Understanding Zero Touch Certificate Management (ZTCM) in Citrix NetScaler

Article ID: CTX693217

Description

Summary:
This article addresses frequently asked questions regarding the behavior of Zero Touch Certificate Management (ZTCM) in Citrix NetScaler, including how it handles certificate synchronization, SNI-based certificate selection, and coexistence with legacy configurations.


Instructions

Overview

Zero Touch Certificate Management (ZTCM) simplifies SSL certificate deployment by automating synchronization between NetScaler Console (formerly ADM) and NetScaler ADC instances. It eliminates manual certificate bindings and dynamically manages certificate lifecycle operations such as install, bind, and delete through periodic polling.

Frequently Asked Questions (FAQs)

1. Which repository is used during ZTCM polling to compare certificates?

During each polling interval (default: every 10 minutes), the NetScaler ADC instance compares its local certificate/key store (packet engine) against the Zero Touch Certificate Store in the NetScaler Console.

  • Any certificate or key present on the appliance but missing from the ZTCM repository will be automatically removed.

  • The SSL Certificate Dashboard is used for visibility and monitoring, but not as the source of truth for ZTCM operations.


2. How are certificates selected during the TLS handshake? What if the client does not send SNI?

NetScaler selects the appropriate certificate based on the SNI (Server Name Indication) provided in the client’s SSL Client Hello packet. A hashed lookup mechanism is used to efficiently retrieve the correct certificate from the ZTCM repository.

For clients that do not send SNI, there are two supported fallback options:

  • Manual Certificate Binding:
    Manually binding a certificate to the SSL vServer bypasses ZTCM for that vServer. This is useful for legacy applications.

Note: ZTCM and legacy certificate bindings can coexist on the same appliance.


3. Will losing connectivity to NetScaler Console impact SSL traffic if ZTCM is enabled?

  • No, existing SSL traffic will not be interrupted as long as no new certificate is required.

  • However, if the appliance is rebooted while disconnected from the Console, it will lose its local ZTCM certificate store, and any dependent vServers may fail to serve traffic until resynchronization occurs.


4. Why don’t I see SSL certificate bindings in the configuration file?

When ZTCM is enabled, certificate bindings are dynamically managed by the NetScaler packet engine and not stored in the ns.conf configuration file. This is expected behavior and reflects ZTCM’s design to centralize and automate certificate deployment.


5. Is it necessary to enable the SNI option in the SSL profile for ZTCM to work?

No, ZTCM does not require enabling SNI in the SSL profile. The appliance automatically evaluates the SNI in the Client Hello message and uses it for certificate selection.


6. Does ZTCM support backend SSL connections?

Yes, ZTCM can be used for both frontend (client-facing) and backend (server-facing) SSL connections, making it suitable for end-to-end certificate management.


7. Can I reuse the same certificate name when updating a cert in ZTCM?

Best Practice: Avoid reusing the same certificate name when uploading an updated version of a certificate.

Using a unique name ensures the new certificate is correctly detected and avoids potential sync issues.
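As an added illustration (not NetScaler code and not part of this article), the following Python models the behaviour described in questions 1, 2 and 7: a polling cycle that installs what the Console repository has and deletes what it lacks, the SNI lookup with a manual vServer binding as the fallback for clients that send no SNI, and a warning when a name is reused with different key material. All names, fingerprints and hostnames are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CertEntry:
    name: str          # certificate/key pair name as shown on the appliance
    fingerprint: str   # constructed placeholder standing in for a cert hash
    sni_names: tuple   # hostnames whose SNI should select this certificate

def plan_sync(repository, local_store):
    """One polling interval: the Console repository is the source of truth.
    Returns (to_install, to_delete, warnings); names are sorted lists."""
    to_install = sorted(n for n in repository if n not in local_store)
    # Present on the appliance but absent from the ZTCM store -> removed.
    to_delete = sorted(n for n in local_store if n not in repository)
    warnings = []
    for name, entry in repository.items():
        local = local_store.get(name)
        if local is not None and local.fingerprint != entry.fingerprint:
            warnings.append(f"{name}: reused name with new key material; "
                            "upload the update under a new name")
    return to_install, to_delete, warnings

def build_sni_index(store):
    """Hash-style lookup table: lowercase hostname -> certificate entry."""
    return {h.lower(): e for e in store.values() for h in e.sni_names}

def select_certificate(sni, index, manual_binding=None):
    """Handshake-time model: an SNI hit wins; otherwise the certificate
    manually bound to the SSL vServer (if any); otherwise None."""
    if sni:
        hit = index.get(sni.lower())
        if hit is not None:
            return hit
    return manual_binding

# Constructed sample data (not taken from the article).
REPOSITORY = {
    "web-2024": CertEntry("web-2024", "fp-aaa", ("www.example.com", "example.com")),
    "api-2024": CertEntry("api-2024", "fp-bbb", ("api.example.com",)),
}
LOCAL_STORE = {
    "web-2024": CertEntry("web-2024", "fp-old", ("www.example.com", "example.com")),
    "legacy-2019": CertEntry("legacy-2019", "fp-ccc", ("old.example.com",)),
}
LEGACY_BINDING = CertEntry("legacy-manual", "fp-ddd", ())

if __name__ == "__main__":
    install, delete, warns = plan_sync(REPOSITORY, LOCAL_STORE)
    print("install:", install, "delete:", delete, "warnings:", warns)
    index = build_sni_index(REPOSITORY)
    print(select_certificate("API.example.com", index).name)        # api-2024
    print(select_certificate(None, index, LEGACY_BINDING).name)     # legacy-manual
```

Running the dry run before changing the Console repository shows which certificates the next poll would delete from the appliance, which is the practical way to avoid surprising removals.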


Verification Commands

To check ZTCM status on a NetScaler ADC, run:

show ssl zerotouch
