CTX122521
NetScaler
NetScaler 9_3
Installation/Upgrade
2015-11-10
2005-06-06

Objective

This article describes how to replace the default certificate (ns-server-certificate) of a NetScaler appliance with a trusted Certificate Authority (CA) certificate that matches the hostname of the appliance.

Background

On a new NetScaler appliance shipped from Citrix, the default certificate-key pair ns-server-certificate is added to the appliance when it initializes. However, when you upgrade the software of the appliance, no default certificate-key pair is created. You must add the default certificate-key pair by running the following command from the command prompt of the appliance:
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key

After you add the certificate-key pair, it is automatically bound to the following internal services:

  • nskrpcs-127.0.0.1-3009

  • nshttps-127.0.0.1-443

  • nsrpcs-127.0.0.1-3008

The internal services can be viewed from the Configuration Utility. Navigate to Traffic Management > Load Balancing > Services and click the Internal Services tab, as shown in the following screen shot:

User-added image

The procedure discussed in this article assumes that you have prior knowledge of completing the following tasks:

  • Creating a Private Key

  • Creating a Certificate Signing Request

  • Obtaining a Certificate from a Certificate Authority

Refer to CTX109260 - How to Generate and Install a Public SSL Certificate on a NetScaler Appliance for help on these tasks.


Instructions

To replace the default certificate of the NetScaler appliance with a trusted CA certificate that matches the hostname of the appliance, complete the following procedure:

  1. Run the following command from the command line interface to verify that the default certificate-key pair is added and bound to the internal services:
    > show run | grep ns-server-certificate

     add ssl certKey "ns-server-certificate" -cert "ns-server.cert" -key "ns-server.key"
     bind ssl service "nskrpcs-127.0.0.1-3009" -certkeyName "ns-server-certificate"
     bind ssl service "nshttps-127.0.0.1-443" -certkeyName "ns-server-certificate"
     bind ssl service "nsrpcs-127.0.0.1-3008" -certkeyName "ns-server-certificate"

    Internal services and their bindings can be verified from the NetScaler GUI as well. Click a service and then click Edit, as shown in the following screen shot:

    User-added image

    Go to the Certificates section at the bottom of the page.

    User-added image

    Expand the Client Certificate option. You can see in this case that the ns-server-certificate is bound to nsrpcs-127.0.0.1-3008. Similarly, verify the certificate bound to the other internal services.

     User-added image 
  2. If the output of the preceding command does not display the default certificate, then run the following command to add the default certificate-key pair:
    add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key

    The default certificate-key pair can be added from the NetScaler Configuration Utility as well. Navigate to Traffic Management > SSL > Certificates and click the Install tab, as highlighted in the following screen shot:

    User-added image

    Because ns-server-certificate is not present on the NetScaler appliance, enter ns-server-certificate as the Certificate-Key Pair Name. Then choose ns-server.cert and ns-server.key from the Browse Appliance option and click Install.

    User-added image

    User-added image

    Repeat Step 1 from the Configuration Utility to verify that ns-server-certificate is bound to the internal services.

  3. Run the following command to set the hostname of the NetScaler appliance:
    set ns hostName test.netscaler.com

  4. From the GUI of the NetScaler appliance, complete the following procedure to create a Certificate Signing Request (CSR):

    1. In the Navigation pane, go to Traffic Management and click the SSL node.

    2. In the SSL Certificates section, click the Create Certificate Request link.

      User-added image

    3. Provide values for all the required fields marked with an * and then click Create.
      The following screen shot displays the sample values for the required fields. Notice that the Common Name field has the hostname created in Step 3 as the value for the field.

      User-added image
  5. Submit the CSR file to a trusted CA. The CSR file you have created is available in the /nsconfig/ssl directory.

  6. After receiving the certificate from the trusted CA, copy the file to the /nsconfig/ssl directory.

  7. From the GUI of the NetScaler appliance, navigate to Traffic Management > SSL and choose ns-server-certificate.

  8. Click Update, as shown in the following screen shot:

    User-added image

  9. In the Certificate File Name field, choose the certificate file that you received from the CA. Use the Browse option to choose the signed file that you received from the CA. Choose the Browse > Local option if the file is saved on your workstation/local drive.

  10. In the Private Key File Name field, specify the default private key file name, ns-server.key.

  11. Select the No Domain Check option, as shown in the following screen shot:

    User-added image

  12. Click OK.

Notes:

  • The hostname of the appliance and the common name in the certificate should match.

  • You must install the CA root certificate as a trusted certificate on the client computer. To do so, use the mmc option available on a Windows workstation. Click Start > Run and type mmc.

  • If the appliance is part of a high availability setup, then you must add the CA Root certificate as CA certificate to the internal services.
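
The update pairs the CA-issued certificate with the existing ns-server.key, so the certificate must have been issued for that key, and its common name must equal the appliance hostname. The following pre-flight check is an added example, not part of the original article; it assumes the openssl command line tool is available, and the function names and the issued-certificate file name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before updating ns-server-certificate.
# Assumes the openssl command line tool; function names are hypothetical.

# Print the subject common name (CN) of a PEM certificate, lower-cased.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# preflight CERT KEY HOSTNAME
# Returns 0 when the certificate can replace the default one, otherwise:
#   1 = certificate was not issued for this private key
#   2 = common name does not match the appliance hostname
#   3 = certificate has already expired
#   4 = certificate or key could not be parsed
preflight() {
    cert=$1
    key=$2
    host=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')

    # Public key inside the certificate vs. public key derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    [ -n "$cert_pub" ] || return 4
    [ "$cert_pub" = "$key_pub" ] || return 1

    # Hostname and certificate common name must match (see Notes).
    [ "$(cert_common_name "$cert")" = "$host" ] || return 2

    # -checkend 0 fails if the certificate is expired right now.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Usage: sh preflight.sh /nsconfig/ssl/<issued-cert> /nsconfig/ssl/ns-server.key test.netscaler.com
if [ "$#" -eq 3 ]; then
    rc=0
    preflight "$1" "$2" "$3" || rc=$?
    echo "preflight result: $rc"
fi
```

A result of 1 usually means the CSR was generated with a different key than ns-server.key.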

