Decrypt error (51) is sent to the user by NetScaler Gateway when the user presents a client certificate signed with RSA-PSS
Article ID: CTX214924
Description
The customer has client certificate authentication configured on NetScaler Gateway. The customer recently changed the client certificates, bound all the required CA and intermediate CA certificates to the gateway VIP, and installed the same certificates on the client PCs.
With the new certificate, when a user accesses the gateway FQDN and submits the certificate, the user receives the error "decrypt error (51)".
Resolution
The customer changed the signature algorithm to SHA256RSA to fix the issue.
Problem Cause
The new client certificates use the signature hash algorithm RSA-PSS.
In the NetScaler CertificateRequest message, the listed signature algorithms are: MD5withRSA, SHA1withRSA, SHA256withRSA & SHA1withRSA.
RSA-PSS is not in that list, so the NetScaler is not able to decrypt the certificate when the client presents it, and the handshake fails with the TLS alert decrypt_error (51).
The previous client certificates used SHA1withRSA as the signature hash algorithm.
As documented at http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-client-auth.html, NetScaler does not support certificates signed with RSA-PSS.
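As an added illustration (not from the article or from Citrix), the following Python check reads the outer signatureAlgorithm OID of a DER-encoded client certificate and compares it with the algorithms the article says the NetScaler CertificateRequest advertises, so a certificate signed with RSA-PSS can be caught before it is rolled out to clients. The two sample certificates are constructed stubs with a dummy tbsCertificate; on a real file, `openssl x509 -in client.crt -noout -text` shows the same Signature Algorithm field.

```python
# Algorithms the article says the NetScaler CertificateRequest lists.
ADVERTISED = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "sha256WithRSAEncryption"}

# Common PKCS#1 signature-algorithm OIDs.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode the base-128 body of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Name (or dotted OID) of the certificate's outer signatureAlgorithm."""
    _, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)                 # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)            # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return OID_NAMES.get(_decode_oid(oid_raw), _decode_oid(oid_raw))

def accepted_by_netscaler(cert_der):
    """True if the signature algorithm is one the CertificateRequest advertises."""
    return signature_algorithm(cert_der) in ADVERTISED

def _fake_cert(oid_bytes):
    """Constructed stub: dummy tbsCertificate, real AlgorithmIdentifier OID, dummy signature."""
    tbs = b"\x30\x03\x02\x01\x02"                  # SEQUENCE { INTEGER 2 } placeholder
    alg = b"\x30" + bytes([len(oid_bytes) + 2]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes
    sig = b"\x03\x02\x00\xff"                      # BIT STRING placeholder
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
RSA_PSS_CERT = _fake_cert(bytes.fromhex("2a864886f70d01010a"))     # 1.2.840.113549.1.1.10
```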