Create and Use SSL Certificates on a Citrix ADC Appliance
Perform the following steps to create a certificate and bind it to an SSL virtual server.
- Create a private key.
- Create a certificate signing request (CSR).
- Submit the CSR to a CA.
- Create a certificate-key pair.
- Bind the certificate-key pair to an SSL virtual server.
The following diagram illustrates the end-to-end flow.
Create a private key
The private key is the most sensitive part of a certificate-key pair. It must never be shared and must be stored securely on the Citrix ADC appliance. Data encrypted with the public key can be decrypted only with the corresponding private key, which is what lets the appliance prove during the SSL handshake that it owns the certificate.
The certificate that you receive from the CA is valid only with the private key that was used to create the CSR. The key is required for adding the certificate to the Citrix ADC appliance.
Important:
Limit access to your private key. Anyone who obtains it can impersonate the server and, for sessions negotiated with RSA key exchange rather than an ephemeral (forward-secret) exchange, decrypt captured SSL data.
Note:
The maximum length allowed for an SSL key name includes the absolute path when the path is given as part of the key name.
Create an RSA private key by using the CLI
At the command prompt, type:
create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (DER | PEM )] [-des | -des3 | -aes256] {-password } [-pkcs8]
<!--NeedCopy-->
Example:
create ssl rsakey RSA_Key 2048 -aes256 -password 123456 -pkcs8
<!--NeedCopy-->
Create an RSA private key by using the GUI
- Navigate to Traffic Management > SSL.
- In the SSL Keys group, select Create RSA Key.
- Enter values for the following parameters and click Create.
- Key Filename - Name for and, optionally, path to the RSA key file. /nsconfig/ssl/ is the default path.
- Key Size - Size, in bits, of the RSA key. Can range from 512 bits to 4096 bits. Use at least 2048 bits; publicly trusted CAs do not issue certificates for shorter RSA keys.
- Public Exponent Value - Public exponent for the RSA key, 3 or F4 (65537). F4 is the standard choice.
- Key Format - Format (PEM or DER) in which the RSA key file is stored on the appliance.
- PEM Encoding Algorithm - Encrypt the generated RSA key by using the AES 256, DES, or Triple-DES (DES3) algorithm. Choose AES 256; DES and DES3 are legacy ciphers kept for compatibility.
- PEM Passphrase - Optionally enter a pass phrase for the key. Without one, the key is stored unencrypted on the appliance.
Create a certificate signing request
Use the private key to create a certificate signing request (CSR) and submit it to a CA. Select SHA256 as the digest method; SHA1 is retained only for compatibility with legacy CAs.
Create a certificate signing request by using the CLI
At the command prompt, type:
create ssl certreq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-keyForm (DER | PEM) {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName <string> -organizationUnitName <string> -localityName <string> -commonName <string> -emailAddress <string> {-challengePassword } -companyName <string> -digestMethod ( SHA1 | SHA256 )
<!--NeedCopy-->
Example:
create ssl certreq priv_csr_sha256 -keyfile priv_2048_2 -keyform PEM -countryName IN -stateName Karnataka -localityName Bangalore -organizationName Citrix -organizationUnitName NS -digestMethod SHA256
<!--NeedCopy-->
Create a certificate signing request by using the GUI
- Navigate to Traffic Management > SSL.
- In SSL Certificate, click Create Certificate Signing Request (CSR).
- Enter values for the following parameters, and click Create.
- Request Filename - Name for and, optionally, path to the certificate signing request (CSR). /nsconfig/ssl/ is the default path.
- Key Filename - Name of and, optionally, path to the private key used to create the certificate signing request, which then becomes part of the certificate-key pair. The private key can be either an RSA or a DSA key. The key must be present in the appliance's local storage. /nsconfig/ssl is the default path.
- Common Name
- Organization Name
- State
- Country
Submit the CSR to the Certificate Authority
Most certificate authorities (CAs) accept CSR submissions through a web enrollment portal or by email and return the signed certificate to the submitter, usually together with the intermediate CA certificate needed to complete the chain. Before installing the certificate, confirm that its public key matches the private key that was used to create the CSR.
Add a certificate-key pair
Install the signed certificate received from the CA.
Note: Certificates and keys are stored in the /nsconfig/ssl directory by default. If your certificates or keys are stored in any other location, you must provide the absolute path to the files on the Citrix ADC appliance.
Add a certificate-key pair by using the CLI
add ssl certKey <certkeyName> -cert <string>[(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )] [<passplain>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]
show ssl certKey [<certkeyName>]
<!--NeedCopy-->
Example:
add ssl certKey rsa_certkeypair -cert server_cert.pem -key RSA_Key.pem -password ssl -expiryMonitor ENABLED -notificationPeriod 30
Done
<!--NeedCopy-->
Add a certificate-key pair by using the GUI
- Navigate to Traffic Management > SSL > Certificates > Server.
- Enter values for the following parameters and click Install.
- Certificate-Key Pair Name - Name for the certificate and private-key pair.
- Certificate File Name - Signed certificate received from the CA.
- Key File Name - Name of and, optionally, path to the private-key file that is used to form the certificate-key pair.
Bind the certificate-key pair to an SSL virtual server
Important: Link any intermediate certificates to this certificate before binding the certificate to an SSL virtual server. For information about linking certificates, see Create a chain of certificates.
The certificate that is used for processing SSL transactions must be bound to the virtual server that receives the SSL data. If you have multiple virtual servers receiving SSL data, a valid certificate-key pair must be bound to each of them.
Bind an SSL certificate-key pair to a virtual server by using the CLI
At the command prompt, type the following commands to bind an SSL certificate-key pair to a virtual server and verify the configuration. The -CA and -skipCAName options are not used for the server certificate: -CA marks the bound certificate-key pair as a CA certificate used for client certificate authentication, and -skipCAName suppresses that CA's name in the certificate request sent to clients. In the example below, cert2 is bound that way, and the output lists it under "CA Certificate" with "CA_Name Skipped". Check the protocol lines in the output as well: the sample shows SSLv3 and TLSv1.0 enabled and TLSv1.2 disabled, settings to correct with set ssl vserver before the virtual server takes production traffic.
bind ssl vserver <vServerName> -certkeyName <certificate-KeyPairName> [-CA [-skipCAName]]
show ssl vserver <vServerName>
<!--NeedCopy-->
Example:
bind ssl vs vs1 -certkeyName cert2 -CA -skipCAName
Done
sh ssl vs vs1
Advanced SSL configuration for VServer vs1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: cert1 CA Certificate OCSPCheck: Optional CA_Name Sent
2) CertKey Name: cert2 CA Certificate OCSPCheck: Optional CA_Name Skipped
1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done
<!--NeedCopy-->
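A check over the `show ssl vserver` output above, as an added example that is not Citrix code: it parses the protocol, OCSP stapling and HSTS lines and prints one finding per setting that should change before the virtual server takes production traffic. `SAMPLE_PAGE` is the output shown on this page pasted inline so the check runs offline; `SAMPLE_FIXED` is a constructed variant with those settings corrected (on the appliance that is done with the -ssl3, -tls1, -tls12, -ocspStapling and -HSTS parameters of set ssl vserver). The flagged conditions are this example's policy, and TLSv1.3 is not checked because the sample output does not list it.

```shell
#!/bin/sh
# Added example (not Citrix code): audit the protocol, OCSP and HSTS lines of
# "show ssl vserver" output. SAMPLE_PAGE is the output shown on this page;
# SAMPLE_FIXED is a constructed variant with the settings corrected.
set -eu

SAMPLE_PAGE='Advanced SSL configuration for VServer vs1:
DH: DISABLED
Session Reuse: ENABLED Timeout: 120 seconds
SNI: DISABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: DISABLED TLSv1.2: DISABLED
ECC Curve: P_256, P_384, P_224, P_521'

SAMPLE_FIXED='Advanced SSL configuration for VServer vs1:
OCSP Stapling: ENABLED
HSTS: ENABLED
HSTS Max-Age: 31536000
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED'

# State (ENABLED/DISABLED) of one protocol token on the "SSLv2: ... TLSv1.2: ..." line.
proto_state() {   # proto_state <show-output> <protocol>
  printf '%s\n' "$1" | awk -v k="$2:" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i+1); exit } }'
}

# Value of a "Label: VALUE" line; the colon keeps "HSTS" from matching "HSTS Max-Age".
setting() {   # setting <show-output> <label>
  printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# One finding per line; empty output means the virtual server passes this policy.
audit_ssl_vserver() {   # audit_ssl_vserver <show-output>
  for p in SSLv2 SSLv3 TLSv1.0 TLSv1.1; do
    [ "$(proto_state "$1" "$p")" != "ENABLED" ] || echo "legacy protocol enabled: $p"
  done
  [ "$(proto_state "$1" TLSv1.2)" = "ENABLED" ] || echo "TLSv1.2 not enabled"
  [ "$(setting "$1" "OCSP Stapling")" = "ENABLED" ] || echo "OCSP stapling disabled"
  [ "$(setting "$1" HSTS)" = "ENABLED" ] || echo "HSTS disabled"
  return 0
}

# Number of findings as a single integer ("0" when the output is clean).
finding_count() {   # finding_count <show-output>
  audit_ssl_vserver "$1" | grep -c . || true
}

echo "== page sample =="
audit_ssl_vserver "$SAMPLE_PAGE"
echo "== corrected sample =="
audit_ssl_vserver "$SAMPLE_FIXED"
```

Run against the page's sample the audit reports five findings (SSLv3 and TLSv1.0 enabled, TLSv1.2 not enabled, OCSP stapling and HSTS disabled); against the corrected sample it reports none. The same functions work on real output captured with `show ssl vserver <name>` piped into a file.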
Bind an SSL certificate-key pair to a virtual server by using the GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers and open an SSL virtual server. Click inside the Certificate section.
- Click the arrow to select the certificate-key pair.
- Select the certificate-key pair from the list.
- Bind the certificate-key pair to the virtual server.