NetScaler Cannot Connect to StoreFront, Trace Shows Client Hello and Then RST

Article ID: CTX205088

Description

Connections through NetScaler 10.5 to the StoreFront server fail. In a network trace, the Client Hello sent by the NetScaler (offering 32 ciphers) is immediately followed by an RST from the StoreFront server.

Resolution

The certificate that the client is using is a four-certificate chain:

Server Certificate
  Signature algorithm: sha256RSA
  Public key: RSA (2048 bits)

Intermediate Certificate
  Signature algorithm: SHA384withRSAEncryption
  Public key: 2048 bits

Root Certificate
  Signature algorithm: sha384RSA
  Public key: RSA (4096 bits)

The challenge is that NetScaler VPX does not support 4096-bit keys on the back end (the server-side connection). That last part is the key point, because NetScaler supports 4096-bit keys everywhere else. For more information, refer to http://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/ns-ssl-wrapper-con-10/ns-ssl-config-ssloffloading-con/ns-ssl-add-certkey-tsk.html

Problem Cause

Even though four different SSL certificates were received through rekeying, the root certificate was always issued with a 4096-bit key. A new SSL certificate must be requested stipulating that no key in the chain is larger than 2048 bits. The hardware appliances do support 4096-bit keys on back-end servers, but unfortunately this is one of the limitations of the virtual NetScaler (VPX).
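Before requesting a rekey, it helps to confirm which certificate in the StoreFront chain actually carries the oversized key. The following script is an added example, not part of this article or of any NetScaler or StoreFront tooling. It uses only the Python standard library, walks the DER structure of each certificate positionally (per RFC 5280) to read the signature algorithm and the RSA modulus size, and flags anything above a configurable limit. The sample chain it audits is constructed in the block by make_test_cert (unsigned, synthetic certificates with empty names and validity) and mirrors the sizes and signature algorithms listed above; pointing parse_pem_chain at a real PEM chain file works the same way.

```python
"""Audit RSA key sizes and signature algorithms in a PEM certificate chain (stdlib only)."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SIGNATURE_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010c"): "sha384WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010d"): "sha512WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) pairs for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def rsa_modulus_bits(spki):
    """RSA modulus length in bits from a SubjectPublicKeyInfo, or None for non-RSA keys."""
    (_, alg_id), (_, pubkey) = list(_children(spki))[:2]
    oid = next(v for t, v in _children(alg_id) if t == 0x06)
    if oid != RSA_ENCRYPTION_OID:
        return None
    _, rsa_public_key, _ = _read_tlv(pubkey[1:], 0)  # BIT STRING: skip the unused-bits byte
    _, modulus, _ = _read_tlv(rsa_public_key, 0)      # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()  # leading 0x00 sign pad does not count


def describe_certificate(der):
    """Return (signature algorithm name, RSA key bits or None) for one DER certificate."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs = next(_children(cert))
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:  # explicit [0] version is present on v2/v3 certificates
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    sig_oid = next(v for t, v in _children(fields[1][1]) if t == 0x06)
    return SIGNATURE_OIDS.get(sig_oid, "unknown:" + sig_oid.hex()), rsa_modulus_bits(fields[5][1])


def parse_pem_chain(pem_text):
    """Return the DER bytes of every CERTIFICATE block in PEM text, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text, max_rsa_bits=2048):
    """Return (index, signature_algorithm, key_bits, ok) per cert; ok is False above max_rsa_bits."""
    report = []
    for i, der in enumerate(parse_pem_chain(pem_text)):
        sig, bits = describe_certificate(der)
        report.append((i, sig, bits, bits is None or bits <= max_rsa_bits))
    return report


# --- constructed sample data: synthetic, unsigned certificates, not real ones ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))  # always positive


def make_test_cert(modulus_bits, sig_oid):
    """Build a synthetic DER certificate whose RSA modulus is exactly modulus_bits long."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))
    sig_alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    empty = _der(0x30, b"")  # stands in for issuer, validity and subject
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + sig_alg + empty + empty + empty + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00\x00"))


def to_pem(der):
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"


# Chain shaped like the one in the article: 2048/sha256 server, 2048/sha384 intermediate, 4096/sha384 root
SAMPLE_CHAIN = "".join(to_pem(make_test_cert(bits, oid)) for bits, oid in [
    (2048, bytes.fromhex("2a864886f70d01010b")),
    (2048, bytes.fromhex("2a864886f70d01010c")),
    (4096, bytes.fromhex("2a864886f70d01010c")),
])

if __name__ == "__main__":
    for idx, sig, bits, ok in audit_chain(SAMPLE_CHAIN):
        print(f"cert {idx}: {sig}, RSA {bits} bits -> {'ok' if ok else 'exceeds 2048-bit back-end limit'}")
```

Run against the real chain by reading the PEM file into a string and passing it to audit_chain; the third entry of the sample output is the one the article describes, a root signed with sha384 and carrying a 4096-bit key, which is what the VPX back-end connection cannot handle.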
