure.
When prompted, enter the required details for the certificate.
To accept the default values, press Enter.
From the web browser, log on to the GUI of the NetScaler appliance.
Import the certificate you created from the shell prompt to the NetScaler appliance. To import the certificate from the command line interface of the appliance, refer to the Knowledge Center article CTX108858 - How to Import Existing Certificates and Keys to a NetScaler Server.
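Before choosing a value for -set_serial, you can inventory the serial numbers already in use in /nsconfig/ssl. The following script is an added example and is not part of the original article. The function names are hypothetical, it assumes the certificates are PEM files ending in .cert, .crt or .pem, and it treats a repeated issuer-plus-serial pair as the conflict.

```shell
#!/bin/sh
# Added example, not from the original article.
# Audits a directory of PEM certificates for reused issuer+serial pairs and
# suggests an unused value for "openssl req ... -set_serial".

# Print "SERIAL<TAB>ISSUER<TAB>FILE" for each certificate found in directory $1.
list_serials() {
    for f in "$1"/*.cert "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        # Key files and other non-certificates fail to parse and are skipped.
        serial=$(openssl x509 -in "$f" -noout -serial 2>/dev/null) || continue
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "${serial#serial=}" "${issuer#issuer=}" "$f"
    done
}

# Read list_serials output on stdin; print each issuer+serial pair that occurs
# in more than one file, followed by the files that share it.
find_collisions() {
    awk -F '\t' '
        { key = $1 FS $2; count[key]++; files[key] = files[key] " " $3 }
        END { for (key in count) if (count[key] > 1) print key FS files[key] }'
}

# Read list_serials output on stdin; print (in decimal) one more than the
# highest serial in use. Serials longer than 15 hex digits are ignored so the
# shell arithmetic cannot overflow.
next_free_serial() {
    max=-1
    tab=$(printf '\t')
    while IFS="$tab" read -r serial _rest; do
        [ -n "$serial" ] && [ "${#serial}" -le 15 ] || continue
        val=$((0x$serial))
        if [ "$val" -gt "$max" ]; then max=$val; fi
    done
    echo $((max + 1))
}

# Report collisions in directory $1 and the suggested next serial.
audit_dir() {
    inventory=$(list_serials "$1")
    echo "Reused issuer+serial pairs:"
    printf '%s\n' "$inventory" | find_collisions
    echo "Next unused serial: $(printf '%s\n' "$inventory" | next_free_serial)"
}

# Usage: sh audit_serials.sh /nsconfig/ssl
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

The serial column is the hexadecimal value that openssl x509 prints, and the suggested next serial is decimal, which -set_serial accepts directly.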