This article describes how to replace the default certificate (ns-server-certificate) of a NetScaler appliance with a trusted Certificate Authority (CA) certificate that matches the hostname of the appliance.
On a new NetScaler appliance shipped from Citrix, the default certificate-key pair ns-server-certificate is added to the appliance when it initializes. However, when you upgrade the software of the appliance, no default certificate-key pair is created. You must add the default certificate-key pair by running the following command from the command prompt of the appliance:
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
After adding the certificate-key pair, it is automatically bound to the following internal services:
nskrpcs-127.0.0.1-3009
nshttps-127.0.0.1-443
nsrpcs-127.0.0.1-3008
The internal services can be viewed from the Configuration Utility. Navigate to Traffic Management > Load Balancing > Services and click the Internal Services tab as shown in the following screenshot:
The procedure discussed in this article assumes that you have prior knowledge of completing the following tasks:
Creating a Private Key
Creating a Certificate Signing Request
Obtaining a Certificate from a Certificate Authority
Refer to CTX109260 - How to Generate and Install a Public SSL Certificate on a NetScaler Appliance for help on these tasks.
To replace the default certificate of the NetScaler appliance with a trusted CA certificate that matches the hostname of the appliance, complete the following procedure:
1. Run the following command from the command line interface to verify that the default certificate-key pair is added and bound to the internal services. This step is optional but useful to confirm which certificate is currently bound.
> show run | grep ns-server-certificate
add ssl certKey "ns-server-certificate" -cert "ns-server.cert" -key "ns-server.key"
bind ssl service "nskrpcs-127.0.0.1-3009" -certkeyName "ns-server-certificate"
bind ssl service "nshttps-127.0.0.1-443" -certkeyName "ns-server-certificate"
bind ssl service "nsrpcs-127.0.0.1-3008" -certkeyName "ns-server-certificate"
Internal services and their bindings can also be verified from the NetScaler GUI. Navigate to Traffic Management > Load Balancing > Services > Internal Services, select a service, and then click Edit as shown in the following screenshot:
Go to the Certificates section at the bottom of the page.
Expand the Client Certificate option. In this case, ns-server-certificate is bound to nsrpcs-127.0.0.1-3008. Verify the certificate bound to the other internal services in the same way.
2. If the output of the preceding command does not display the default certificate, run the following command to add the default certificate-key pair:
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
The default certificate-key pair can also be added from the NetScaler Configuration Utility. Navigate to Traffic Management > SSL > Certificates and click the Install tab as highlighted in the following screenshot:
Because ns-server-certificate is not yet present on the NetScaler, enter ns-server-certificate as the Certificate-Key Pair Name. Then choose ns-server.cert and ns-server.key using the Browse Appliance option and click Install.
Repeat Step 1 from the Configuration Utility to verify that ns-server-certificate is bound to the internal services.
3. Run the following command to set the hostname of the NetScaler appliance:
set ns hostName test.netscaler.com
4. From the GUI of the NetScaler appliance, complete the following procedure to create a Certificate Signing Request (CSR):
a. In the Navigation pane, go to Traffic Management and click the SSL node.
b. In the SSL Certificates section, click the Create Certificate Request link.
c. Provide values for all the required fields marked with an asterisk (*) and then click Create.
The following screenshot displays sample values for the required fields. Notice that the Common Name field contains the hostname set in Step 3.
5. Submit the CSR file to a trusted CA. The CSR file you created is available in the /nsconfig/ssl directory.
6. After receiving the certificate from the trusted CA, copy the file to the /nsconfig/ssl directory.
7. From the GUI of the NetScaler appliance, navigate to Traffic Management > SSL and choose ns-server-certificate.
8. Click Update, as shown in the following screenshot:
9. In the Certificate File Name field, choose the certificate file that you received from the CA. Use the Browse option to select the signed file; choose Browse > Local if the file is saved on your workstation or local drive.
10. In the Private Key File Name field, specify the default private key file name, ns-server.key.
11. Select the No Domain Check option, as shown in the following screenshot:
12. Click OK.
Notes:
The hostname of the appliance and the common name in the certificate should match.
You must install the CA root certificate as a trusted certificate on the client computer. On a Windows workstation, use the Microsoft Management Console (mmc): click Start > Run and type mmc.
If the appliance is part of a high availability setup, you must add the CA root certificate as a CA certificate to the internal services on both units.
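The Update step keeps the original ns-server.key and only swaps in the CA-issued certificate, and the first Note requires the certificate name to match the appliance hostname; both conditions are easy to get wrong and neither is reported by the GUI before clients start failing. The following Go program, added here as an example and not part of the original article or any Citrix tooling, applies those two checks to a certificate. The CA, the appliance key and the certificates are constructed in memory for the demonstration; only the hostname test.netscaler.com comes from the procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const Hostname = "test.netscaler.com" // hostname set on the appliance in Step 3

// CheckReplacement verifies what the Update step relies on: the CA-issued certificate still
// belongs to the reused appliance key (ns-server.key) and its SAN/CN covers the hostname (first Note).
func CheckReplacement(cert *x509.Certificate, key *ecdsa.PrivateKey, hostname string) error {
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("certificate public key does not match the appliance private key")
	}
	return cert.VerifyHostname(hostname) // nil only when the name is covered
}

// Scenario plays the procedure against an in-memory CA constructed for this example and
// returns CheckReplacement's verdict; wrongKey issues the certificate for an unrelated key.
func Scenario(dns string, wrongKey bool) error {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	ca, _ := x509.ParseCertificate(caDER)
	nsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for ns-server.key
	csrKey := nsKey
	if wrongKey { // the CA returned a certificate for some other CSR's key
		csrKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dns},
		DNSNames: []string{dns}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &csrKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(der)
	return CheckReplacement(leaf, nsKey, Hostname)
}
```

Scenario(Hostname, false) returns nil, while a certificate for another name or for another key returns an error, which is the outcome you want to know before binding the pair to the internal services.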
Cipher customization:
Navigate to Traffic Management > Load Balancing > Services > Internal Services.
Scroll down to the Ciphers section and add or remove ciphers as needed.
TLS/SSL version settings:
Navigate to Traffic Management > Load Balancing > Services > Internal Services.
Scroll down to the SSL Parameters section and make the required changes.