How to Create and Use Client Certificates on NetScaler Appliance with Firmware 10.1 and Above

How to Create and Use Client Certificates on NetScaler Appliance with Firmware 10.1 and Above

book

Article ID: CTX214874

calendar_today

Updated On:

Description

This article describes the procedure to create and use the Citrix NetScaler client certificates.

Requirements

  • NetScaler software release 10.1 and above

  • NetScaler hardware appliance or a NetScaler VPX

  • A client workstation, such as Microsoft Windows XP SP2

Background

The NetScaler software consists of an SSL tools suite that enables you to generate private keys, certificate requests, and certificates. In addition, this suite can be used to create Certificate Authorities or use the pre-installed NetScaler Root Authority and create server certificates and client certificates. By default, the certificate and key files are stored in the /nsconfig/ssl directory.

The FreeBSD environment of the appliance also consists of a version of OpenSSL for advanced certificate and key administration.

The use of private certificates can cause third-party software/operating systems with built-in certificate stores to fail and operate as expected with known trusted root certificate authorities.

The Internet Explorer Web Interface must do a callback over SSL to NetScaler Gateway VPN virtual servers in Smart Access Mode and if the NetScaler root CA is not installed in the system accounts trusted root CA store, the callback fails.

Warning!

  • The use of private certificates can cause third-party software/operating systems with built-in certificate stores to fail and operate as expected with known trusted root certificate authorities.

  • The Internet Explorer Web Interface must do a callback over SSL to NetScaler Gateway VPN virtual servers in Smart Access Mode and if the NetScaler root CA is not installed in the system accounts trusted root CA store, the callback fails.

Instructions

To create and use the Citrix NetScaler client certificates, complete the following procedures:

Adding a Certificate-Key Pair

To add the NS-Root-CA certificate-key pair on the NetScaler appliance, complete the following procedure:

  1. Under Traffic Management, expand the SSL Tab and click Certificates.

  2. On the Certificates page click Install and you will see the Install Certificate page.

    User-added image                  

  3. While selecting the existing certificates click on the drop-down arrow besides the Browse button and select Appliance.  

    User-added image                                                                                                                                 

  4. Now select the appropriate certificates from your preferred location and click Install.       

    User-added image                                                                                                                                                                                                                            

Binding a Certificate-Key Pair to a Virtual Server

To bind the NS-ROOT-CA certificate-key pair to a virtual server as a CA certificate and enforce client certificate authentication, complete the following procedure:

  1. Under Traffic Management expand the Load Balancing Tab and select Virtual Servers.

  2. Click Add and fill in the IP, Port and Protocol details and click OK.

  3. Bind the services to this load balancing virtual server and click Continue.

  4. You will now see the Certificates option and you can add the certificates as CA and Server certificate.   

    User-added image                                     

  5. Click on each of the Certificates tab and bind the NS-Root-CA certificate.  

    User-added image

  6. After binding the certs click on OK and now you will see SSL Parameters options. Click on the Edit option. User-added image                                                                     

  7. Enable Client Authentication and select the Mandatory option from the drop down menu.Click Ok.        

    User-added image                                                                 

Creating and Installing the Client Certificates

To create and install the client certificates by using the NetScaler CA tools and the root CA certificate you have created, complete the following procedure:
  1. Expand SSL node and click on 'Create RSA Key'.
  2. The Create RSA Key dialog box is displayed, as shown in the following screen shot. Specify the appropriate values for the various fields.

    Note: The screen shot displays the sample values for your reference.                                                                                                                                                                                                                                                                                                                           User-added image

  3. Click Create.

  4. Click the Create Certificate Signing Request link. The Create Certificate Signing Request dialog box is displayed. Specify appropriate values for the various fields. The screen shot displays the sample values for your reference. Ensure to select the PEM key format. This enables you to export the certificate request to a PKCS12 file.        

    User-added image                                                                                                                                                                                                                         

  5. Click Create.

  6. Again in SSL page click on Certificate and open the Create Certificate page. Fill in appropriate details.      

    User-added image                                                                                                                                                                                                                                                          

  7. Click on 'Export PKCS12 file' on the SSL page. Fill in name of the pfx file that you want to export. Click OK.  

    User-added image                                                                                                                                                                                                                                                

  8. Verify if you find this cert on the local computer.
  9. From the Start menu of Microsoft Windows on the local computer, start the Microsoft Management Control.
    User-added image
  10. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
    User-added image

  11. Click Add and select the Certificates snap-in.

    User-added image

  12. The Certificate snap-in wizard verifies the user managing certificates. Ensure that you select current user.

    User-added image

  13. When the snap-in starts, right-click Personal.

  14. From the All Actions menu, select Import.

  15. In the Certificate Import Wizard, click Next.

    User-added image

  16. Click Browse to locate and select the appropriate .pfx file and click Next.

    User-added image

  17. In the Password section, type the password you had used to create the pfx file and click Next.

    User-added image

  18. In the Certificate Store section, ensure that Personal is selected in Certificate store: field.

    User-added image

  19. Verify if the client certificate is added to MMC Certificates Snap-In under the Personal store.

    User-added image
  20. When the user accesses the VIP of the SSL virtual server by using the Internet Explorer browser, the Choose a digital certificate dialog box is displayed. The dialog box lists the certificate you have created.

    User-added image

User-added image

Issue/Introduction

This article describes the procedure to create and use the Citrix NetScaler client certificates.

Additional Information

CTX116431 - How to Create and Use Client Certificates on NetScaler Appliance with Firmware 10.0

Powered by Wolken Software