Java KeyStore is Corrupted or Certificate is Missing After Certificate is Updated on NetScaler

Article ID: CTX138849

Description

After certificate updates or at random, the Java KeyStore might become corrupt or might be missing a certificate. Viewing the logs at /var/wi/tomcat/logs/localhost.date.log shows SSL trust errors.

Background

The Java KeyStore is a repository of security certificates, either authorization certificates or public key certificates used for SSL encryption. It is installed when Web Interface on NetScaler is installed.

When a new site is created on Web Interface, the site is configured by default to trust SSL certificates.

[Screenshot: Web Interface site creation with the Trust SSL certificates option selected]

After site creation, the Trust SSL certificates option copies the server certificate specified in the Access Gateway Vserver field, together with any certificates in its chain, to the Java KeyStore. In the preceding example, the new Web Interface site points to citrix.example.com. The following screenshot lists the certificate bound to that Access Gateway Enterprise Edition virtual server.

[Screenshot: certificate bound to the Access Gateway Enterprise Edition virtual server]

The certificate for example-systems is copied to the Java KeyStore, along with any certificates chained to it. The following screenshot shows the master list of SSL certificates on the NetScaler appliance.

[Screenshot: master list of SSL certificates on the NetScaler appliance]

Click example-systems. Clicking the certificate links then displays the chained certificates.

[Screenshot: certificate chain linked from the example-systems certificate]

Resolution

To resolve this issue, import the certificate authority (CA) certificates into the Java trusted store manually by completing the following procedure:

  1. Open the command line interface of the NetScaler appliance.

  2. Run the following command to back up the existing KeyStore (the copy is placed beside the original):
    root@netscaler10# cp /var/wi/java_home/jre/lib/security/cacerts /var/wi/java_home/jre/lib/security/cacerts.bak

  3. Using a secure file transfer utility such as WinSCP, copy the /netscaler/wi/export_cert.sh file to a local machine.

    [Screenshot: copying /netscaler/wi/export_cert.sh to the local machine with WinSCP]

  4. Open the export_cert.sh file on the local machine with Notepad and locate the variable STOREPASS=changeit.

    [Screenshot: export_cert.sh opened in Notepad, showing STOREPASS=changeit]

  5. Change STOREPASS to a password of your choice.
    Note: The password must be more than six characters in length.

  6. Copy the export_cert.sh from the local machine to the /var/wi directory on the NetScaler appliance.

    [Screenshot: modified export_cert.sh copied to /var/wi on the NetScaler appliance]

  7. Add the following line to the /nsconfig/rc.netscaler file so that the change persists across appliance restarts:
    cp /var/wi/export_cert.sh /netscaler/wi/export_cert.sh
    Note: This does not mean that you have to restart the NetScaler appliance. The line only ensures that the export_cert.sh file you modified is restored after each reboot.

  8. Run the following command to import the root CA into the Java KeyStore:
    root@netscaler10# /var/wi/java_home/bin/keytool -import -trustcacerts -file $CERTFILE -alias $CERTFILE -keystore /var/wi/java_home/jre/lib/security/cacerts

    For example, if you have a root certificate named company.example-rootCA.cer, run the following command:
    root@netscaler10# /var/wi/java_home/bin/keytool -import -trustcacerts -file /nsconfig/ssl/company.example-rootCA.cer -alias company.example-rootCA -keystore /var/wi/java_home/jre/lib/security/cacerts
    Note: Run this command for the intermediate certificates as well as for the root certificate.

  9. Type the password for the Java KeyStore when prompted.
    The KeyStore displays the certificate information and prompts if it should trust the certificate:

    [Screenshot: keytool displays the certificate details and asks whether to trust the certificate]

  10. Type yes and press Enter.
    A message, “Certificate was added to keystore” appears.

  11. Repeat Steps 8 to 10 for the intermediate certificates.
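The whole procedure from step 2 onward, collected into one script as an added example (this is not part of the Citrix article and not a Citrix-supplied tool). KEYSTORE and KEYTOOL are the paths the article names; the `-noprompt` flag, the alias-from-filename rule, the already-present check and the certificate list are assumptions, and STOREPASS must be the value you set in export_cert.sh in step 5.

```shell
#!/bin/sh
# Added example, not from the Citrix article: back up the Web Interface Java
# KeyStore, import a root CA plus its intermediates, and list what is trusted.
# KEYSTORE/KEYTOOL are the article's paths; everything else is an assumption.
set -eu

KEYSTORE=${KEYSTORE:-/var/wi/java_home/jre/lib/security/cacerts}
KEYTOOL=${KEYTOOL:-/var/wi/java_home/bin/keytool}
STOREPASS=${STOREPASS:-changeit}   # default in export_cert.sh; change it as in step 5

# The article's rule for the store password: more than six characters.
check_storepass() {
  [ "${#1}" -gt 6 ]
}

# Derive the keytool alias from the file name, as the article's example does:
#   /nsconfig/ssl/company.example-rootCA.cer -> company.example-rootCA
alias_for() {
  base=${1##*/}
  printf '%s\n' "${base%.*}"
}

# Step 2: keep a copy of the store beside the original before touching it.
backup_keystore() {
  cp "$1" "$1.bak"
}

# Steps 8-10 for one certificate. -noprompt answers the "Trust this
# certificate?" question with yes so the import runs unattended. An alias
# that is already in the store is skipped instead of failing the whole run.
import_cert() {
  cert=$1
  ca_alias=$(alias_for "$cert")
  if "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
       -alias "$ca_alias" >/dev/null 2>&1; then
    echo "alias '$ca_alias' already in keystore, skipping $cert"
    return 0
  fi
  "$KEYTOOL" -import -trustcacerts -noprompt -file "$cert" -alias "$ca_alias" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 11: repeat the import for every CA file given (root first, then intermediates),
# then show the trusted entries so the chain can be checked after the run.
import_chain() {
  check_storepass "$STOREPASS" || { echo "STOREPASS must be more than six characters" >&2; return 1; }
  backup_keystore "$KEYSTORE"
  for cert in "$@"; do
    import_cert "$cert"
  done
  "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -i trustedCertEntry || echo "no trusted entries listed" >&2
}

# Usage (assumed file names):
#   sh import_ca_chain.sh /nsconfig/ssl/company.example-rootCA.cer /nsconfig/ssl/company.example-intermediateCA.cer
if [ $# -gt 0 ]; then
  import_chain "$@"
fi
```

Run it once with the root certificate first and the intermediates after it; a second run is harmless because aliases that already exist are skipped, which is what makes it safe to re-run after the next server certificate update.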


Problem Cause

The Web Interface site creation tool copies the server certificate and all chain certificates to the Java KeyStore. In certain scenarios, such as updating the server certificate after the initial site creation or a change in the root or intermediate certificate, the Java KeyStore can fall out of synchronization and no longer trust the necessary certificates.

If the Java KeyStore does not trust the callback certificate from the Web Interface, the connection fails. In this scenario, you must update the Java KeyStore.
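To confirm the symptom described here and in the Description (SSL trust errors in /var/wi/tomcat/logs/localhost.date.log) before rebuilding the KeyStore, the following added example scans that log for the standard Java trust-failure messages. It is not part of the Citrix article; the match strings are the usual JSSE/PKIX messages rather than text quoted from the article, and the sample log lines are constructed for an offline run.

```shell
#!/bin/sh
# Added example, not from the Citrix article: count Java trust failures in the
# Web Interface Tomcat log. PATTERNS are standard JSSE/PKIX messages (assumed to
# be the "SSL trust errors" the article refers to); the sample log is constructed.
set -eu

PATTERNS='PKIX path building failed|unable to find valid certification path|SSLHandshakeException'

# count_trust_errors <logfile>: number of log lines matching any pattern
count_trust_errors() {
  grep -Ec "$PATTERNS" "$1" || true
}

# latest_wi_log: newest localhost.<date>.log in the article's log directory
latest_wi_log() {
  ls -t /var/wi/tomcat/logs/localhost.*.log 2>/dev/null | head -n 1
}

# write_sample_log <file>: constructed sample lines, not real NetScaler output
write_sample_log() {
  cat > "$1" <<'EOF'
Jan 10, 2014 9:12:01 AM org.apache.catalina.core.ApplicationContext log
INFO: Web Interface site initialised
Jan 10, 2014 9:12:05 AM org.apache.catalina.core.ApplicationContext log
SEVERE: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Jan 10, 2014 9:12:05 AM org.apache.catalina.core.ApplicationContext log
WARNING: Callback to https://citrix.example.com failed
Jan 10, 2014 9:14:30 AM org.apache.catalina.core.ApplicationContext log
SEVERE: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
EOF
}

# report <logfile>: print the count and what it means for the KeyStore
report() {
  n=$(count_trust_errors "$1")
  if [ "$n" -gt 0 ]; then
    echo "$1: $n trust failure line(s); the Java KeyStore is likely missing the CA chain"
  else
    echo "$1: no trust failures found"
  fi
}

# With a log path as argument, scan it; otherwise scan the constructed sample.
if [ $# -gt 0 ]; then
  report "$1"
else
  tmp=$(mktemp)
  write_sample_log "$tmp"
  echo "no log given, scanning constructed sample"
  report "$tmp"
  rm -f "$tmp"
fi
```

On the appliance, `sh check_wi_trust.sh "$(latest_wi_log)"` (after sourcing the functions, or by passing the path directly) scans the newest localhost log; a non-zero count after a certificate update is the cue to run the Resolution procedure.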

Issue/Introduction

After certificate updates or at random, the Java KeyStore might become corrupt or might be missing a certificate. This article contains information about how to fix this issue.