Legacy SSL profile
Citrix recommends using the enhanced profiles instead of legacy profiles. For information about the enhanced profile infrastructure, see SSL profile infrastructure.
Bind an SSL profile to an SSL virtual server. Do not bind a DTLS profile to an SSL virtual server. For information about DTLS profiles, see DTLS Profiles.
You can use an SSL profile to specify how a NetScaler processes SSL traffic. The profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. You are not limited to configuring only one set of global parameters. You can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:
- Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client.
- Back-end profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server.
Unlike a TCP or HTTP profile, an SSL profile is optional. Therefore, there is no default SSL profile. The same profile can be reused across multiples entities. If an entity does not have a profile attached, the values set at the global level apply. For dynamically learned services, current global values apply.
The following table lists the parameters that are part of each profile.
|Front end profile||Back-end profile|
|dh, dhFile, dhCount||pushEncTriggerTimeout|
|tls1, tls11, tls12||-|
* The clearTextPort parameter applies only to an SSL virtual server.
An error message appears if you try to set a parameter that is not part of the profile. For example, if you try to set the clientAuth parameter in a back-end profile.
Some SSL parameters, such as CRL memory size, OCSP cache size, UndefAction Control, and UndefAction Data, are not part of any of the preceding profiles, because these parameters are independent of entities.
An SSL profile supports the following operations:
- Add—Creates an SSL profile on the NetScaler. Specify whether the profile is front end or back end. Front end is the default.
- Set—Modifies the settings of an existing profile.
- Unset—Sets the specified parameters to their default values. If you do not specify any parameters, an error message appears. If you unset a profile on an entity, the profile is unbound from the entity.
- Remove—Deletes a profile. A profile that is being used by any entity cannot be deleted. Clearing the configuration deletes all the entities. As a result, the profiles are also deleted.
- Show—Displays all the profiles that are available on the NetScaler. If a profile name is specified, the details of that profile are displayed. If an entity is specified, the profiles associated with that entity are displayed.
Create an SSL profile by using the CLI
- To add an SSL profile, type:
add ssl profile <name> [-sslProfileType ( BackEnd | FrontEnd )] <!--NeedCopy-->
- To modify an existing profile, type:
set ssl profile <name> <!--NeedCopy-->
- To unset an existing profile, type:
unset ssl profile <name> [-dh] [-dhFile] [-dhCount] [-eRSA]… <!--NeedCopy-->
- To unset an existing profile from an entity, type:
unset ssl vserver <vServerName> –sslProfile <!--NeedCopy-->
- To remove an existing profile, type:
rm ssl profile <name> <!--NeedCopy-->
- To display an existing profile, type:
sh ssl profile <name> <!--NeedCopy-->
Create an SSL profile by using the GUI
Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile.
Enable stricter control on client certificate validation
The NetScaler appliance accepts valid Intermediate-CA certificates if a single Root-CA has issued them. That is, if only the Root-CA certificate is bound to the virtual server, and that Root-CA validates any of the intermediate certificates sent with the client certificate, the appliance trusts the certificate chain and the handshake is successful.
However, if a client sends a chain of certificates in the handshake, the intermediate certificates can be validated by using a CRL or OCSP responder only if that certificate is bound to the SSL virtual server. Therefore, even if one of the intermediate certificates is revoked, the handshake is successful. As part of the handshake, the SSL virtual server sends the list of CA certificates that are bound to it. For stricter control, you can configure the SSL virtual server to accept only a certificate that one of the CA certificates bound to that virtual server has signed. To do so, you must enable the
ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server. The handshake fails if one of the CA certificates bound to the virtual server has not signed the client certificate.
For example, say two client certificates, clientcert1 and clientcert2, are signed by the intermediate certificates Int-CA-A and Int-CA-B, respectively. The intermediate certificates are signed by the root certificate Root-CA. Int-CA-A and Root-CA are bound to the SSL virtual server. In the default case (ClientAuthUseBoundCAChain disabled), both clientcert1 and clientcert2 are accepted. However, if ClientAuthUseBoundCAChain is enabled, the NetScaler appliance only accepts clientcert1.
Enable stricter control on client certificate validation by using the CLI
At the command prompt, type:
set ssl profile <name> -ClientAuthUseBoundCAChain Enabled
Enable stricter control on client certificate validation by using the GUI
- Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile, or select an existing profile.
- Select Enable Client Authentication using bound CA Chain.