Update NetScaler Console certificate

Article ID: CTX693297

Description

NetScaler Console allows you to replace the default built-in database certificates with your own certificates from a trusted certificate authority. You can also configure your own cipher suites in the NetScaler Console database. This feature provides greater flexibility and security for your certificate management needs, and secures all communication between your HA nodes with trusted SSL certificates.

Many security checks require the existing 2K (2048-bit) certificate to be replaced with a 4K (4096-bit) certificate.

Normal operation is not impacted by this change.


Instructions

Below are the details of replacing the PostgreSQL self-signed certificate with a custom certificate.

Manage database custom certificates and ciphers in a high-availability deployment

The GUI option is currently available only for NetScaler Console HA. For a standalone deployment, the certificate has to be replaced manually.

Follow the steps below to change the certificate manually on a standalone NetScaler ADM. First bring up the standalone ADM VM, then install the custom certificates by executing the commands that follow.

Go to the ADM shell and execute the following commands:
mkdir -p /var/mps/pg_certs/cert_files/root/
mkdir -p /var/mps/pg_certs/cert_files/server/
mkdir -p /var/mps/pg_certs/cert_files/key/

#copy all 3 required files into their respective folders:
#server certificate at /var/mps/pg_certs/cert_files/server/
#server key file at /var/mps/pg_certs/cert_files/key/
#root certificate at /var/mps/pg_certs/cert_files/root/

#delete the previous files from the server directory
find /var/mps/pg_certs/server -mindepth 1 ! -name "root.crt" -exec rm -rf {} +

#copy the new files to the server directory
cp /var/mps/pg_certs/cert_files/server/<server_file_name> /var/mps/pg_certs/server/pg_server.crt
cp /var/mps/pg_certs/cert_files/key/<server_key_file> /var/mps/pg_certs/server/pg_server.key
chown mpspostgres:nobody /var/mps/pg_certs/server/pg_server.crt
chown mpspostgres:nobody /var/mps/pg_certs/server/pg_server.key
chmod 660 /var/mps/pg_certs/server/pg_server.crt
chmod 660 /var/mps/pg_certs/server/pg_server.key

#delete the previous files from the client directories
find /var/mps/pg_certs/client/masrepuser -mindepth 1 ! -name "pg_masrepuser.crt" ! -name "pg_masrepuser.key" -exec rm -rf {} +
find /var/mps/pg_certs/client/pg_rewind -mindepth 1 ! -name "pg_pg_rewind.crt" ! -name "pg_pg_rewind.key" -exec rm -rf {} +

#copy the new root certificate to the client directories
cp -f /var/mps/pg_certs/cert_files/root/<server_root_file> /var/mps/pg_certs/client/masrepuser/root.crt
cp -f /var/mps/pg_certs/cert_files/root/<server_root_file> /var/mps/pg_certs/client/pg_rewind/root.crt
chown mpspostgres:nobody /var/mps/pg_certs/client/masrepuser/root.crt
chown mpspostgres:nobody /var/mps/pg_certs/client/pg_rewind/root.crt
chmod 660 /var/mps/pg_certs/client/masrepuser/root.crt
chmod 660 /var/mps/pg_certs/client/pg_rewind/root.crt

#copy the files to /var/mps/db_pgsql/data/
cp -f /var/mps/pg_certs/server/pg_server.crt /var/mps/db_pgsql/data/server.crt
cp -f /var/mps/pg_certs/server/pg_server.key /var/mps/db_pgsql/data/server.key
chown mpspostgres:nobody /var/mps/db_pgsql/data/server.crt
chown mpspostgres:nobody /var/mps/db_pgsql/data/server.key
chmod 600 /var/mps/db_pgsql/data/server.crt
chmod 600 /var/mps/db_pgsql/data/server.key
mkdir -p /var/mps/db_pgsql/data/client
cp -R -f /var/mps/pg_certs/client /var/mps/db_pgsql/data/
chown -R mpspostgres:nobody /var/mps/db_pgsql/data/client
chmod 700 /var/mps/db_pgsql/data/client
chmod 600 /var/mps/db_pgsql/data/client/masrepuser/*key
chmod 600 /var/mps/db_pgsql/data/client/pg_rewind/*key
chmod 600 /var/mps/db_pgsql/data/client/masrepuser/root.crt
chmod 600 /var/mps/db_pgsql/data/client/pg_rewind/root.crt

#change the permissions of the new files under /var/mps/pg_certs/cert_files/
chmod 660 /var/mps/pg_certs/cert_files/root/<server_root_file>
chmod 660 /var/mps/pg_certs/cert_files/key/<server_key_file>
chmod 660 /var/mps/pg_certs/cert_files/server/<server_file_name>

#reload the PostgreSQL configuration without stopping and restarting the database
su -l mpspostgres -c /mps/scripts/pgsql/reloadpgsql.sh

 

Note:

If there are multiple chain certificates, you must combine them into a single file. Make sure that the order of concatenation is correct, with the intermediate certificates first, followed by the root certificate. This order is essential for the certificate chain to be recognized correctly.

For example, the following commands append the content of each certificate file (intermediate_certificate1.crt, intermediate_certificate2.crt, and root_certificate.crt) to the file named combined_certs.crt:

cat intermediate_certificate1.crt >> combined_certs.crt
cat intermediate_certificate2.crt >> combined_certs.crt
cat root_certificate.crt >> combined_certs.crt

Additional Information

Manage database custom certificates and ciphers in a high-availability deployment