How to Change the Size of the NetScaler Certificate to More Than 1024 Bits

Article ID: CTX135480

Description

This article describes how to change the size of the default server certificate from 512 bits to more than 1024 bits on a NetScaler appliance.

Requirements

  • Secure Shell or console access to a NetScaler appliance.

Background

Microsoft Security Advisory 2661254 (the Windows update for minimum certificate key length) makes Windows reject RSA certificates whose key is shorter than 1024 bits. The default certificate that the NetScaler appliance uses for its internal management services, ns-server-certificate, has a 512-bit RSA key. After the update is installed, a Windows client such as Internet Explorer can therefore no longer open a NetScaler management interface that is reachable only over HTTPS. Only environments that are managed through Internet Explorer (or other Windows clients with the update) are affected; replacing the default certificate with one whose key is at least 1024 bits (the procedure below uses 2048 bits) resolves the issue.


Instructions

To change the size of the default server certificate from 512 bits to more than 1024 bits on a NetScaler appliance, complete the following procedure:

Note: If you use the Graphical User Interface (GUI) for this procedure, you must change the Secure Only flag on the NetScaler appliance so that the Configuration utility can be reached over plain HTTP while the old 512-bit certificate is still in place; consider restoring the Secure Only setting once the new certificate is bound. If you do not want to allow HTTP management access at all, use the procedure in the Creating and Installing the New NetScaler Certificate Through the Command Line Interface section instead, which needs only SSH or console access.

  1. Open the command line interface of the NetScaler appliance by using SSH or console access.

  2. Run the following command, substituting the NSIP address and netmask of the appliance, to allow the Configuration utility to be accessed over HTTP:
    set ns ip x.x.x.x -netmask 255.255.255.0 -gui ENABLED

  3. Refer to CTX129243 - How to Manually Create and Install Self-Signed Server and Root Certificate Authority Test Certificates Using a Public Key Size Greater than 512 Bits and create a self-signed server certificate with a key of at least 1024 bits (2048 bits is used in the command-line section of this article).

  4. If the appliance is part of a high availability pair, verify that the new certificate and key files have been synchronized to the secondary appliance.

  5. In the Configuration utility of the NetScaler appliance, expand the Load Balancing node, select the Services node, and open the Internal Services tab (Load Balancing > Services > Internal Services). The internal SSL services listed here are the ones that currently use ns-server-certificate and must be changed to the new certificate.

  6. Double-click the internal SSL service that you want to change.

  7. Select SSL Settings.

  8. Remove ns-server-certificate and add the new certificate. Repeat steps 6 to 8 for each internal SSL service.

Creating and Installing the New NetScaler Certificate Through the Command Line Interface

If you do not want to change the Secure Only flag on the NetScaler appliance, create the new certificate and bind it to the internal services entirely from the command line interface of the appliance:

  1. Open the command line interface of the NetScaler appliance by using SSH or console access.

  2. Run the following commands to create a certificate:
    create ssl rsakey NS_rsa1.key 2048 -exponent F4 -keyform PEM
    create ssl certReq NS_csreq1 -keyFile NS_rsa1.key -keyform PEM -countryName US -stateName GA -organizationName Citrix
    create ssl cert new_ns_root.cer NS_csreq1 ROOT_CERT -keyFile NS_rsa1.key -keyform PEM -days 365 -certForm PEM -CAcertForm PEM -CAkeyForm PEM

    add ssl certKey New_NS_Root -cert new_ns_root.cer -key NS_rsa1.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

    create ssl rsakey NS_rsa2.key 2048 -exponent F4 -keyform PEM
    create ssl certReq NS_csreq2 -keyFile NS_rsa2.key -keyform PEM -countryName US -stateName GA -organizationName Citrix
    create ssl cert new_ns_server.cer NS_csreq2 SRVR_CERT -keyform PEM -days 365 -certForm PEM -CAcert "/nsconfig/ssl/new_ns_root.cer" -CAcertForm PEM -CAkey "/nsconfig/ssl/NS_rsa1.key" -CAkeyForm PEM -CAserial "/nsconfig/ssl/ns-root.srl"

    add ssl certKey new-ns-server-certificate -cert new_ns_server.cer -key NS_rsa2.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

    Note: The -days value sets the validity period of each new certificate; with 365 the certificates expire after one year, and the expiry monitor settings (-expiryMonitor ENABLED -notificationPeriod 30) raise a warning 30 days before that date. Adjust both to your certificate lifecycle policy.

  3. If the appliance is part of a high availability pair, verify that the new certificate and key files have been synchronized to the secondary appliance.

  4. Run the following command to list every configuration line (the internal SSL services and any other bindings) that still references ns-server-certificate:
    show run | grep -i ns-server-certificate

  5. For each internal SSL service found in the previous step, run the following command to bind the new certificate:
    bind ssl service <internal_ssl_service_name> -certkeyName new-ns-server-certificate
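Before binding a certificate to the internal services, whether it was created through the GUI per CTX129243 or with the create ssl commands above, it is worth confirming that it really carries an RSA key of at least 1024 bits. The following Python script is added here as an example and is not part of the article or of any Citrix tool. It uses only the Python standard library, walking the certificate's DER encoding to the RSA modulus, so it runs on an administrator workstation without OpenSSL. The certificate skeletons it builds for its offline demonstration are constructed test data, not real certificates; the file path in the usage note below is an assumption.

```python
"""Check the RSA key size of an X.509 certificate against the 1024-bit
minimum that Microsoft Security Advisory 2661254 enforces.

Added example for CTX135480, not Citrix code. A minimal DER walker reaches
subjectPublicKeyInfo and reads the RSA modulus; build_sample_cert() makes
an unsigned certificate skeleton (constructed test data) for offline runs.
"""
import ssl
import sys

MIN_KEY_BITS = 1024                                   # threshold from KB 2661254
RSA_OID = bytes.fromhex("2A864886F70D010101")         # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos]: (tag, content_start, content_end, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(data, start, end):
    """Yield (tag, content_start, content_end) for each TLV inside data[start:end]."""
    pos = start
    while pos < end:
        tag, cs, ce, pos = _read_tlv(data, pos)
        yield tag, cs, ce


def rsa_key_bits(der):
    """Return the modulus bit length of the RSA public key in a DER-encoded certificate."""
    _, cert_s, cert_e, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, cert_s, cert_e))    # tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_s, spki_e = fields[5]
    (_, alg_s, alg_e), (_, bs_s, bs_e) = list(_children(der, spki_s, spki_e))[:2]
    _, oid_s, oid_e = next(_children(der, alg_s, alg_e))
    if der[oid_s:oid_e] != RSA_OID:
        raise ValueError("not an RSA certificate")
    # BIT STRING content = unused-bits octet + RSAPublicKey ::= SEQUENCE { modulus, exponent }
    _, rsa_s, rsa_e, _ = _read_tlv(der, bs_s + 1)
    _, mod_s, mod_e = next(_children(der, rsa_s, rsa_e))
    return int.from_bytes(der[mod_s:mod_e], "big").bit_length()


def cert_key_bits_from_pem(pem_text):
    return rsa_key_bits(ssl.PEM_cert_to_DER_cert(pem_text.strip()))


def meets_2661254(bits):
    """True when a Windows client with the KB 2661254 update will accept the key."""
    return bits >= MIN_KEY_BITS


# --- constructed sample data, for offline demonstration only ----------------
def _der(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else (bytes([tag, 0x81, n]) if n < 0x100
                                            else bytes([tag, 0x82, n >> 8, n & 0xFF]))
    return hdr + content


def _der_int(value):                                  # minimal DER INTEGER, positive values only
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_sample_cert(modulus_bits):
    """Unsigned certificate skeleton whose modulus has exactly modulus_bits bits.
    Every field except subjectPublicKeyInfo is a dummy; no CA signed this."""
    modulus = (1 << (modulus_bits - 1)) | 0x10001
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")        # rsaEncryption, NULL parameters
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg
               + _der(0x30, b"") * 3 + spki)                   # issuer, validity, subject dummies
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def sample_pem(modulus_bits):
    return ssl.DER_cert_to_PEM_cert(build_sample_cert(modulus_bits))


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # real PEM certificate files, e.g. new_ns_server.cer
        for path in sys.argv[1:]:
            with open(path) as f:
                bits = cert_key_bits_from_pem(f.read())
            print(f"{path}: {bits}-bit RSA, {'accepted' if meets_2661254(bits) else 'BLOCKED by KB 2661254'}")
    else:                                              # offline demo on constructed certificates
        for bits in (512, 1024, 2048):
            got = cert_key_bits_from_pem(sample_pem(bits))
            print(f"constructed {bits}-bit sample: parsed {got} bits, accepted={meets_2661254(got)}")
```

Copy the certificate off the appliance (for example /nsconfig/ssl/new_ns_server.cer from the commands above; the path is an assumption for this illustration) and run `python check_key_bits.py new_ns_server.cer`. With no arguments the script parses three constructed certificates (512, 1024 and 2048 bits) and shows that only the 512-bit one is rejected. To check what the management interface actually serves after the rebinding, save the handshake certificate with `openssl s_client -connect <NSIP>:443 </dev/null | openssl x509 > served.pem` and pass served.pem to the script.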

Additional Information

For more information on Microsoft Security Advisory 2661254, refer to the following links:

  • Microsoft Security Advisory 2661254
  • Microsoft Security Advisory: Update for minimum certificate key length