This article describes how to change the size of the default server certificate from 512 bits to more than 1024 bits on a NetScaler appliance.
Basic knowledge of creating self-signed certificates.
Note: Refer to CTX129243 – How to Manually Create and Install Self-Signed Server and Root Certificate Authority Test Certificates Using a Public Key Size Greater than 512 Bits for detailed instructions on creating and installing a self-signed certificate.
Secure Shell or console access to a NetScaler appliance.
Microsoft has released Security Advisory 2661254, which can cause issues when accessing a NetScaler environment that is reachable only over HTTPS. As per Security Advisory 2661254, the ns-server-certificate must use a key that is more than 1024 bits. The default certificate that the NetScaler appliance uses for internal management has a 512-bit key. This only affects environments managed entirely through Internet Explorer.
To change the size of the default server certificate from 512 bits to more than 1024 bits on a NetScaler appliance, complete the following procedure:
Note: If you are using the Graphical User Interface (GUI), then you must change the Secure Only flag on the NetScaler appliance so that the GUI can be accessed over HTTP. However, you can also complete this procedure without changing the Secure Only flag by following the Creating and Installing the New NetScaler Certificate Through the Command Line Interface section.
Open the command line interface of the NetScaler appliance by using SSH or console access.
Run the following command with the correct IP address and netmask information:
set ns ip x.x.x.x -netmask 255.255.255.0 -gui ENABLED
Refer to CTX129243 - How to Manually Create and Install Self-Signed Server and Root Certificate Authority Test Certificates Using a Public Key Size Greater than 512 Bits and create a self-signed certificate.
Verify that the new certificate is synchronized with the secondary appliance.
Expand the Load Balancing node in the Configuration utility of the NetScaler appliance.
Select the Services node.
Select the Internal Services tab.
Change the internal services to have this new certificate using Load Balancing > Services > Internal Services.
Double-click on Services.
Select SSL Settings.
Remove the ns-server-certificate, and add the new certificate.
If you do not want to change the Secure Only flag on the NetScaler appliance, then create the new certificate and bind it entirely from the command line interface of the appliance instead:
Open the command line interface of the NetScaler appliance by using SSH or console access.
Run the following commands to create a certificate:
create ssl rsakey NS_rsa1.key 2048 -exponent F4 -keyform PEM
create ssl certReq NS_csreq1 -keyFile NS_rsa1.key -keyform PEM -countryName US -stateName GA -organizationName Citrix
create ssl cert new_ns_root.cer NS_csreq1 ROOT_CERT -keyFile NS_rsa1.key -keyform PEM -days 365 -certForm PEM -CAcertForm PEM -CAkeyForm PEM
create ssl rsakey NS_rsa2.key 2048 -exponent F4 -keyform PEM
create ssl certReq NS_csreq2 -keyFile NS_rsa2.key -keyform PEM -countryName US -stateName GA -organizationName Citrix
create ssl cert new_ns_server.cer NS_csreq2 SRVR_CERT -keyform PEM -days 365 -certForm PEM -CAcert "/nsconfig/ssl/new_ns_root.cer" -CAcertForm PEM -CAkey "/nsconfig/ssl/NS_rsa1.key" -CAkeyForm PEM -CAserial "/nsconfig/ssl/ns-root.srl"
add ssl certKey new-ns-server-certificate -cert new_ns_server.cer -key NS_rsa2.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO
Note: The -days value in the commands above sets the validity period of the new certificates you create.
Verify that the new certificate is synchronized with the secondary appliance.
Run the following command to search for the services that the ns-server-certificate manages:
show run | grep -i ns-server-certificate
Run the following command to bind the new certificate to the internal SSL service:
bind ssl service <internal_ssl_service_name> -certkeyName new-ns-server-certificate
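To confirm which certificates still fall short of the key length this article requires, the following added example (not Citrix code, and not part of the original article) reads the RSA modulus size straight out of a PEM certificate file with only the Python standard library, so it can be run on a copy of the appliance's certificates, for example the default /nsconfig/ssl/ns-server.cert (an assumed path) and the new new_ns_server.cer. The sample_cert_pem helper builds a constructed, unsigned certificate skeleton purely as offline test input.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv_read(buf, pos):
    """Read one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(pem):
    """Return the RSA modulus size in bits of a PEM X.509 certificate (e.g. /nsconfig/ssl/ns-server.cert)."""
    der = base64.b64decode("".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----")))
    _, pos, _ = _tlv_read(der, 0)             # Certificate SEQUENCE
    _, pos, _ = _tlv_read(der, pos)           # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                      # optional [0] EXPLICIT version
        pos = _tlv_read(der, pos)[2]
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        pos = _tlv_read(der, pos)[2]
    _, pos, _ = _tlv_read(der, pos)           # subjectPublicKeyInfo SEQUENCE
    _, alg, pos = _tlv_read(der, pos)         # AlgorithmIdentifier SEQUENCE
    _, oid_s, oid_e = _tlv_read(der, alg)     # algorithm OID must be rsaEncryption
    if der[oid_s:oid_e] != RSA_OID:
        raise ValueError("subject public key is not RSA")
    _, pos, _ = _tlv_read(der, pos)           # subjectPublicKey BIT STRING
    _, pos, _ = _tlv_read(der, pos + 1)       # RSAPublicKey SEQUENCE (skip the unused-bits byte)
    _, mod_s, mod_e = _tlv_read(der, pos)     # modulus INTEGER (may carry a leading 0x00 pad)
    modulus = der[mod_s:mod_e].lstrip(b"\x00")
    return 8 * (len(modulus) - 1) + modulus[0].bit_length()

def meets_article_minimum(pem):  # True when the key is longer than 1024 bits, as this article requires
    return rsa_key_bits(pem) > 1024

def _tlv(tag, body):  # DER-encode one element; used only to build the constructed sample below
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    nb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def sample_cert_pem(bits):
    """Constructed sample: an unsigned X.509 skeleton with empty names carrying an RSA key of `bits` bits."""
    modulus = (1 << (bits - 1) | 1).to_bytes(bits // 8, "big")
    rsa_pub = _tlv(0x30, _tlv(0x02, b"\x00" + modulus) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + rsa_pub))
    empty = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty * 4 + spki)
    b64 = base64.b64encode(_tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

On a real file, `rsa_key_bits(open("/nsconfig/ssl/ns-server.cert").read())` reports the key size of the certificate currently bound to the internal services; only the first certificate of a bundle is inspected.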
For more information on Microsoft Security Advisory 2661254, refer to the following links:
Microsoft Security Advisory 2661254
Microsoft Security Advisory: Update for minimum certificate key length