How to Create and Use Client Certificates on NetScaler Appliance with Firmware 10.0

Article ID: CTX116431

Description

This article describes the procedure to create and use the Citrix NetScaler client certificates.

Requirements

  • NetScaler software release 10.0
  • NetScaler hardware appliance or a NetScaler VPX
  • A client workstation, such as Microsoft Windows XP SP2

Background

The NetScaler software includes an SSL tools suite that enables you to generate private keys, certificate signing requests, and certificates. The suite can also be used to create your own certificate authority (CA), or to use the pre-installed NetScaler root CA, and to issue server certificates and client certificates. By default, the certificate and key files are stored in the /nsconfig/ssl directory on the appliance.

The FreeBSD environment of the appliance also includes a version of OpenSSL for advanced certificate and key administration.

Warning!
  • Certificates issued by a private CA, such as the NetScaler root CA, are not trusted by default. Third-party software and operating systems with built-in certificate stores, which work as expected with well-known public root CAs, can fail when they encounter a certificate that chains to a root they do not trust.

  • The Internet Explorer Web Interface must do a callback over SSL to the Access Gateway Enterprise Edition VPN virtual servers in Smart Access mode. If the NetScaler root CA certificate is not installed in the trusted root CA store of the system account, the callback fails.

Instructions

To create and use the Citrix NetScaler client certificates, complete the following procedures:

Adding a Certificate-Key Pair

To add the NS-ROOT-CA certificate-key pair on the NetScaler appliance, complete the following procedure:
  1. Expand the SSL node and select Certificates.

  2. Click Add. The Install Certificate dialog box is displayed.

  3. From File Location, select the Remote System option (files on the appliance, in /nsconfig/ssl by default).

  4. In the Certificate Filename field, click Browse and select the root CA certificate file. For example, ns-root-cert.

  5. In the Key Filename field, click Browse and select the matching private key file. For example, ns-root-key.

  6. Accept the default options for the other fields and click Install.

Binding a Certificate-Key Pair to a Virtual Server

To bind the NS-ROOT-CA certificate-key pair to a virtual server as a CA certificate and enforce client certificate authentication, complete the following procedure:
  1. Expand the Load Balancing, SSL Offload, or SSL VPN node, depending on the type of virtual server to which you want to bind the certificate-key pair.

  2. Click Virtual Servers.

  3. Open the virtual server to which you want to bind the certificate-key pair.

  4. Click the Certificates tab.

  5. From the Available list, select the certificate-key pair you have installed. For example, NS-ROOT-CA.

  6. Click Add as CA.

  7. In the Other Settings group, click SSL Parameters. The Configure SSL Params dialog box appears.

  8. In the Others group of the Configure SSL Params dialog box, select Client Authentication.

  9. From the Client Certificate list, select Mandatory.

  10. Click OK.

With this configuration the virtual server demands a client certificate during the SSL handshake and accepts the connection only if the presented certificate chains to the CA certificate you have bound to it. If you select Optional instead of Mandatory, clients that present no certificate are still allowed to connect, so Optional does not enforce client authentication on its own.
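The same configuration from the NetScaler command line, as an added example that is not part of the original article. The virtual server name vs_ssl_client, its VIP 10.0.0.10, and the server certificate-key pair SRV-CERT are assumed example names; ns-root.cert and ns-root.key are assumed to be the root CA files in /nsconfig/ssl (file names without a path are resolved against that directory). Lines starting with # are explanatory comments:

```nscli
# Added example (not from the original article); names marked as assumed are placeholders.

# 1. Register the root CA certificate and key as a certificate-key pair.
#    File names without a path are taken from /nsconfig/ssl.
add ssl certKey NS-ROOT-CA -cert ns-root.cert -key ns-root.key

# 2. Assumed example SSL load balancing virtual server with its own (assumed) server certificate.
add lb vserver vs_ssl_client SSL 10.0.0.10 443
bind ssl vserver vs_ssl_client -certkeyName SRV-CERT

# 3. Bind the root CA as a CA certificate (the CLI equivalent of "Add as CA" in the GUI).
bind ssl vserver vs_ssl_client -certkeyName NS-ROOT-CA -CA

# 4. Require a client certificate. "Optional" would let clients without a certificate through.
set ssl vserver vs_ssl_client -clientAuth ENABLED -clientCert Mandatory

# 5. Check the result: client authentication should be enabled with the client
#    certificate set to Mandatory, and NS-ROOT-CA should be listed as a CA certificate.
show ssl vserver vs_ssl_client

# 6. Persist the running configuration.
save ns config
```

Note what this does and does not check: the virtual server verifies that the presented client certificate is signed by NS-ROOT-CA and is within its validity period. It does not check revocation unless you also configure a CRL for that CA binding, and it does not by itself map the certificate's subject to a user account; any certificate issued by the bound CA is accepted.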

Creating and Installing the Client Certificates

To create and install the client certificates by using the NetScaler CA tools and the root CA certificate you have created, complete the following procedure:
  1. Expand the SSL node.

  2. Click CA Tools.

  3. Click the Create RSA Key link. The Create RSA Key dialog box is displayed. Specify the key file name, key size, and key format.

  4. Click Create.

  5. Click the Create Certificate Request link. The Create Certificate Request dialog box is displayed. Specify the request file name, the RSA key file created in step 3, and the subject fields (country, state, organization, common name, and so on). Select PEM as the key format; the PKCS#12 export in step 9 works with a PEM-encoded key and certificate.

  6. Click Create, and then click Close.

  7. Click the Create Certificate link. The Create Certificate dialog box is displayed. Specify the appropriate values for the various fields, making sure that you select the certificate request file from step 5 and the root CA certificate and key you created earlier as the signing CA.

  8. Click Create, and then click Close.

  9. From the Tools section, click the Export PKCS#12 link. The Export PKCS12 dialog box appears.

  10. In the Pkcs File Name field, type the name of the file to create in the /nsconfig/ssl directory.

  11. In the Certificate File Name and Key File Name fields, click Browse to select the client certificate file and its RSA key file, respectively. Set an export password; you must enter it again when importing the file on the workstation.

  12. Click OK, and then click Close.

  13. Copy the exported .pfx file from the appliance to the client workstation over a secure channel (for example, SCP) and verify that it is present. The file contains the client's private key, so protect it accordingly.

  14. From the Start menu of Microsoft Windows on the workstation, start the Microsoft Management Console (mmc.exe).

  15. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.

  16. Click Add and select the Certificates snap-in.

  17. The Certificates snap-in asks which account's certificates to manage. Select the current user account (My user account).

  18. When the snap-in is loaded, right-click Personal.

  19. From the All Tasks menu, select Import.

  20. In the Certificate Import Wizard, click Next.

  21. Click Browse to locate and select the .pfx file, and then click Next.

  22. On the Password page, type the password you used when exporting the .pfx file, and then click Next.

  23. On the Certificate Store page, ensure that Personal is selected in the Certificate store field, and complete the wizard.

  24. Verify that the client certificate now appears in the Certificates snap-in under the Personal store.

When the user accesses the VIP of the SSL virtual server with Internet Explorer, the Choose a digital certificate dialog box is displayed, listing the certificate you have created.
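The client-certificate part of the procedure (RSA key, certificate request, certificate signed by the root CA, PKCS#12 export) from the NetScaler command line, as an added example rather than text from the original article. The name client1 and the subject fields are assumed sample values; ns-root.cert, ns-root.key and the serial-number file ns-root.srl are assumed to be the root CA files in /nsconfig/ssl. The two shell commands use the appliance's OpenSSL, mentioned in the Background section, to check the certificate before it is exported. Lines starting with # are explanatory comments:

```nscli
# Added example (not from the original article); client1 and the subject fields are assumed values.

# 1. 2048-bit RSA private key in PEM format (PEM is what the PKCS#12 export below works with).
create ssl rsakey client1.key 2048 -keyform PEM

# 2. Certificate signing request for that key, with an assumed example subject.
create ssl certReq client1.csr -keyFile client1.key -keyform PEM -countryName US -stateName CA -localityName "San Jose" -organizationName "Example Corp" -organizationUnitName IT -commonName client1

# 3. Sign the request with the NetScaler root CA as a client certificate (CLNT_CERT).
#    The serial-number file keeps the serial of each issued certificate unique.
create ssl cert client1.cert client1.csr CLNT_CERT -CAcert ns-root.cert -CAkey ns-root.key -CAserial ns-root.srl -days 365

# 4. Check, with the appliance's OpenSSL, that the new certificate chains to the root CA
#    the virtual server trusts. Expected output: "/nsconfig/ssl/client1.cert: OK".
shell openssl verify -CAfile /nsconfig/ssl/ns-root.cert /nsconfig/ssl/client1.cert
shell openssl x509 -in /nsconfig/ssl/client1.cert -noout -subject -issuer -dates

# 5. Bundle certificate and key into a password-protected PKCS#12 (.pfx) file for the workstation.
#    The command prompts for the export password; the Windows import wizard asks for the same one.
convert ssl pkcs12 client1.pfx -export -certFile client1.cert -keyFile client1.key -password
```

The resulting client1.pfx contains the private key, so copy it to the workstation over SCP or another protected channel and remove the copy from /nsconfig/ssl once it has been imported. Because the certificate was issued by the same root CA that is bound to the virtual server as a CA certificate, Internet Explorer will list it in the Choose a digital certificate dialog box with the common name client1.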

Additional Information

CTX214874 - How to Create and Use Client Certificates on NetScaler Appliance with Firmware 10.1 and Above