
Zero touch certificate management FAQs

Basic questions

The zero touch certificate management feature is particularly beneficial in large-scale deployments, where automated distribution significantly streamlines the management of certificates and keys across a multitude of virtual servers.

Does the zero touch certificate management feature affect performance?

No. Enabling zero touch certificate management does not affect NetScaler performance; all operations continue to run as before.

How is the distribution of certificates managed? Will all certificates be available on every NetScaler, or can we specify which certificates are distributed to a particular NetScaler instance?

Distribution cannot be scoped per instance. Every onboarded NetScaler instance that has zero touch certificate management enabled polls NetScaler Console and retrieves all certificates from its certificate repository.

Are the certificates and keys fetched by NetScaler stored only in memory, or are they also saved to the NetScaler file system?

The metadata for the certificates and keys is stored exclusively in memory.

What should we do if a client does not support the SNI extension?

While SNI-based use cases account for 80% to 90% of all internet traffic, in enterprise environments some clients might not send an SNI in the Client Hello message. In such cases, the administrator must configure a default SNI at the application level and ensure that the corresponding certificate is available in the certificate repository on NetScaler Console. That certificate is then used during the handshake whenever the client does not send an SNI.

Will it be necessary to allocate additional memory to a VPX in order to support all the certificates?

No, additional memory is not required to support all the certificates.

Will this include certificates for SAML signing and OCSP responders?

Currently, zero touch certificate management does not cover certificates used for SAML signing or OCSP responders.

If a customer has multiple certificates that match the SNI, which one will the NetScaler choose? Will it always prefer the most specific FQDN certificate, or the one with the longest validity period?

When multiple certificates in the repository match the same SNI, NetScaler marks the certificate with the longest validity period as ACTIVE and uses it for the TLS session; the more specific FQDN is not preferred.
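The two answers above describe how the certificate for a handshake is chosen: the SNI from the Client Hello selects the certificate, a configured default SNI stands in when the client sends none, and the longest validity period breaks ties. The following is an added model of those rules, not NetScaler code. It parses the server_name extension out of a raw ClientHello, applies the fallback and the tie-break, and runs against a constructed certificate repository. Two things it assumes that the page does not state: names are matched exactly or by a single left-most wildcard label (RFC 6125 style), and "longest validity period" is read as the latest notAfter date. The certificate labels, the DNS names, the sample ClientHello bytes and the default SNI `fallback.example.net` are all constructed for the example.

```python
"""Added example (not NetScaler code): SNI-driven certificate selection with a
default-SNI fallback and a longest-validity tie-break, as described in the FAQ.
Assumptions not from the page: exact or single-label wildcard matching, and
"longest validity period" taken as latest notAfter. All data is constructed."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    label: str                  # repository entry name (constructed)
    dns_names: Tuple[str, ...]  # DNS names the certificate covers
    not_before: datetime
    not_after: datetime


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record; sni=None omits the extension."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
        data = struct.pack("!H", len(entry)) + entry               # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(data)) + data       # server_name ext
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)                # x25519, secp256r1
    exts += struct.pack("!HH", 0x000A, len(groups)) + groups       # supported_groups
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, sid
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"           # two cipher suites
            + b"\x01\x00"                                          # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record header


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, else None."""
    if record[:1] != b"\x16":
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + body[pos]                                     # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos >= len(body):
        return None                                          # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != 0x0000:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= list_end:
            name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:                               # host_name
                return data[q:q + name_len].decode("ascii").lower()
            q += name_len
    return None


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or single left-most-label wildcard (assumption, see header)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    return pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]


def select_cert(repo: List[Cert], sni: Optional[str], default_sni: Optional[str]) -> Optional[Cert]:
    """Pick the certificate served for this handshake, or None (handshake would fail)."""
    host = sni or default_sni                                # no SNI -> default SNI
    if not host:
        return None
    candidates = [c for c in repo if any(name_matches(n, host) for n in c.dns_names)]
    # Tie-break from the page: longest validity period, not the most specific name.
    return max(candidates, key=lambda c: c.not_after, default=None)


# Constructed repository; these are not real certificates.
REPO = [
    Cert("www-exact", ("www.example.com",),
         datetime(2025, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC)),
    Cert("wildcard", ("*.example.com",),
         datetime(2025, 6, 1, tzinfo=UTC), datetime(2027, 6, 1, tzinfo=UTC)),
    Cert("default", ("fallback.example.net",),
         datetime(2025, 1, 1, tzinfo=UTC), datetime(2026, 6, 1, tzinfo=UTC)),
]
DEFAULT_SNI = "fallback.example.net"   # the administrator-configured default SNI (assumed name)


def served_for(hello: bytes) -> Optional[str]:
    """Label of the certificate the model would present for this ClientHello."""
    cert = select_cert(REPO, parse_sni(hello), DEFAULT_SNI)
    return cert.label if cert else None


if __name__ == "__main__":
    for sni in ("www.example.com", "api.example.com", None, "nomatch.test"):
        print(f"SNI={sni!r:>20} -> {served_for(build_client_hello(sni))}")
```

The `www.example.com` case is the one the question asks about: both the exact-name certificate and the wildcard match, and the wildcard wins because it expires later, not because of name specificity. Against a live virtual server the same two behaviours can be observed with OpenSSL: `openssl s_client -connect <vip>:443 -servername www.example.com` shows the certificate chosen for that SNI, and `openssl s_client -connect <vip>:443 -noservername` (OpenSSL 1.1.1 or later) sends no SNI at all, so the certificate it returns is the one the default SNI resolves to.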

If we enable zero touch certificate management on a NetScaler instance today, will it apply to all virtual IP addresses, including those that already have a certificate bound, or only to virtual IP addresses without SSL certificates?

When zero touch certificate management is enabled on a NetScaler instance, it becomes active for the server certificates of applications (virtual IP addresses) that have no server certificate bound. The same applies to CA certificates for virtual IP addresses and services.

Does the NetScaler CLI display the certificate binding on the virtual IP addresses? This information does not appear in the NetScaler GUI, and being able to identify the bindings in the CLI would help with troubleshooting.

No certificate binding configuration is required in this scenario, so there is no per-virtual-IP binding to display: there is no binding model in place. Instead, the appropriate certificate for the domain is served dynamically during the handshake, based on the Server Name Indication (SNI) received from the client. For troubleshooting, NetScaler Console provides a Zero Touch Usage dashboard that automatically lists the generated certificate key pairs and their associated domains; if the correct certificate for a domain has been uploaded to the certificate repository, administrators can track it there.

The NetScaler CLI does display the certificates and keys installed on the instance. A Certificate Source of REMOTE indicates that the certificate was fetched from the zero touch certificate repository on NetScaler Console, and a status of ACTIVE means that the certificate can be used in TLS sessions when zero touch certificate management is enabled on that virtual IP address or service.

Does NetScaler Console require any additional memory allocation?

NetScaler Console does not require any additional memory allocation.
