How to Create Unique SSL Certificates for NetScaler IP Address (NSIP) When Appliances are in High Availability Setup

Article ID: CTX136173

Description

This article describes how to create unique SSL certificates for NetScaler IP address (NSIP) when the appliances are in a high availability setup.

Background

Companies that require unique SSL certificates for the NetScaler IP (NSIP) address when the appliances are part of a high availability setup, and that need secure access to the management GUI, can implement the following workaround. By default, when the Graphical User Interface (GUI) is set up for secure access, both appliances share the same ns-server-certificate certificate/key pair.

The Subject CN of that certificate is the same on both appliances because the certificate is automatically synchronized between them. In some scenarios it might be necessary, or required by policy, to have a different certificate on each appliance in the high availability setup. For example, the administrator might need to access one appliance as https://netscalerA.example.com and the other as https://netscalerB.example.com, and a single shared certificate cannot carry the correct Subject CN for both.


Instructions

The workaround requires the administrator to create a new directory under /nsconfig in which the new certificates are saved. Because this directory is outside the paths that high availability file synchronization copies between the appliances, certificates stored there are not overwritten when the file systems synchronize. The next step is to create the individual certificates (netscalerA.example.com and netscalerB.example.com) and place them in the new directory.

Note: You can create these certificates from either FIPS keys or file system keys.

  1. Run the following commands to create a directory in the /nsconfig directory:
    # cd /nsconfig
    # mkdir SSL_NOSYNC

  2. Create a unique server certificate for each appliance by using a NetScaler key.
    You must create a certificate signing request for each NSIP in the high availability setup. For information on this process refer to CTX211878 - How Do I Set Up RSA Keys/Public SSL Certificate on NetScaler?

    Note: The installation step in CTX211878 differs for this workaround. After the CA has signed the certificates, place them in the /nsconfig/SSL_NOSYNC directory rather than in the default /nsconfig/ssl directory.

    NetScaler    Subject CN                Server Certificate Filename
    Primary      netscalerA.example.com    NetscalerA.cert
    Secondary    netscalerB.example.com    NetscalerB.cert

    The preceding table shows where each certificate goes. The server certificate for netscalerA.example.com, with filename NetscalerA.cert, is copied to the /nsconfig/SSL_NOSYNC directory on the Primary appliance, and the server certificate for netscalerB.example.com, with filename NetscalerB.cert, is copied to the /nsconfig/SSL_NOSYNC directory on the Secondary appliance.
  3. Ensure that the server certificate in the /nsconfig/SSL_NOSYNC directory corresponds to the correct appliance. Check the Subject CN, not just the filename, because the next step gives both certificates the same name:
    For Primary Appliance:
    > shell 'ls -al /nsconfig/SSL_NOSYNC'
    -rw-r--r-- 1 root wheel 1970 Jan 7 11:32 NetscalerA.cert
    > shell 'openssl x509 -noout -text -in /nsconfig/SSL_NOSYNC/NetscalerA.cert | grep Subject:'
    Subject: C=US, ST=Florida, L=Fort, O=Citrix, CN=netscalerA.example.com

    For Secondary Appliance:
    > shell 'ls -al /nsconfig/SSL_NOSYNC'
    -rw-r--r-- 1 root wheel 1970 Jan 7 11:32 NetscalerB.cert
    > shell 'openssl x509 -noout -text -in /nsconfig/SSL_NOSYNC/NetscalerB.cert | grep Subject:'
    Subject: C=US, ST=Florida, L=Fort, O=Citrix, CN=netscalerB.example.com

  4. Copy each certificate to the same common filename, NSIP.cert:
    From the Primary Appliance:
    > shell 'cp /nsconfig/SSL_NOSYNC/NetscalerA.cert /nsconfig/SSL_NOSYNC/NSIP.cert'

    From the Secondary Appliance:
    > shell 'cp /nsconfig/SSL_NOSYNC/NetscalerB.cert /nsconfig/SSL_NOSYNC/NSIP.cert'

    There are now two server certificates with the same filename, one on each appliance, but with different Subject CNs. Using a common filename lets the same certKey definition work on both appliances when the configuration is synchronized.

  5. Run the following command to add the certificate key pair on the Primary appliance:
    Note: The NetScaler appliance has a default, pre-installed server certificate named ns-server-certificate, which is bound to the internal services by default. If you reuse the ns-server-certificate name for the new NSIP.cert, the new certificate takes effect on those services as soon as you run the following commands. If you want a certificate key pair with a different name, go to Step 6.

    For Non-FIPS Appliance:
    > add ssl certKey ns-server-certificate -cert /nsconfig/SSL_NOSYNC/NSIP.cert -key RSA.key

    For a FIPS Appliance:
    > add ssl certKey ns-server-certificate -cert /nsconfig/SSL_NOSYNC/NSIP.cert -fipsKey RSA-FIPS.key

    Note: If the ns-server-certificate certificate key pair already exists, you must first remove it before adding the new certificate, or use the update ssl certKey command instead of add. A key file given by a bare name such as RSA.key is read from /nsconfig/ssl, which is synchronized between the appliances, so both appliances end up with the same key file; if each appliance must use its own private key, store that key in /nsconfig/SSL_NOSYNC as well and reference it by its full path.

  6. If you use a certificate key pair name other than ns-server-certificate, bind that name to the internal service.
    Refer to Knowledge Center article CTX111531 - How to Enable Secure Access to the GUI of the NetScaler Appliance by using the MIP or SNIP Address of the Appliance.
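The verification and copy steps above are the point where a mistake is silent: once both files are named NSIP.cert, nothing in the configuration reveals that the wrong appliance received the wrong certificate. The following script is an added example, not part of the Citrix article, that combines the two steps into a verify-then-stage function: it reads the Subject CN with the same openssl x509 call the article uses and only copies a certificate to NSIP.cert when the CN matches the hostname expected for that appliance. The function names (cert_cn, stage_nsip_cert, make_demo_dir) and the NOSYNC_DIR variable are this example's own; it assumes OpenSSL is on the shell's PATH and that each certificate carries a single CN. The certificates it generates are constructed, self-signed stand-ins for the CA-signed ones.

```shell
#!/bin/sh
# Added example (not from the Citrix article): verify, then stage, the
# per-appliance NSIP certificate. Assumes OpenSSL on PATH.

NOSYNC_DIR="${NOSYNC_DIR:-/nsconfig/SSL_NOSYNC}"

# cert_cn FILE: print the Subject CN of a PEM certificate (empty if unreadable).
# RFC2253 formatting yields "CN=value" without spaces on every OpenSSL release.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# stage_nsip_cert EXPECTED_CN [DIR]: copy the one *.cert in DIR whose Subject CN
# equals EXPECTED_CN to DIR/NSIP.cert. Refuses (status 1) when no certificate,
# or more than one certificate, carries that CN, so a certificate that landed on
# the wrong appliance is never bound as NSIP.cert.
stage_nsip_cert() {
    expected="$1"
    dir="${2:-$NOSYNC_DIR}"
    match=""
    for f in "$dir"/*.cert; do
        [ -f "$f" ] || continue
        case "$f" in */NSIP.cert) continue ;; esac   # ignore a previous staging
        if [ "$(cert_cn "$f")" = "$expected" ]; then
            if [ -n "$match" ]; then
                echo "refusing: more than one certificate with CN=$expected in $dir" >&2
                return 1
            fi
            match="$f"
        fi
    done
    if [ -z "$match" ]; then
        echo "refusing: no certificate with CN=$expected in $dir" >&2
        return 1
    fi
    cp "$match" "$dir/NSIP.cert" || return 1
    echo "staged $(basename "$match") as NSIP.cert (CN=$expected)"
}

# make_demo_dir: create a temporary directory holding two constructed,
# self-signed certificates, NetscalerA.cert and NetscalerB.cert, standing in
# for the CA-signed ones. Prints the directory path.
make_demo_dir() {
    d="$(mktemp -d)"
    for host in netscalerA netscalerB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/C=US/O=Example/CN=$host.example.com" \
            -keyout "$d/Netscaler${host#netscaler}.key" \
            -out "$d/Netscaler${host#netscaler}.cert" >/dev/null 2>&1
    done
    echo "$d"
}

# Demo with the constructed certificates (run: sh stage_nsip.sh demo). On a
# real appliance, call stage_nsip_cert with that appliance's own hostname and
# let DIR default to /nsconfig/SSL_NOSYNC.
if [ "${1:-}" = "demo" ]; then
    D="$(make_demo_dir)"
    stage_nsip_cert netscalerA.example.com "$D"   # what the primary runs
    stage_nsip_cert netscalerB.example.com "$D"   # what the secondary runs
    stage_nsip_cert netscalerC.example.com "$D" || echo "mismatch refused as expected"
    rm -rf "$D"
fi
```

On the appliance each node runs the function once with its own hostname, so the "more than one match" branch mainly guards against a stray copy left behind in the directory; the "no match" branch is the one that catches a certificate delivered to the wrong appliance before it is bound to the internal services.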

Additional Information

With the introduction of admin partitions in the 11.0 firmware, certificates could only be added from the /nsconfig/ssl directory, which breaks this workaround because the certificates live in /nsconfig/SSL_NOSYNC. This was identified as a regression, and the fix is available in 11.0.65.x (bug ID 0602631).
