SSL FAQs

Basic questions

HTTPS access to the GUI fails on a VPX instance. How do I gain access?

A certificate-key pair is required for HTTPS access to the GUI. On a NetScaler appliance, a certificate-key pair is automatically bound to the internal services. On an MPX or SDX appliance, the default key size is 1024 bytes, and on a VPX instance, the default key size is 512 bytes. However, most browsers today do not accept a key that is less than 1024 bytes. As a result, HTTPS access to the VPX configuration utility is blocked.

Citrix recommends that you install a certificate-key pair of at least 1024 bytes and bind it to the internal service for HTTPS access to the configuration utility. Alternatively, update the ns-server-certificate to 1024 bytes. You can use HTTP access to the configuration utility or the CLI to install the certificate.

If I add a license to an MPX appliance, the certificate-key pair binding is lost. How do I resolve this problem?

If a license is not present on an MPX appliance when it starts, and you add a license later and restart the appliance, you might lose the certificate binding. Reinstall the certificate and bind it to the internal service.

Citrix recommends that you install an appropriate license before starting the appliance.

What are the various steps involved in setting up a secure channel for an SSL transaction?

Setting up a secure channel for an SSL transaction involves the following steps:

  1. The client sends an HTTPS request for a secure channel to the server.

  2. After selecting the protocol and cipher, the server sends its certificate to the client.

  3. The client checks the authenticity of the server certificate.

  4. If any of the checks fail, the client displays the corresponding feedback.

  5. If the checks pass or the client decides to continue even if a check fails, the client creates a temporary, disposable key. This key is called the pre-master secret and the client encrypts this key by using the public key of the server certificate.

  6. The server, upon receiving the pre-master secret, decrypts it by using the server’s private key and generates the session keys. The client also generates the session keys from the pre-master secret. Thus both client and server now have a common session key, which is used for encryption and decryption of application data.

I understand that SSL is a CPU-intensive process. What is the CPU cost associated with the SSL process?

The following two stages are associated with the SSL process:

  • The initial handshake and secure channel setup by using the public and private key technology.

  • Bulk data encryption by using the symmetric key technology.

Both of the preceding stages can affect server performance, and they require intensive CPU processing for the following reasons:

  1. The initial handshake involves public-private key cryptography, which is very CPU intensive because of large key sizes (1024 bit, 2048 bit, 4096 bit).

  2. Encryption/decryption of data is also computationally expensive, depending on the amount of data that must be encrypted or decrypted.

What are the various entities of an SSL configuration?

An SSL configuration has the following entities:

  • Server certificate
  • Certificate Authority (CA) certificate
  • Cipher suite that specifies the protocols for the following tasks:
    • Initial key exchange
    • Server and client authentication
    • Bulk encryption algorithm
    • Message authentication
  • Client authentication
  • CRL
  • SSL Certificate Key Generation Tool that enables you to create the following files:
    • Certificate request
    • Self-signed certificate
    • RSA keys
    • DH parameters

I want to use the SSL offloading feature of the NetScaler appliance. What are the various options for receiving an SSL certificate?

You must receive an SSL certificate before you can configure the SSL setup on the NetScaler appliance. You can use any of the following methods to receive an SSL certificate:

  • Request a certificate from an authorized certificate authority (CA).

  • Use the existing server certificate.

  • Create a certificate-key pair on the NetScaler appliance.

Note: This certificate is a test certificate signed by the test Root-CA generated by the NetScaler appliance. Test certificates signed by the test Root-CA are not accepted by browsers. The browser throws a warning message stating that the server’s certificate cannot be authenticated.

  • For anything other than test purposes, you must provide a valid CA certificate and CA key to sign the server certificate.

What are the minimum requirements for an SSL setup?

The minimum requirements for configuring an SSL setup are as follows:

  • Obtain the certificates and keys.
  • Create a load balancing SSL virtual server.
  • Bind HTTP or SSL services to the SSL virtual server.
  • Bind a certificate-key pair to the SSL virtual server.

What are the limits for the various components of SSL?

SSL components have the following limits:

  • Bit size of SSL certificates: 4096.
  • Number of SSL certificates: Depends on the available memory on the appliance.
  • Maximum linked intermediate CA SSL certificates: 9 per chain.
  • CRL revocations: Depends on the available memory on the appliance.

What are the various steps involved in the end-to-end data encryption on a NetScaler appliance?

The steps involved in the server-side encryption process on a NetScaler appliance are as follows:

  1. The client connects to the SSL VIP configured on the NetScaler appliance at the secure site.

  2. After receiving the secure request, the appliance decrypts the request and applies layer 4–7 content switching techniques and load balancing policies. Then, it selects the best available back-end web server for the request.

  3. The NetScaler appliance creates an SSL session with the selected server.

  4. After establishing the SSL session, the appliance encrypts the client request and sends it to the Web server by using the secure SSL session.

  5. When the appliance receives the encrypted response from the server, it decrypts and re-encrypts the data. Then, it sends the data to the client by using the client side SSL session.

The multiplexing technique of the NetScaler appliance enables the appliance to reuse SSL sessions that have been established with the Web servers. Therefore, the appliance avoids the CPU-intensive key exchange, known as a full handshake. This process reduces the overall number of SSL sessions on the server and maintains end-to-end security.

Certificates and Keys

You can store the certificate and key files on the NetScaler appliance or a local computer. However, Citrix recommends that you store the certificate and key files in the /nsconfig/ssl directory of the NetScaler appliance. The /etc directory exists in the flash memory of the NetScaler appliance. This action provides portability and facilitates backup and restoration of the certificate files on the appliance.

Note: Make sure that the certificate and the key files are stored in the same directory.

What is the maximum size of the certificate key supported on the NetScaler appliance?

A NetScaler appliance running a software release earlier than release 9.0 supports a maximum certificate key size of 2048 bits. Release 9.0 and later support a maximum certificate key size of 4096 bits. This limit is applicable to RSA certificates.

An MPX appliance supports certificates from 512 bits up to the following sizes:

  • 4096-bit server certificate on the virtual server

  • 4096-bit client certificate on the service

  • 4096-bit CA certificate (includes intermediate and root certificates)

  • 4096-bit certificate on the back end server

  • 4096-bit client certificate (if client authentication is enabled on the virtual server)

A virtual appliance supports certificates from 512 bits up to the following sizes:

  • 4096-bit server certificate on the virtual server

  • 4096-bit client certificate on the service

  • 4096-bit CA certificate (includes intermediate and root certificates)

  • 4096-bit certificate on the back end server

  • 2048-bit client certificate (if client authentication is enabled on the virtual server)

What is the maximum size of the DH parameter supported on the NetScaler appliance?

The NetScaler appliance supports a DH parameter of at most 2048 bits. Starting from release 14.1-25.x, the maximum is increased to 4096 bits.

Note: For Cavium platforms, the maximum limit is 2048 bits.

What is the maximum certificate-chain length, that is, the maximum number of certificates in a chain, supported on a NetScaler appliance?

A NetScaler appliance can send a maximum of 10 certificates in a chain when sending a server certificate message. A chain of the maximum length includes the server certificate and nine intermediate CA certificates.

What are the various certificate and key formats supported on the NetScaler appliance?

The NetScaler appliance supports the following certificate and key formats:

  • Privacy Enhanced Mail (PEM)
  • Distinguished Encoding Rule (DER)

Is there a limit for the number of certificates and keys that I can install on the NetScaler appliance?

No. The number of certificates and keys that can be installed is limited only by the available memory on the NetScaler appliance.

I have saved the certificate and key files on the local computer. I want to transfer these files to the NetScaler appliance by using the FTP protocol. Is there any preferred mode for transferring these files to the NetScaler appliance?

Yes. If using the FTP protocol, you must use binary mode to transfer the certificate and key files to the NetScaler appliance.

Note: By default, FTP is disabled. Citrix recommends using the SCP protocol for transferring certificate and key files. The configuration utility implicitly uses SCP to connect to the appliance.

What is the default directory path for the certificate and key?

The default directory path for the certificate and key is ‘/nsconfig/ssl’.

When adding a certificate and key pair, what happens if I do not specify an absolute path to the certificate and key files?

When adding a certificate-key pair, specify an absolute path to the certificate and key files. If you do not, the appliance searches the default directory, /nsconfig/ssl, for these files and attempts to load them into the kernel. For example, if the cert1024.pem and rsa1024.pem files are in the /nsconfig/ssl directory of the appliance, both of the following commands succeed:

add ssl certKey cert1 -cert cert1024.pem -key rsa1024.pem
add ssl certKey cert1 -cert /nsconfig/ssl/cert1024.pem -key /nsconfig/ssl/rsa1024.pem

I have configured a high availability setup. I want to implement the SSL feature on the setup. How must I handle the certificate and key files in a high availability setup?

In a high availability setup, you must store the certificate and key files on both the primary and the secondary NetScaler appliance. The directory path for the certificate and key files must be the same on both appliances before you add an SSL certificate-key pair on the primary appliance.

nCipher nShield® HSM

When integrating with nCipher nShield® HSM, do we have to keep in mind any specific configuration when adding the NetScaler appliance to HA?

Configure the same nCipher devices on both the nodes in HA. nCipher configuration commands don’t synchronize in HA. For information about the prerequisites for nCipher nShield® HSM, see Prerequisites.

Do we have to individually integrate both the appliances with nCipher nShield® HSM and RFS? Do we need to complete this action before or after the HA setup?

You can complete the integration before or after the HA setup. If the integration is done after the HA setup, the keys imported on the primary node before configuring the secondary node are not synced to the secondary node. Therefore, Citrix recommends nCipher integration before the HA setup.

Do we need to import the key into both the primary and secondary NetScaler appliances, or are the keys synchronized from the primary node to the secondary node?

If nCipher is integrated on both devices before forming the HA, the keys are automatically synchronized from RFS in the process of integration.

Given that the HSM is not on the NetScaler appliance, but on nCipher, what happens to the keys and certificates when a node fails and is replaced?

If a node fails, you can synchronize the keys and certificates to the new node, by integrating nCipher on the new node. Then, run the following commands:

sync ha files ssl
force ha sync

The certificates are synchronized and added if the keys are synchronized in the process of integrating nCipher.

Ciphers

What is a NULL-Cipher?

Ciphers with no encryption are known as NULL-Ciphers. For example, NULL-MD5 is a NULL-Cipher.

Are the NULL-Ciphers enabled by default for an SSL VIP or an SSL service?

No. NULL-Ciphers are not enabled by default for an SSL VIP or an SSL service.

What is the procedure to remove NULL-Ciphers?

To remove the NULL-Ciphers from an SSL VIP, run the following command:

bind ssl cipher <SSL_VIP> REM NULL

To remove the NULL-Ciphers from an SSL Service, run the following command:

bind ssl cipher <SSL_Service> REM NULL -service

What are the various cipher aliases supported on the NetScaler appliance?

To list the cipher aliases supported on the appliance, at the command prompt, type:

sh cipher

What is the command to display all the predefined ciphers of the NetScaler appliance?

To display all the predefined ciphers of the NetScaler appliance, at the CLI, type:

show ssl cipher

What is the command to display the details of an individual cipher of the NetScaler appliance?

To display the details of an individual cipher of the NetScaler appliance, at the CLI, type:

show ssl cipher <Cipher_Name/Cipher_Alias_Name/Cipher_Group_Name>

Example:

show cipher SSL3-RC4-SHA
    1) Cipher Name: SSL3-RC4-SHA
       Description: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
 Done

What is the significance of adding the predefined ciphers of the NetScaler appliance?

Adding the predefined ciphers of the NetScaler appliance causes the NULL-Ciphers to get added to an SSL VIP or an SSL service.

Is it possible to change the cipher’s order without unbinding them from a cipher group on a NetScaler appliance?

Yes. You can change the order of the ciphers without unbinding them from a custom cipher group. However, you cannot change the priority in built-in cipher groups. To change the priority of a cipher bound to an SSL entity, first unbind the cipher from the virtual server, service, or service group.

Note: If the cipher group bound to an SSL entity is empty, the SSL handshake fails because there is no negotiated cipher. The cipher group must contain at least one cipher.

Is ECDSA supported on the NetScaler appliance?

ECDSA is supported on the following NetScaler platforms. For details of supported builds, see Table 1 and Table 2 in Ciphers available on the NetScaler appliances.

  • NetScaler MPX and SDX appliances with N3 chips
  • NetScaler MPX 5900/8900/15000/26000
  • NetScaler SDX 8900/15000
  • NetScaler VPX appliances

Does the NetScaler VPX appliance support AES-GCM/SHA2 ciphers on the front-end?

Yes, AES-GCM/SHA2 ciphers are supported on the NetScaler VPX appliance. For details about the supported builds, see Ciphers available on the NetScaler appliances.

Certificates

Is the distinguished name in a client certificate available for the length of the user session?

Yes. You can access the distinguished name of the client certificate in subsequent requests for the length of the user session, that is, even after the SSL handshake is complete and the browser no longer sends the certificate. Use a variable and an assignment as in the following sample configuration:

Example:

add ns variable v2 -type "text(100)"
add ns assignment a1 -variable "$v2" -set "CLIENT.SSL.CLIENT_CERT.SUBJECT.TYPECAST_NVLIST_T('=','/').VALUE(\"CN\")"
add rewrite action act1 insert_http_header subject "$v2"   // example: inserts the distinguished name in the header
add rewrite policy pol1 true a1
add rewrite policy pol2 true act1
bind rewrite global pol1 1 next -type RES_DEFAULT
bind rewrite global pol2 2 next -type RES_DEFAULT
set rewrite param -undefAction RESET

Why do I need to bind the server certificate?

Binding the server certificates is the basic requirement for enabling the SSL configuration to process SSL transactions.

To bind the server certificate to an SSL VIP, at the CLI, type:

bind ssl vserver <vServerName> -certkeyName <cert_name>

To bind the server certificate to an SSL service, at the CLI, type:

bind ssl service <serviceName> -certkeyName <cert_name>

How many certificates can I bind to an SSL VIP or an SSL service?

On a NetScaler VPX, MPX/SDX (N3), and MPX/SDX 14000 FIPS appliance, you can bind two certificates to an SSL virtual server or an SSL service if SNI is disabled. The certificates must be one each of type RSA and ECDSA. If SNI is enabled, you can bind multiple server certificates of type RSA or ECDSA. On a NetScaler MPX (N2) or MPX 9700 FIPS appliance, if SNI is disabled, you can bind only one certificate of type RSA. If SNI is enabled, you can bind multiple server certificates of type RSA only.

What happens if I unbind or overwrite a server certificate?

When you unbind or overwrite a server certificate, all the connections and SSL sessions created by using the existing certificate are terminated. When you overwrite an existing certificate, the following message appears:

ERROR:
Warning: Current certificate replaces the previous binding.

See the article at http://support.citrix.com/article/ctx114146 for information about installing an intermediate certificate.

Why am I getting a “resource already exists” error when I try to install a certificate on the NetScaler?

See the article at http://support.citrix.com/article/CTX117284 for instructions for resolving the “resource already exists” error.

I want to create a server certificate on a NetScaler appliance to test and evaluate the product. What is the procedure to create a server certificate?

Perform the following procedure to create a test certificate.

Note: A certificate created with this procedure cannot be used to authenticate all the users and browsers. After using the certificate for testing, you must obtain a server certificate signed by an authorized Root certificate authority.

To create a self-signed server certificate:

  1. To create a Root CA certificate, at the CLI, type:

    create ssl rsakey /nsconfig/ssl/test-ca.key 1024

    create ssl certreq /nsconfig/ssl/test-ca.csr -keyfile /nsconfig/ssl/test-ca.key

    Enter the required information when prompted, and then type the following command:

    create ssl cert /nsconfig/ssl/test-ca.cer /nsconfig/ssl/test-ca.csr ROOT_CERT -keyfile /nsconfig/ssl/test-ca.key

  2. Perform the following procedure to create a server certificate and sign it with the root CA certificate that you just created.

    1. To create the request and the key, at the CLI, type:

      create ssl rsakey /nsconfig/ssl/test-server.key 1024

      create ssl certreq /nsconfig/ssl/test-server.csr -keyfile /nsconfig/ssl/test-server.key

    2. Enter the required information when prompted.

    3. To create a serial-number file, at the CLI, type:

      shell
      # echo '01' > /nsconfig/ssl/serial.txt
      # exit

    4. To create a server certificate signed by the root CA certificate created in step 1, at the CLI, type:

      create ssl cert /nsconfig/ssl/test-server.cer /nsconfig/ssl/test-server.csr SRVR_CERT -CAcert /nsconfig/ssl/test-ca.cer -CAkey /nsconfig/ssl/test-ca.key -CAserial /nsconfig/ssl/serial.txt

    5. To create a NetScaler cert-key pair, which is the in-memory object that holds the server certificate information for SSL handshakes and bulk encryption, at the CLI, type:

      add ssl certkey test-certkey -cert /nsconfig/ssl/test-server.cer -key /nsconfig/ssl/test-server.key

    6. To bind the cert-key pair to the SSL virtual server, at the CLI, type:

      bind ssl vserver <vServerName> -certkeyName <cert_name>

I have received a NetScaler appliance on which NetScaler software release 9.0 is installed. I have noticed an extra license file on the appliance. Is there any change in the licensing policy starting with NetScaler software release 9.0?

Yes. Starting with NetScaler software release 9.0, the appliance might not have a single license file. The number of license files depends on the NetScaler software release edition. For example, if you have installed the Advanced edition, you might need extra license files for the full functionality of the various features. However, if you have installed the Premium edition, the appliance has only one license file.

How do I export the certificate from the Internet Information Service (IIS)?

There are several ways to do this. The following method exports the certificate and the private key for the website. Perform this procedure on the IIS server itself.

  1. Open the Internet Information Services (IIS) Manager administration tool.

  2. Expand the websites node and locate the SSL-enabled website that you want to serve through the NetScaler appliance.

  3. Right-click this website and click Properties.

  4. Click the Directory Security tab and, in the Secure Communications section of the window, select the View Certificate box.

  5. Click the Details tab, and then click Copy to File.

  6. On the Welcome to the Certificate Export Wizard page, click Next.

  7. Select Yes, export the private key, and click Next.

    Note: The private key MUST be exported for SSL Offload to work on the NetScaler.

  8. Make sure that the Personal Information Exchange - PKCS #12 radio button is selected, and select only the Include all certificates in the certification path if possible check box. Click Next.

  9. Enter a password and click Next.

  10. Enter a file name and location, and then click Next. Give the file an extension of .PFX.

  11. Click Finish.

How do I convert the PKCS#12 certificate and install it on the NetScaler?

  1. Move the exported .PFX certificate file to a location from where it can be copied to the NetScaler appliance. That is, to a machine that permits SSH access to the management interface of a NetScaler appliance. Copy the certificate to the appliance by using a secure copy utility such as SCP.

  2. Access the BSD shell and convert the certificate (for example, cert.PFX) to .PEM format:

    root@ns# openssl pkcs12 -in cert.PFX -out cert.PEM
    
  3. To make sure that the converted certificate is in the correct x509 format, verify that the following command produces no error:

    root@ns# openssl x509 -in cert.PEM -text
    
  4. Verify that the certificate file contains a private key. Begin by issuing the following command:

    root@ns# cat cert.PEM

    Verify that the output includes an RSA PRIVATE KEY section:

    -----BEGIN RSA PRIVATE KEY-----
    Mkm^s9KMs9023pz/s...
    -----END RSA PRIVATE KEY-----

    The following is another example of an RSA PRIVATE KEY section:

        Bag Attributes
        1.3.6.1.4.1.311.17.2: <No Values>
        localKeyID: 01 00 00 00
        Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
        friendlyName: 4b9cef4cc8c9b849ff5c662fd3e0ef7e_76267e3e-6183-4d45-886e-6e067297b38f
        Key Attributes
        X509v3 Key Usage: 10
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,43E7ACA5F4423968
        pZJ2SfsSVqMbRRf6ug37Clua5gY0Wld4frPIxFXyJquUHr31dilW5ta3hbIaQ+Rg
        ... (more random characters)
        v8dMugeRplkaH2Uwt/mWBk4t71Yv7GeHmcmjafK8H8iW80ooPO3D/ENV8X4U/tlh
        5eU6ky3WYZ1BTy6thxxLlwAullynVXZEflNLxq1oX+ZYl6djgjE3qg==
        -----END RSA PRIVATE KEY-----
    

    The following is a SERVER CERTIFICATE section:

        Bag Attributes
        localKeyID: 01 00 00 00
        friendlyName: AG Certificate
        subject=/C=AU/ST=NSW/L=Wanniassa/O=Dave Mother Asiapacific/OU=Support/CN=davemother.food.lan
        issuer=/DC=lan/DC=food/CN=hotdog
        -----BEGIN CERTIFICATE-----
        MIIFiTCCBHGgAwIBAgIKCGryDgAAAAAAHzANBgkqhkiG9w0BAQUFADA8MRMwEQYK
        ... (more random characters)
        5pLDWYVHhLkA1pSxvFjNJHRSIydWHc5ltGyKqIUcBezVaXyel94pNSUYx07NpPV/
        MY2ovQyQZM8gGe3+lGFum0VHbv/y/gB9HhFesog=
        -----END CERTIFICATE-----
    

    The following is an INTERMEDIATE CA CERTIFICATE section:

        Bag Attributes: <Empty Attributes>
        subject=/DC=lan/DC=food/CN=hotdog
        issuer=/DC=lan/DC=food/CN=hotdog
        -----BEGIN CERTIFICATE-----
        MIIESDCCAzCgAwIBAgIQah20fCRYTY9LRXYMIRaKGjANBgkqhkiG9w0BAQUFADA8
        ... (more random characters)
        Nt0nksawDnbKo86rQcNnY5xUs7c7pj2zxj/IOsgNHUp5W6dDI9pQoqFFaDk=
        -----END CERTIFICATE-----
    

    Further Intermediate CA certificates might follow, depending on the certification path of the exported certificate.

  5. Open the .PEM file in a text editor.

  6. Locate the first line of the .PEM file and the first instance of the following line, and copy those two lines and all the lines between them:

    -----END CERTIFICATE-----

    Note: Make sure that the last copied line is the first -----END CERTIFICATE----- line in the .PEM file.
    
  7. Paste the copied lines into a new file. Call the new file something intuitive, such as cert-key.pem. This certificate-key pair is for the server hosting the HTTPS service. This file must contain both the section labeled RSA PRIVATE KEY and the section labeled SERVER CERTIFICATE in the preceding example.

    Note: The certificate-key pair file contains the private key and must be kept secure.

  8. Locate any subsequent sections beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and copy each such section to a separate new file.

    These sections correspond to certificates of trusted CAs that have been included in the certification path. Each section must be copied and pasted into its own new file. For example, the INTERMEDIATE CA CERTIFICATE section of the preceding example must be copied and pasted into a new file.

    For multiple intermediate CA certificates in the original file, create files for each intermediate CA certificate in the order in which they appear in the file. Keep track (using appropriate file names) of the order in which the certificates appear, as they must be linked together in the correct order in a later step.

  9. Copy the certificate-key file (cert-key.pem) and any additional CA certificate files into the /nsconfig/ssl directory on the NetScaler appliance.

  10. Exit the BSD shell and access the NetScaler prompt.

  11. Follow the steps in “Install the certificate-key files on the appliance” to install the key/certificate once uploaded on the device.

How do I convert the PKCS#7 certificate and install it on the NetScaler appliance?

You can use OpenSSL to convert a PKCS #7 Certificate to a format recognizable by the NetScaler appliance. The procedure is identical to the procedure for PKCS #12 certificates, except that you invoke OpenSSL with different parameters. The steps for converting PKCS #7 certificates are as follows:

  1. Copy the certificate to the appliance by using a secure copy utility, such as SCP.

  2. Convert the certificate (for example, cert.P7B) to PEM format:

    openssl pkcs7 -inform DER -in cert.P7B -print_certs -text -out cert.pem
    
  3. Follow steps 3 through 7 as described in the answer for PKCS #12 certificates.

    Note: Before loading the converted PKCS #7 certificate to the appliance, verify that it contains a private key, exactly as described in step 3 for the PKCS #12 procedure. PKCS #7 certificates, particularly the certificates exported from IIS, do not typically contain a private key.
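Steps 5 through 8 of the PKCS #12 procedure above split the converted PEM file by hand into cert-key.pem and one file per CA certificate. The script below is an added example, not Citrix code, that does the same split with the Python standard library and goes one step further than the page: instead of relying on file position, it orders the CA certificates by following the subject=/issuer= lines that openssl pkcs12 prints ahead of each certificate, and it rejects a bundle with no private key, which is the check the PKCS #7 note asks for. The output file names (cert-key.pem, ca-N.pem), the function names and the sample bundle are assumptions.

```python
from pathlib import Path

# Labels that mark a private key block; a PKCS#7 export usually has none of them.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY"}


def parse_bundle(text):
    """Return [(label, attrs, pem_block), ...] for every BEGIN/END section; attrs
    holds the subject=/issuer= lines openssl prints ahead of each certificate."""
    entries, attrs, block = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN "):
            block = [line]
        elif block is not None:
            block.append(line)
            if line.startswith("-----END "):
                label = line[len("-----END "):-len("-----")]
                entries.append((label, attrs, "\n".join(block) + "\n"))
                attrs, block = {}, None
        elif "=" in line:  # Bag Attributes lines use ':' and are skipped here
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return entries


def order_chain(certs):
    """certs: [(attrs, pem), ...]. Return [server cert, its issuer, ...]: the leaf
    is the certificate whose subject is nobody else's issuer, each next link has
    subject == previous issuer, and a self-signed certificate ends the walk."""
    if any("subject" not in a or "issuer" not in a for a, _ in certs):
        raise ValueError("certificate without subject=/issuer= lines")
    by_subject = {a["subject"]: (a, pem) for a, pem in certs}
    leaves = [c for c in certs if not any(
        o["issuer"] == c[0]["subject"] and o is not c[0] for o, _ in certs)]
    if len(leaves) != 1:
        raise ValueError(f"expected one server certificate, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        a = cur[0]
        cur = None if a["issuer"] == a["subject"] else by_subject.get(a["issuer"])
    return chain


def split_bundle(text):
    """Return (cert_key_pem, [ca_pem, ...]): key + server certificate for
    cert-key.pem, then the CA certificates in chain order, one per file.
    Raises ValueError unless exactly one private key is present (the step 4 check)."""
    entries = parse_bundle(text)
    keys = [pem for label, _, pem in entries if label in KEY_LABELS]
    certs = [(attrs, pem) for label, attrs, pem in entries if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError(f"need exactly one private key and a certificate ({len(keys)} keys, {len(certs)} certs)")
    chain = order_chain(certs)
    return keys[0] + chain[0][1], [pem for _, pem in chain[1:]]


def write_split(text, outdir):
    """Write cert-key.pem and ca-1.pem, ca-2.pem, ... (chain order) into outdir,
    ready for /nsconfig/ssl. cert-key.pem holds the private key, hence mode 0600."""
    cert_key, cas = split_bundle(text)
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = [out / "cert-key.pem"]
    paths[0].write_text(cert_key)
    paths[0].chmod(0o600)
    for i, pem in enumerate(cas, 1):
        paths.append(out / f"ca-{i}.pem")
        paths[-1].write_text(pem)
    return paths


# Constructed sample in the layout openssl pkcs12 produces; the bodies are
# placeholders, not real key or certificate material. The root is listed before
# the issuing CA on purpose, to show that the order follows subject/issuer.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYMATERIALNOTAREALKEY
-----END RSA PRIVATE KEY-----
subject=/C=AU/O=Example/CN=www.example.test
issuer=/DC=test/DC=example/CN=Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTIFICATE
-----END CERTIFICATE-----
subject=/DC=test/DC=example/CN=Root CA
issuer=/DC=test/DC=example/CN=Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERTIFICATE
-----END CERTIFICATE-----
subject=/DC=test/DC=example/CN=Issuing CA
issuer=/DC=test/DC=example/CN=Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTIFICATE
-----END CERTIFICATE-----
"""
# The same bundle with the key removed: what a PKCS#7 export typically yields.
PKCS7_STYLE_BUNDLE = SAMPLE_BUNDLE.split("-----END RSA PRIVATE KEY-----\n", 1)[1]
```

Run split_bundle on the real cert.PEM from step 2 and write_split to a scratch directory, then copy the resulting files to /nsconfig/ssl as in step 9.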

Why do I see the error message “Command deprecated” when I bind a cipher to a virtual server or service by using the bind cipher command?

The command for binding a cipher to a virtual server or service has changed.

Use the bind ssl vserver <vServerName> -ciphername <ciphername> command to bind an SSL cipher to an SSL virtual server.

Use the bind ssl service <serviceName> -ciphername <ciphername> command to bind an SSL cipher to an SSL service.

Note: New ciphers and cipher groups are added to the existing list and not replaced.

Why can’t I create a cipher group and bind ciphers to it by using the add cipher command?

The add cipher command functionality has changed in release 10. The command only creates a cipher group. To add ciphers to the group, use the bind cipher command.

OpenSSL

How do I use OpenSSL to convert certificates between PEM and DER?

To use OpenSSL, you must have a working installation of the OpenSSL software and be able to run OpenSSL from the command line.

x509 certificates and RSA keys can be stored in several different formats.

Two common formats are:

  • DER (a binary format used primarily by Java and Macintosh platforms)
  • PEM (a base64 representation of DER with header and footer information, which is used primarily by UNIX and Linux platforms).

A key and the corresponding certificate, in addition to the root and any intermediate certificates, can also be stored in a single PKCS#12 (.P12, .PFX) file.

Procedure

Use the OpenSSL command to convert between formats as follows:

  1. To convert a certificate from PEM to DER:

    openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

  2. To convert a certificate from DER to PEM:

    openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

  3. To convert a key from PEM to DER:

    openssl rsa -in input.key -inform PEM -out output.key -outform DER

  4. To convert a key from DER to PEM:

    openssl rsa -in input.key -inform DER -out output.key -outform PEM
    

    Note: If the key you are importing is encrypted with a supported symmetric cipher, you are prompted to enter the pass phrase.

    Note: To convert a key to or from the obsolete NET (Netscape server) format, substitute NET for PEM or DER as appropriate. The stored key is encrypted in a weak unsalted RC4 symmetric cipher, so a pass phrase is requested. A blank pass phrase is acceptable.
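As described above, PEM is only the base64 form of DER between BEGIN and END lines, so the conversion can be done without OpenSSL. The following added example (not Citrix code; standard library only) converts both ways and then reads the RSA modulus size straight from the DER, which is the check behind the first FAQ on this page: a key below 1024 is refused by browsers for HTTPS access to the GUI. The sample key is a constructed ASN.1 shell with placeholder integers, not usable key material, and the function names are assumptions.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem):
    """Return (label, DER bytes) of the first PEM block: PEM is the base64 of the
    DER between the BEGIN/END lines. An encrypted PKCS#1 key carries Proc-Type /
    DEK-Info headers and must be decrypted first (openssl rsa), as noted above."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "Proc-Type:" in body:
        raise ValueError("encrypted PEM key: decrypt it before converting")
    return label, base64.b64decode("".join(body.split()), validate=True)


def der_to_pem(label, der):
    """Wrap DER as PEM: base64 in 64-character lines between BEGIN/END."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_tlv(buf, pos):
    """Parse one DER tag-length-value at `pos`; return (tag, value, next_pos).
    Handles single-byte tags and definite short/long-form lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def rsa_private_key_bits(pem):
    """Modulus size of a PKCS#1 'RSA PRIVATE KEY' block, the number openssl
    reports as 'Private-Key: (N bit)'.
    RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }"""
    label, der = pem_to_der(pem)
    if label != "RSA PRIVATE KEY":
        raise ValueError(f"expected RSA PRIVATE KEY, got {label}")
    tag, seq, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    _, _, pos = der_tlv(seq, 0)          # version
    tag, modulus, _ = der_tlv(seq, pos)  # modulus n
    if tag != 0x02:
        raise ValueError("modulus must be an INTEGER")
    # DER INTEGER is big-endian two's complement; a leading 0x00 only keeps n positive
    return int.from_bytes(modulus, "big").bit_length()


def meets_gui_minimum(pem):
    """True if the key reaches the 1024 minimum the first FAQ cites for browsers."""
    return rsa_private_key_bits(pem) >= 1024


def der_encode(tag, value):
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_integer(n):
    """DER INTEGER for n >= 0: minimal bytes plus a 0x00 pad when the top bit is set."""
    return der_encode(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def constructed_rsa_key_pem(bits):
    """Constructed test data: a syntactically valid RSAPrivateKey whose modulus
    has exactly `bits` bits. The values are placeholders, not a usable key."""
    modulus = (1 << (bits - 1)) | 0x2345
    fields = [0, modulus, 65537] + [1] * 6  # version, n, e, d, p, q, dp, dq, qInv
    return der_to_pem("RSA PRIVATE KEY", der_encode(0x30, b"".join(map(der_integer, fields))))


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        pem = constructed_rsa_key_pem(bits)
        label, der = pem_to_der(pem)
        print(f"{label}: {len(der)} DER bytes, {rsa_private_key_bits(pem)}-bit modulus, "
              f"GUI minimum met: {meets_gui_minimum(pem)}")
```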

System Limits

What are the important numbers to remember?

  1. Create Certificate Request:

    • Request File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • PEM Passphrase (For Encrypted Key): Maximum 31 characters
    • Common Name: Maximum 63 characters
    • City: Maximum 127 characters
    • Organization Name: Maximum 63 characters
    • State/Province Name: Maximum 63 characters
    • Email Address: Maximum 255 Characters
    • Organization Unit: Maximum 63 characters
    • Challenge Password: Maximum 20 characters
    • Company Name: Maximum 127 characters
  2. Create Certificate:

    • Certificate File Name: Maximum 63 characters
    • Certificate Request File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • PEM Passphrase: Maximum 31 characters
    • Validity Period: Maximum 3650 days
    • CA Certificate File Name: Maximum 63 characters
    • CA Key File Name: Maximum 63 characters
    • PEM Passphrase: Maximum 31 characters
    • CA Serial Number File: Maximum 63 characters
  3. Create and Install a Server Test Certificate:

    • Certificate File Name: Maximum 31 characters
    • Fully Qualified Domain Name: Maximum 63 characters
  4. Create Diffie-Hellman (DH) key:

    • DH File Name (with path): Maximum 63 characters
    • DH Parameter Size: Maximum 2048 bits (starting from release 14.1-25.x, the maximum is increased to 4096)

    Note:

    For Cavium platforms, the maximum limit is 2048 bits.

    Starting from release 14.1-25.x, you can create DH keys of up to 4096 bits on some of the Intel Coleto and Intel Lewisburg-based platforms, and on the platforms where SSL processing is performed only in software. Earlier, the size was restricted to 2048 bits.

    To create a DH key of more than 2048 bits, use the OpenSSL command from the NetScaler shell prompt.

    For more information on Intel Coleto and Intel Lewisburg-based platforms, see Diffie-Hellman parameters generation and achieving PFS with DHE.

  5. Import PKCS12 key:

    • Output File Name: Maximum 63 characters
    • PKCS12 File Name: Maximum 63 characters
    • Import Password: Maximum 31 characters
    • PEM Passphrase: Maximum 31 characters
    • Verify PEM Passphrase: Maximum 31 characters
  6. Export PKCS12
    • PKCS12 File Name: Maximum 63 characters
    • Certificate File Name: Maximum 63 characters
    • Key File Name: Maximum 63 characters
    • Export Password: Maximum 31 characters
    • PEM Passphrase: Maximum 31 characters
  7. CRL Management:
    • CA Certificate File Name: Maximum 63 characters
    • CA Key File Name: Maximum 63 characters
    • CA Key File Password: Maximum 31 characters
    • Index File Name: Maximum 63 characters
    • Certificate File Name: Maximum 63 characters
  8. Create RSA Key:
    • Key File Name: Maximum 63 characters
    • Key Size: Maximum 4096 bits
    • PEM Passphrase: Maximum 31 characters
    • Verify Passphrase: Maximum 31 characters
  9. Change advanced SSL settings:
    • Maximum CRL memory size: Maximum 1024 Mbytes
    • Encryption trigger timeout (10 ms ticks): Maximum 200
    • Encryption trigger packet count: Maximum 50
    • OCSP cache size: Maximum 512 Mbytes
  10. Install Certificate:
    • Certificate-Key pair Name: Maximum 31 characters
    • Certificate File Name: Maximum 63 characters
    • Private Key File Name: Maximum 63 characters
    • Password: Maximum 31 characters
    • Notification Period: Maximum 100
  11. Create Cipher Group:
    • Cipher Group Name: Maximum 39 characters
  12. Create CRL:
    • CRL Name: Maximum 31 characters
    • CRL File: Maximum 63 characters
    • URL: Maximum 127 characters
    • Base DN: Maximum 127 characters
    • Bind DN: Maximum 127 characters
    • Password: Maximum 31 characters
    • Days: Maximum 31
  13. Create SSL Policy:
    • Name: Maximum 127 characters
  14. Create SSL Action:
    • Name: Maximum 127 characters
  15. Create OCSP Responder:
    • Name: Maximum 32 characters
    • URL: Maximum 128 characters
    • Batching Depth: Maximum 8
    • Batching Delay: Maximum 10000
    • Produced At Time Skew: Maximum 86400
    • Request Time-out: Maximum 120000
  16. Create Virtual Server:
    • Name: Maximum 127 characters
    • Redirect URL: Maximum 127 characters
    • Client Time-out: Maximum 31536000 secs
  17. Create Service:
    • Name: Maximum 127 characters
    • Idle Time-out (secs): Client: Maximum 31536000; Server: Maximum 31536000
  18. Create Service Group:
    • Service Group Name: Maximum 127 characters
    • Server ID: Maximum 4294967295
    • Idle Time-out (secs): Client: Maximum 31536000; Server: Maximum 31536000
  19. Create Monitor:
    • Name: Maximum 31 characters
  20. Create Server:
    • Server Name: Maximum 127 characters
    • Domain Name: Maximum 255 characters
    • Resolve Retry: Maximum 20939 secs