Summary:
This article addresses frequently asked questions regarding the behavior of Zero Touch Certificate Management (ZTCM) in Citrix NetScaler, including how it handles certificate synchronization, SNI-based certificate selection, and coexistence with legacy configurations.
Zero Touch Certificate Management (ZTCM) simplifies SSL certificate deployment by automating synchronization between NetScaler Console (formerly ADM) and NetScaler ADC instances. It eliminates manual certificate bindings and dynamically manages certificate lifecycle operations such as install, bind, and delete through periodic polling.
During each polling interval (default: every 10 minutes), the NetScaler ADC instance compares its local certificate/key store (packet engine) against the Zero Touch Certificate Store in the NetScaler Console.
Any certificate or key present on the appliance but missing from the ZTCM repository will be automatically removed.
The SSL Certificate Dashboard is used for visibility and monitoring, but not as the source of truth for ZTCM operations.
NetScaler selects the appropriate certificate based on the SNI (Server Name Indication) provided in the client’s SSL Client Hello packet. A hashed lookup mechanism is used to efficiently retrieve the correct certificate from the ZTCM repository.
For clients that do not send SNI, there are two supported fallback options:
Manual Certificate Binding:
Manually binding a certificate to the SSL vServer bypasses ZTCM for that vServer. This is useful for legacy applications.
Note: ZTCM and legacy certificate bindings can coexist on the same appliance.
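The following Python model is an added illustration of the two behaviours described above (the polling-interval reconciliation against the Console repository, and SNI-based selection with a manual binding as the no-SNI fallback); it is not NetScaler code and does not reflect Citrix's implementation. It assumes that both stores are keyed by certificate name, that reconciliation compares by name only (which is why the best practice of giving an updated certificate a new name matters), that SNI selection is a hash-table lookup on the hostname, and that a manual binding on a vServer is left untouched by polling. All certificate names, hostnames and fingerprints are constructed placeholders.

```python
"""Simplified model of a ZTCM polling cycle and SNI-based certificate selection.

Added example, not NetScaler code. Assumptions (all labelled, none from the article's
internals): stores keyed by certificate name, name-only reconciliation, hash lookup
on the SNI hostname, manual bindings outside ZTCM's control.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str          # certificate/key pair name as it appears in the store
    hostname: str      # hostname the certificate is issued for (constructed)
    fingerprint: str   # placeholder, not a real hash


@dataclass
class LocalStore:
    """The appliance-side (packet engine) view of the ZTCM certificate store."""
    certs: Dict[str, Cert] = field(default_factory=dict)            # name -> Cert
    sni_index: Dict[str, Cert] = field(default_factory=dict)        # hostname -> Cert
    manual_bindings: Dict[str, Cert] = field(default_factory=dict)  # vServer -> Cert


def poll(store: LocalStore, repo: Dict[str, Cert]) -> Tuple[List[str], List[str]]:
    """One polling interval.

    Installs every name the repository has and the appliance lacks, removes every
    name the appliance has and the repository lacks. Because comparison is by name,
    a repository entry that reuses an existing name with new contents is NOT
    detected; this is the sync issue the best practice warns about.
    Returns (installed_names, removed_names).
    """
    installed = sorted(n for n in repo if n not in store.certs)
    removed = sorted(n for n in store.certs if n not in repo)
    for name in removed:
        gone = store.certs.pop(name)
        store.sni_index.pop(gone.hostname, None)
    for name in installed:
        cert = repo[name]
        store.certs[name] = cert
        store.sni_index[cert.hostname] = cert
    return installed, removed


def select_cert(store: LocalStore, vserver: str, sni: Optional[str]) -> Optional[Cert]:
    """Certificate selection for one TLS handshake on a vServer.

    A manual binding wins and bypasses ZTCM for that vServer (legacy fallback).
    Otherwise the SNI from the Client Hello is looked up in the hash index.
    With neither SNI nor a manual binding there is nothing to serve.
    """
    if vserver in store.manual_bindings:
        return store.manual_bindings[vserver]
    if sni is None:
        return None
    return store.sni_index.get(sni)


if __name__ == "__main__":
    store = LocalStore()
    repo = {"app1-cert": Cert("app1-cert", "app1.example.com", "fp-A1")}
    print("first poll:", poll(store, repo))
    print("SNI app1  :", select_cert(store, "vs1", "app1.example.com"))
    print("no SNI    :", select_cert(store, "vs1", None))
    # Reusing the name for an updated certificate goes unnoticed.
    repo["app1-cert"] = Cert("app1-cert", "app1.example.com", "fp-A2")
    print("reused name poll:", poll(store, repo), "->", store.certs["app1-cert"].fingerprint)
    # A unique name is installed and the stale one removed.
    del repo["app1-cert"]
    repo["app1-cert-v2"] = Cert("app1-cert-v2", "app1.example.com", "fp-A2")
    print("unique name poll:", poll(store, repo), "->", store.sni_index["app1.example.com"].fingerprint)
```

Running the script walks through the scenario in the article: the first poll installs the certificate, the hostname lookup returns it, a client without SNI gets nothing unless the vServer has a manual binding, and an updated certificate uploaded under the old name survives a poll unchanged while the same update under a new name is picked up and the stale copy removed.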
No, existing SSL traffic will not be interrupted as long as no new certificate is required.
However, if the appliance is rebooted while disconnected from the Console, it will lose its local ZTCM certificate store, and any dependent vServers may fail to serve traffic until resynchronization occurs.
When ZTCM is enabled, certificate bindings are dynamically managed by the NetScaler packet engine and not stored in the ns.conf configuration file. This is expected behavior and reflects ZTCM’s design to centralize and automate certificate deployment.
No, ZTCM does not require enabling SNI in the SSL profile. The appliance will automatically evaluate the SNI in the client Hello message and use it for certificate selection.
Yes, ZTCM can be used for both frontend (client-facing) and backend (server-facing) SSL connections, making it suitable for end-to-end certificate management.
Best Practice: Avoid reusing the same certificate name when uploading an updated version of a certificate.
Using a unique name ensures the new certificate is correctly detected and avoids potential sync issues.
To check ZTCM status on a NetScaler ADC: show ssl zerotouch