Error: "Invalid Certificate" When Installing SSL Certificate on ADC Appliance

Article ID: CTX137887

Description

When attempting to install a Secure Sockets Layer (SSL) certificate on an ADC appliance, the process fails with the error "invalid certificate".

Resolution

Hidden Control Characters in Certificate\Key File

You can use the OpenSSL implementation included with the BSD Unix distribution on the ADC to import and export the certificate and key files. The exported files are free of the control characters that prevent successful installation of the certificate and key files:

  1. Use a secure copy program (WinSCP) to copy the certificate and key files to the /nsconfig/ssl directory of the ADC appliance.
    The certificate and key files can also be uploaded to the ADC using the Configuration Utility. Navigate to Traffic Management > SSL > Manage Certificates / Keys / CSRs > Upload.

  2. Open a Secure Shell (SSH) session to the appliance and, after authentication, run the shell command to switch to the shell prompt.

  3. Navigate to /nsconfig/ssl directory:
    cd /nsconfig/ssl

  4. Use OpenSSL to import and export the certificate file. The following example is for PEM or Base64 certificates:
    openssl x509 -in <certificateFileName> -out <newCertificateFileName>

  5. Use OpenSSL to import and export the key file. The following example is for PEM or Base64 key files:
    openssl rsa -in <keyFileName> -out <newKeyFileName>

You will now be able to successfully import the certificate on the ADC appliance by using the new exported version of the files. 
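
To confirm that a file really contains hidden characters before re-exporting it, and that the exported copy no longer does, a check along these lines can be used. This is an added example, not Citrix code: the function names are hypothetical, it relies only on standard tr, grep, wc and cat, and it assumes a PEM file should contain nothing but line feeds and printable ASCII.

```shell
#!/bin/sh
# Added example, not Citrix code. Assumption: a PEM file should contain
# only LF and printable ASCII (0x20-0x7E); anything else is "hidden".

# Print the count of bytes that are neither LF nor printable ASCII
# (CR, TAB, NUL, UTF-8 BOM bytes, non-breaking spaces, ...).
pem_bad_bytes() {
    LC_ALL=C tr -d '\n\040-\176' < "$1" | wc -c | tr -d ' '
}

# Print the count of lines ending in a space (invisible in most editors).
pem_trailing_space_lines() {
    LC_ALL=C grep -c ' $' "$1" || true
}

# Report findings; return 0 when the file is clean, 1 otherwise.
pem_check() {
    bad=$(pem_bad_bytes "$1")
    trail=$(pem_trailing_space_lines "$1")
    if [ "$bad" -eq 0 ] && [ "$trail" -eq 0 ]; then
        echo "$1: clean"
        return 0
    fi
    echo "$1: $bad hidden byte(s), $trail line(s) with trailing spaces"
    # List offending lines with control bytes made visible by cat -v
    # (^M is a carriage return, M-oM-;M-? is a UTF-8 byte order mark).
    LC_ALL=C grep -a -n -e '[^ -~]' -e ' $' "$1" | cat -v
    return 1
}

# Constructed samples (dummy Base64 body, not a real certificate):
# one saved with a BOM and CRLF line endings, one clean.
demo=$(mktemp -d "${TMPDIR:-/tmp}/pemcheck.XXXXXX")
printf '\357\273\277%s\r\n%s\r\n%s\r\n' '-----BEGIN CERTIFICATE-----' \
    'QUJD' '-----END CERTIFICATE-----' > "$demo/dirty.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
    '-----END CERTIFICATE-----' > "$demo/clean.pem"
pem_check "$demo/dirty.pem" || echo "re-export this file with openssl first"
pem_check "$demo/clean.pem"
rm -rf "$demo"
```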

SSL Certificate not Encoded in Base-64 Format

Open the certificate on a Windows computer and convert it to Base-64 encoded X.509 (.CER) and then install the certificate on the appliance:

  1. Go to Start > Run and type mmc on a Windows machine.

  2. Double-click and open the certificate file that you want to convert.

  3. Click Details.

  4. Click Copy to File.

  5. Select the Base-64 encoded X.509 (.CER) option.

  6. Click Next.

  7. Browse to the location you want to save the converted certificate. Name the file with a .cer extension.

  8. Click Next.

Install the converted certificate on the NetScaler appliance.

PKCS #7 Certificate Incorrectly Converted to PEM Format

This error occurs when the PKCS #7 (.p7b) certificate is incorrectly converted to PEM format. Refer to CTX124783 - How to Convert a PKCS #7 Certificate to PEM Format for the correct procedure.


Problem Cause

This issue is caused by hidden space control characters within the certificate/key file.

Issue/Introduction

When attempting to install a Secure Sockets Layer (SSL) certificate on a NetScaler appliance, the process fails with the error “invalid certificate”.

Additional Information

CTX109260 – How to Generate and Install a Public SSL Certificate on a NetScaler Appliance

CTX108858 – How to Import Existing Certificates and Keys to a NetScaler Server

The OpenSSL Project

CTX120668 – How to export certificates used on NetScaler as PFX