When you install a certificate on the NetScaler appliance, the following error message appears:
"resource already exists"
When you create certificates, each certificate must have a unique serial number. Additionally, the certificate has the following components that help identify a certificate:
Subject: This is the common name to which the certificate is issued. The Subject is generally a domain name. This is a unique identifier to which the certificate is issued.
Serial Number: This is a unique number for the certificate. This number is issued by a certification authority.
Issuer unique identifier: This is a unique identification for the certificate issuing authority.
Subject unique identification: This is the unique identification for the owner of the certificate.
You cannot install two certificates with the same serial number from the same certification authority.
To resolve this issue, make sure that every certificate you install from the same certification authority has a unique serial number. Each certification authority maintains a list of unique serial numbers for the certificates it has issued.
You might also receive this error if you have installed the same certificate twice and are now trying to update the certificate. To resolve this issue, restart the NetScaler, unbind the certificate from the resources that it is bound to, remove the certificate and then update and bind the certificate.
Some of the certificates have the same serial number issued by the same certification authority.
To verify the certificate details, check the output of the following commands for each certificate installed on the NetScaler appliance:
From the shell prompt, run the following command to display the information about the certification authority:
openssl x509 -in /nsconfig/ssl/<cert_name>.crt -text -noout | grep Issuer
The following is the sample output of the command:
Example.site1.com.crt Issuer: C=US, ST=TX, L=Plano, O=Example Inc, OU=Engineering, CN=Example RSC Server Root IN/emailAddress=examplerscrootin@example.com
Example.site2.com.crt Issuer: C=US, ST=TX, L=Plano, O=Example Inc, OU=Engineering, CN=Example RSC Server Root CA/emailAddress=examplerscrootin@example.com
From the shell prompt, run the following command to display the information about the serial number of the certificate:
openssl x509 -in /nsconfig/ssl/<cert_name>.crt -text -noout | grep Serial
The following is the sample output of the command:
Example.site1.com.crt Serial Number: 41 (0x29)
Example.site2.com.crt Serial Number: 41 (0x29)
Example.site1.com.crt Serial Number: 42 (0x2a)
After analyzing these outputs, you can conclude that some of the certificates have the same serial number issued by the same certification authority, which is causing this issue.
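The per-certificate check above can be run across a whole directory in one pass. The script below is an added example, not Citrix tooling: the function names cert_ids, find_dupes and sample_ids are hypothetical, the sample data is constructed, and it assumes the certificate files are PEM encoded and uses the -serial and -issuer options of openssl x509.

```shell
#!/bin/sh
# Added example (not Citrix code): report certificate files that share
# both an issuer and a serial number.

# Emit "file<TAB>serial<TAB>issuer" for each PEM certificate in a directory.
# Files openssl cannot parse as a PEM certificate (keys, CSRs, DER) are skipped.
cert_ids() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        serial=$(openssl x509 -in "$f" -noout -serial 2>/dev/null) || continue
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$f" "${serial#serial=}" "${issuer#issuer=}"
    done
}

# Read cert_ids-style lines on stdin and print one line per (issuer, serial)
# pair that appears in more than one file. The same serial under a
# different issuer is not a conflict.
find_dupes() {
    awk -F '\t' '
        { key = $2 FS $3; count[key]++; files[key] = files[key] " " $1 }
        END {
            for (key in count) if (count[key] > 1) {
                split(key, part, FS)
                printf "serial=%s issuer=%s files:%s\n", part[1], part[2], files[key]
            }
        }' | sort
}

# Constructed sample data, used when no directory is given.
sample_ids() {
    ca='C=US, O=Example Inc, CN=Example Root CA'
    printf '%s\t%s\t%s\n' \
        site1.crt 29 "$ca" \
        site2.crt 29 "$ca" \
        site3.crt 2A "$ca" \
        site4.crt 29 'C=US, O=Example Inc, CN=Other Root CA'
}

# Usage: sh script.sh /nsconfig/ssl   (no argument: run on the sample data)
if [ "$#" -gt 0 ]; then cert_ids "$1" | find_dupes; else sample_ids | find_dupes; fi
```

Each line of output names one issuer and serial pair and the files that carry it; those are the certificates that cannot be installed side by side.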