When attempting to add a certificate with a key size greater than 512 bits to a NetScaler appliance, the following error message is displayed:
"Certificate with key size greater than RSA512 or DSA512 bits not supported"
The following entry is also logged to the "ns.log" file:
Command "add ssl certKey <Key_Name> -cert "/nsconfig/ssl/<Certificate_File_Name>.cer" -key "/nsconfig/ssl/<Key_File_Name>.key" -inform PEM -expiryMonitor DISABLED" - Status "ERROR: Certificate with key size greater than RSA512 or DSA512 bits not supported"
To resolve this issue, apply either or both of the following resolutions, as required:
Allocate or reallocate the correct license with the correct Host ID/HostName to the NetScaler appliance. For assistance in allocating the proper license, see CTX122426 - Citrix NetScaler VPX and CloudBridge VPX Licensing Guide and CTX121062 - How to License NetScaler Appliances Using Manage Licenses Tool.
Note: Perform a complete reboot instead of just a warm reboot of the appliance.
Verify whether the installed NetScaler version license is compatible. If not, install the correct license on the appliance.
After applying the required resolution, the additional ciphers are available and you can add a certificate that has a key size greater than 512 bits. The NetScaler appliance supports certificates with key sizes of 512, 1024, 2048, and 4096 bits.
This is a typical node lock restriction issue on a NetScaler appliance on which a license is not applied or a public NetScaler software release is not installed.
When you run the following command from the command line interface, only a limited number of ciphers is displayed:
> sh cipher
1) Alias Name: EXP
   Description: Export ciphers
2) Alias Name: EXPORT
   Description: Export ciphers
3) Alias Name: EXPORT40
   Description: Export ciphers with 40bit encryption
4) Alias Name: EXPORT56
   Description: Export ciphers with 56bit encryption
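The two symptoms described above can be checked together from saved text. The following is an added example, not part of the Citrix article: it scans ns.log text for "add ssl certKey" commands rejected with the key-size error and checks whether saved "sh cipher" output lists only export aliases. The function names, certKey names and file paths are assumptions made for illustration.

```python
import re

# Error text quoted in the article (CLI message and ns.log Status field).
KEY_SIZE_ERROR = "Certificate with key size greater than RSA512 or DSA512 bits not supported"

# The 'Command "..." - Status "..."' fragment as shown in the article's ns.log entry.
ENTRY = re.compile(r'Command "(add ssl certKey .*?)" - Status "([^"]*)"')

def rejected_certkeys(log_text):
    """Return (certKey name, cert path, key path) for each add rejected with the key-size error."""
    hits = []
    for cmd, status in ENTRY.findall(log_text):
        if KEY_SIZE_ERROR not in status:
            continue
        name = re.search(r'add ssl certKey (\S+)', cmd).group(1)
        cert = re.search(r'-cert "([^"]+)"', cmd)
        key = re.search(r'-key "([^"]+)"', cmd)
        hits.append((name, cert and cert.group(1), key and key.group(1)))
    return hits

def only_export_ciphers(show_cipher_output):
    """True when every alias listed by 'sh cipher' is an export alias (EXP*)."""
    aliases = re.findall(r'Alias Name:\s*(\S+)', show_cipher_output)
    return bool(aliases) and all(a.startswith("EXP") for a in aliases)

# Constructed sample input: names, paths and the "Success" line are made up for this example.
SAMPLE_LOG = '''\
Command "add ssl certKey web_2048 -cert "/nsconfig/ssl/web_2048.cer" -key "/nsconfig/ssl/web_2048.key" -inform PEM -expiryMonitor DISABLED" - Status "ERROR: Certificate with key size greater than RSA512 or DSA512 bits not supported"
Command "add ssl certKey test_512 -cert "/nsconfig/ssl/test_512.cer" -key "/nsconfig/ssl/test_512.key" -inform PEM -expiryMonitor DISABLED" - Status "Success"
'''
SAMPLE_CIPHERS = (
    "1) Alias Name: EXP Description: Export ciphers "
    "2) Alias Name: EXPORT Description: Export ciphers "
    "3) Alias Name: EXPORT40 Description: Export ciphers with 40bit encryption "
    "4) Alias Name: EXPORT56 Description: Export ciphers with 56bit encryption"
)

if __name__ == "__main__":
    for name, cert, key in rejected_certkeys(SAMPLE_LOG):
        print(f"rejected certKey {name}: cert={cert} key={key}")
    if only_export_ciphers(SAMPLE_CIPHERS):
        print("only export cipher aliases listed: check the license and reboot as described above")
```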