NetScaler: Securing HA Management IPs and FQDN with SAN Certificates

Article ID: CTX692926

Description

Securing Management IP and FQDN for High Availability Citrix ADCs with SAN Certificates

Ensuring the secure management of your Citrix Application Delivery Controllers (ADCs) in a High Availability (HA) setup is crucial for maintaining the integrity and confidentiality of your infrastructure. This article outlines the steps to secure both the management IP addresses and the Fully Qualified Domain Name (FQDN) of your HA ADCs using a Subject Alternative Name (SAN) certificate. This approach allows you to manage both ADC nodes securely using a single certificate, simplifying management and enhancing security.

The Need for SAN Certificates in HA ADC Deployments

In an HA configuration, two ADC nodes work in tandem. You access the management interface of each node individually through its own management IP address (NSIP), and you likely also have a single FQDN, resolving to the virtual IP address (VIP), that users connect to. A certificate issued for a single name matches only one of these identities, so browsers warn of a certificate mismatch when you reach the management interfaces by IP address or by FQDN; a SAN certificate is the ideal solution.

A SAN certificate allows you to include multiple domain names, IP addresses, or other identifiers within a single certificate. This means you can secure both the individual management IPs and the common FQDN of your HA pair with one certificate.


Instructions

Steps to Secure Management IP and FQDN using a SAN Certificate

Follow these steps to generate and install a SAN certificate for your HA Citrix ADC environment:

1. Create an RSA Key:

On one of your ADC nodes (the configuration is propagated to the peer later), generate an RSA private key. Use the following command in the Citrix ADC command-line interface (CLI):

create ssl rsakey <keyFile> <bits>

  • <keyFile>: A descriptive file name for the key (e.g., ha_mgmt_san_key.pem). The file is written to /nsconfig/ssl/ on the appliance.
  • <bits>: The key size in bits (e.g., 2048). A key size of 2048 bits or higher is recommended for security.

Example:

create ssl rsakey ha_mgmt_san_key.pem 2048

2. Create a Certificate Signing Request (CSR) with SAN:

Next, create a Certificate Signing Request (CSR). The CSR carries your organization's details plus the SAN entries for your management IPs and FQDN. Use the following command:

create ssl certreq <reqFile> -keyFile <keyFile> -countryName <countryCode> -stateName <state> -localityName <city> -organizationName <orgName> -commonName "*.<domain-name>" -subjectAltName "DNS:*.<domain-name> IP:<primary-ip> IP:<secondary-ip>"

  • <reqFile>: A descriptive file name for the CSR (e.g., ha_mgmt_san.csr). It is written to /nsconfig/ssl/.
  • -keyFile <keyFile>: The RSA key file you created in the previous step (e.g., ha_mgmt_san_key.pem).
  • -countryName <countryCode>: Your two-letter country code (e.g., IN).
  • -stateName <state>: Your state or province (e.g., Maharashtra).
  • -localityName <city>: Your city.
  • -organizationName <orgName>: Your organization name.
  • -commonName "*.<domain-name>": The common name should typically be a wildcard FQDN covering your domain (e.g., *.example.com).
  • -subjectAltName "DNS:*.<domain-name> IP:<primary-ip> IP:<secondary-ip>": The SAN list, which is the crucial part of this certificate. In the NetScaler CLI the entries are separated by spaces and the whole list is quoted. Browsers match an IP address only against an IP: SAN entry, so the wildcard DNS name on its own does not cover the management IPs.
    • DNS:*.<domain-name>: Include the wildcard DNS name again as a SAN entry.
    • IP:<primary-ip>: Replace <primary-ip> with the management IP address (NSIP) of your primary ADC node (e.g., IP:10.110.2.1).
    • IP:<secondary-ip>: Replace <secondary-ip> with the management IP address (NSIP) of your secondary ADC node (e.g., IP:10.110.2.2).

Example:

create ssl certreq ha_mgmt_san.csr -keyFile ha_mgmt_san_key.pem -countryName IN -stateName Maharashtra -localityName Mumbai -organizationName "Your Company" -commonName "*.example.com" -subjectAltName "DNS:*.example.com IP:10.110.2.1 IP:10.110.2.2"

3. Get the Certificate Signed by a Certificate Authority (CA):

Once the CSR is created (it is stored in /nsconfig/ssl/ on the appliance), download it and submit it to a trusted Certificate Authority (CA) for signing. The CA verifies your organization's details and issues a signed certificate based on the information in the CSR. Note that public CAs do not issue certificates for private (RFC 1918) addresses such as 10.110.2.1, so a CSR containing internal management IPs is normally signed by your organization's internal CA, whose root certificate is trusted by the administrators' browsers.

4. Install the Certificate on Both ADC Nodes and Bind to Internal Service Port 443:

After receiving the signed certificate from the CA, you need to install it on both your primary and secondary ADC nodes.

On the Primary ADC:

  • Install the Certificate: Copy the signed certificate file to /nsconfig/ssl/ on the primary node, then create a certificate-key pair with the following command:

    add ssl certKey <certkeyName> -cert <certFile> -key <keyFile> -inform PEM
    
    • <certkeyName>: The name under which the certificate-key pair is referenced in the configuration (e.g., ha_mgmt_san).
    • <certFile>: The path to the signed certificate file.
    • <keyFile>: The path to the private key file you created earlier.

    Example:

    add ssl certKey ha_mgmt_san -cert /nsconfig/ssl/ha_mgmt_san.crt -key /nsconfig/ssl/ha_mgmt_san_key.pem -inform PEM
    
  • Bind the Certificate to the Internal Service: Bind the newly installed certificate-key pair to the internal HTTPS management service on port 443. This secures the management interface. Bind the IPv6 loopback service as well if you manage the appliance over IPv6.

    bind ssl service nshttps-127.0.0.1-443 -certkeyName <certkeyName>
    bind ssl service nshttps-::1l-443 -certkeyName <certkeyName>
    
    • <certkeyName>: The name you gave to the certificate-key pair (e.g., ha_mgmt_san).

    Example:

    bind ssl service nshttps-127.0.0.1-443 -certkeyName ha_mgmt_san
    bind ssl service nshttps-::1l-443 -certkeyName ha_mgmt_san
    

On the Secondary ADC:

To ensure both nodes have the same configuration, you can either:

  • Sync the Configuration: If HA synchronization is properly configured, the add and bind commands run on the primary node are propagated to the secondary node automatically. They succeed on the secondary only if the certificate and key files are already present in /nsconfig/ssl/ there, so make sure SSL file synchronization has taken place (for example with sync HA files ssl) before running the commands on the primary.
  • Manually Install and Bind: If synchronization is not enabled, or you prefer manual steps, copy the same certificate and key files to /nsconfig/ssl/ on the secondary ADC and repeat the installation and binding commands (steps 4a and 4b) there.
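Before adding the CA-issued certificate on the HA pair, it is worth confirming that it actually carries both management IPs and the wildcard name, since a CA may issue the certificate without the IP entries. The following shell script is an added example and is not part of this Citrix article or the NetScaler CLI: it uses openssl to build a constructed self-signed stand-in with the article's example SAN list (10.110.2.1, 10.110.2.2, *.example.com) and then validates it against each identity the way a TLS client would. The hostname ns01.example.com is an assumed management FQDN. In practice, point CERT at the file returned by your CA and pass the CA's bundle to -CAfile instead of the certificate itself.

```shell
#!/bin/sh
# Added example (not from the Citrix article): verify that a certificate
# carries every identity the HA pair's management interfaces are reached by.
# Requires only openssl (1.1.1 or newer for -addext / -ext).
set -eu

WORKDIR="${TMPDIR:-/tmp}/ha_san_check.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Build a self-signed stand-in for the CA-issued certificate (constructed test
# data) with the article's example SAN list. Note that openssl's SAN syntax is
# comma-separated, unlike the space-separated list the NetScaler CLI expects.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ha_mgmt_san_key.pem" -out "$WORKDIR/ha_mgmt_san.crt" \
        -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Your Company/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com,IP:10.110.2.1,IP:10.110.2.2" \
        >/dev/null 2>&1
    echo "$WORKDIR/ha_mgmt_san.crt"
}

# Print the SAN extension of a certificate on one line, e.g.
# "DNS:*.example.com, IP Address:10.110.2.1, IP Address:10.110.2.2".
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2,$p' | sed 's/^[[:space:]]*//'
}

# Ask openssl to validate the certificate against an IP address exactly as a
# TLS client would: only an IP: SAN entry matches, never the CN or a wildcard.
# The certificate is used as its own trust anchor because the stand-in is
# self-signed; with a CA-issued certificate pass the CA bundle to -CAfile.
cert_covers_ip() {    # $1 = cert file, $2 = IP address
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Same check for a DNS name; a wildcard SAN entry matches one label.
cert_covers_host() {  # $1 = cert file, $2 = hostname
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Check one certificate against both NSIPs and the management FQDN.
# Prints each missing identity and returns non-zero if any is missing.
check_ha_cert() {     # $1 = cert file, $2 = primary NSIP, $3 = secondary NSIP, $4 = FQDN
    rc=0
    for ip in "$2" "$3"; do
        cert_covers_ip "$1" "$ip" || { echo "MISSING: IP:$ip is not in the SAN list"; rc=1; }
    done
    cert_covers_host "$1" "$4" || { echo "MISSING: $4 is not covered by a DNS SAN entry"; rc=1; }
    return $rc
}

# Stand-alone run: replace CERT with the file returned by your CA.
CERT=$(make_test_cert)
echo "SAN: $(cert_sans "$CERT")"
if check_ha_cert "$CERT" 10.110.2.1 10.110.2.2 ns01.example.com; then
    echo "OK: certificate covers both NSIPs and the FQDN; safe to add ssl certKey"
fi
```

The checks deliberately go through openssl verify rather than grepping the SAN text, so they exercise the same matching rules a browser applies: an address such as 10.110.2.3 or the bare name example.com is rejected even though a wildcard is present, which is exactly the mismatch a single-name certificate would produce on one of the two nodes.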