Article ID: CTX230801
Description
When Secure Web is set to 'Tunneled to Internal network' and 'Secure Browse' mode, websites that use a 4096-bit certificate do not launch.
Resolution
On a NetScaler VPX appliance below version 12.0, the virtual appliance supports certificates from 512 bits up to the following sizes:
- 4096-bit server certificate on the virtual server
- 4096-bit client certificate on the service
- 4096-bit CA certificate (includes intermediate and root certificates)
- 2048-bit certificate on the back end server
- 2048-bit client certificate (if client authentication is enabled on the virtual server)
We can access the website if the Network Access is set to 'Unrestricted' in the Secure Web MDX Policy.
We do not have this issue on the NetScaler MPX appliance. For further details, see https://support.citrix.com/article/CTX206268
Starting with release 12.0, a NetScaler appliance supports all the signature_algorithms extensions. Hence the issue is resolved by upgrading the VPX appliance to NetScaler v12.0 or above.
Problem Cause
The 4096-bit certificate is not supported on the backend server. Hence accessing websites with a 4096-bit encryption certificate is not possible.
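To confirm whether a given certificate falls outside the sizes listed under Resolution, the script below reads the RSA key size from a PEM file and compares it with the limit for its role. It is an added example, not part of the Citrix article: it assumes the `openssl` command-line tool is installed, and the role labels and function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example. Limits are the article's list for NetScaler VPX below 12.0;
# the role labels used here are names chosen for this script.

# Maximum supported key size (bits) for a certificate role.
vpx_max_bits() {
    case "$1" in
        vserver|service-client|ca) echo 4096 ;;
        backend|client-auth)       echo 2048 ;;
        *) return 2 ;;
    esac
}

# RSA public key size (bits) of a PEM certificate; prints nothing if the
# file is unreadable or the key is not RSA.
cert_key_bits() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 0
    case "$txt" in *"Public Key Algorithm: rsaEncryption"*) ;; *) return 0 ;; esac
    printf '%s\n' "$txt" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# 0 = within 512..max for the role, 1 = outside the range, 2 = cannot decide.
check_vpx_cert() {
    role=$1; pem=$2
    max=$(vpx_max_bits "$role") || { echo "unknown role: $role" >&2; return 2; }
    bits=$(cert_key_bits "$pem")
    [ -n "$bits" ] || { echo "cannot read RSA key size: $pem" >&2; return 2; }
    if [ "$bits" -ge 512 ] && [ "$bits" -le "$max" ]; then
        echo "OK: $role certificate is ${bits}-bit (limit $max)"
    else
        echo "UNSUPPORTED: $role certificate is ${bits}-bit (limit $max)"
        return 1
    fi
}

# Constructed sample input: throwaway self-signed RSA certificate of $1 bits.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=constructed.example" -days 1 2>/dev/null
}

# Usage: sh check_vpx_cert.sh <role> <cert.pem>
if [ "$#" -eq 2 ]; then check_vpx_cert "$1" "$2"; fi
```

Run it with the `backend` role against the certificate exported from the internal web server; a non-zero exit for a 4096-bit certificate matches the Problem Cause above.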