How Does the NetScaler Classify Certificates as Server, Client, Root, Intermediate, or Unknown in 12.0 56.20 Build?


Article ID: CTX230564


Description

How does the NetScaler classify certificates as Server, Client, Root, Intermediate, or Unknown in 12.0 56.20?

When a certificate-key pair is installed, NetScaler determines which certificate type or types the certificate should be classified as. Any certificate (whether Server, Client, Root, or Intermediate) that is installed with a private key can be classified and bound to a virtual server or service as both a server and client certificate. This means that the NetScaler is now able to classify certificates as more than one type.

In addition, a new GUI enhancement allows users to see certificate-key pairs that could not be classified as Server, Client, Root, or Intermediate. These are classified as Unidentified in the CLI and can be seen in the Unknown Certificates bucket through the GUI. 

Unknown Certificates

The following are the criteria for classifying certificate types:

Server Certificate

A certificate can be classified as a server certificate if one of the following conditions match:

  • A “key” is also provided while adding the certificate.
  • The ex_nscert extension has the server cert flag (NS_SSL_SERVER) set.
  • The XKU extension has the server cert flag (XKU_SSL_SERVER) set.

Client Certificate

A certificate can be classified as a client certificate if one of the following conditions match:

  • A “key” is also provided while adding the certificate.
  • The ex_nscert extension has the client cert flag (NS_SSL_CLIENT) set.
  • The XKU extension has the client cert flag (XKU_SSL_CLIENT) set.

Root CA

A certificate can be classified as a Root CA certificate if the following condition is true:

  • Check_ca() returns true AND the subject name is the same as the issuer name.

Intermediate CA

A certificate can be an intermediate CA if the following condition is true:

  • Check_ca() returns true AND subject name is not equal to issuer name.

Unidentified certificates

If none of the above conditions match, then we are unable to classify the certificate and thus the certificate falls into the unidentified category.
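The rules above can be applied to a certificate inventory to predict which buckets each entry lands in. The following is an added example, not Citrix code: the `CertFacts` record and `classify` function are hypothetical, the flag bit values are the ones OpenSSL's x509v3.h defines for these names (assumed to match), `is_ca` stands in for the result of Check_ca(), and names are compared as plain strings.

```python
from __future__ import annotations
from dataclasses import dataclass

# Bit values from OpenSSL's x509v3.h; assumed to match the flags the article names.
NS_SSL_CLIENT, NS_SSL_SERVER = 0x80, 0x40
XKU_SSL_SERVER, XKU_SSL_CLIENT = 0x01, 0x02

@dataclass
class CertFacts:
    """Hypothetical record of the inputs the classification rules look at."""
    subject: str
    issuer: str
    has_key: bool = False   # certificate was added together with a private key
    ex_nscert: int = 0      # Netscape cert-type bits
    xku: int = 0            # extended key usage bits
    is_ca: bool = False     # stands in for Check_ca() returning true

def classify(c: CertFacts) -> set[str]:
    """Return every type the certificate qualifies for (can be more than one)."""
    types = set()
    if c.has_key or c.ex_nscert & NS_SSL_SERVER or c.xku & XKU_SSL_SERVER:
        types.add("Server")
    if c.has_key or c.ex_nscert & NS_SSL_CLIENT or c.xku & XKU_SSL_CLIENT:
        types.add("Client")
    if c.is_ca:
        # Self-issued CA is a root; any other CA is an intermediate.
        types.add("Root" if c.subject == c.issuer else "Intermediate")
    return types or {"Unidentified"}

# Constructed sample inventory (not taken from a real appliance).
INVENTORY = {
    "root-with-key": CertFacts("CN=Lab Root", "CN=Lab Root", has_key=True, is_ca=True),
    "issuing-ca": CertFacts("CN=Lab Issuing", "CN=Lab Root", is_ca=True),
    "web-leaf-no-key": CertFacts("CN=www", "CN=Lab Issuing", xku=XKU_SSL_SERVER),
    "bare-leaf": CertFacts("CN=legacy", "CN=Lab Issuing"),
}

def multi_typed(inventory: dict[str, CertFacts]) -> list[str]:
    """Names of CA certificates that are also bindable as Server/Client."""
    return sorted(n for n, c in inventory.items()
                  if classify(c) & {"Root", "Intermediate"}
                  and classify(c) & {"Server", "Client"})

if __name__ == "__main__":
    for name, facts in INVENTORY.items():
        print(f"{name}: {sorted(classify(facts))}")
    print("CA certs also bindable as server/client:", multi_typed(INVENTORY))
```

`multi_typed` picks out the case an inventory review should look at: a CA certificate installed with its private key also qualifies as Server and Client, so it can be bound to a virtual server or service.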

Issue/Introduction

This article covers NetScaler certificates in the 12.0.56.20 build.