Contents

1 Abstract

2 Naming Standards

3 Uploading and installing the SSL Certificate, Key, and Chain.

3.1 GUI

3.2 CLI

3.3 Invalid Private Key Error with Fix

4 Binding the Certificates and Profiles

4.1 GUI

4.2 CLI

5 Updating SSL Ciphers with an SSL profile

5.1 GUI

5.2 CLI

6 Reference Links

Abstract

All virtual servers are to be configured as content switching virtual servers. As a result, SSL termination is configured on a content switching virtual server of the SSL protocol type. SSL termination requires that the certificate, key, and chain be uploaded, installed, and linked together. The trio is then bound to the virtual server. SSL ciphers are selected with an SSL profile, which can be bound to the virtual server. By default the NetScaler binds ns_default_ssl_profile_frontend, which the kick limits to a few select strong ciphers.

Naming Standards

For naming standards see the NetScaler Standards Page.

Uploading and installing the SSL Certificate, Key, and Chain.

GUI

There are multiple places to upload these files in the GUI depending on where you are in the virtual server creation process. This wiki outlines two places that work regardless of whether you are in the middle of creating a new virtual server or not.

First select "Manage Certificates/Keys/CSRs" from the SSL menu under configuration.

[SSL Termination on Citrix NetScaler, image 1]

At this point you can select upload and proceed to upload the files from your local box or go to action >> import and paste in a PEM of each.

[SSL Termination on Citrix NetScaler, image 2]

After the SSL certificate, key, and chain have been uploaded you have to install them. To start with, navigate to Configuration >> Traffic Management >> SSL >> Certificates >> Server Certificates and select "Install".

[SSL Termination on Citrix NetScaler, image 3]

Select your certificate and key in the new window that opens. If you uploaded the certificate and key in the way described above, select "appliance" in the drop down menu from "choose file". Alternatively, you can upload the certificate and key from your local box by selecting "local" instead.

[SSL Termination on Citrix NetScaler, image 4]

Repeat the same process for the CA Certificate under Install CA Certificate.

[SSL Termination on Citrix NetScaler, image 5]

Finally, you need to link the server cert with the CA cert by navigating to the server certificate section, selecting the server certificate and then selecting "link" from the action menu.

[SSL Termination on Citrix NetScaler, image 6]

Select the CA certificate from the drop down menu in the next window.

[SSL Termination on Citrix NetScaler, image 7]

CLI

You can SCP the certificate, key, and chain directly to the NetScaler and then bind them via the CLI. Upload the files in PEM format to the /flash/nsconfig/ssl directory (/nsconfig is a symlink to /flash/nsconfig, so /nsconfig/ssl is the same place). In an HA pair the files reach the secondary through HA file synchronization, not through the configuration propagation that happens when the configuration is saved; if the secondary does not show the certKey after the save (check with show ssl certKey on it), push the files from the primary with sync HA files ssl. Alternatively, you can use a text editor (or simply "cat >") to paste the files directly into your terminal session on the appliance.

SCP from your local box

scp <file> gu=@@@support.dfw1.gateway.example.com:/flash/nsconfig/ssl/<file>

- sample -

scp nglab.example.corp.key gu=username@[email protected]@support.dfw1.gateway.example.com:/flash/nsconfig/ssl/nglab.example.corp.key

After the files are on the device, run the following to bind them into a certKey configuration object and link the chain. Note that -expiryMonitor DISABLED turns off the appliance's own certificate-expiry alerting for that certKey, so expiry must be tracked elsewhere; show ssl certKey <certkeyName> reports the status and days to expiration.

Create binding on NetScaler

add ssl certKey <certkeyName> -cert <certFile> -key <keyFile> -expiryMonitor DISABLED

add ssl certKey <caCertkeyName> -cert <caCertFile> -bundle YES -expiryMonitor DISABLED

link ssl certKey <certkeyName> <caCertkeyName>

- sample -

add ssl certKey wild.nglab.example.corp -cert nglab.example.corp.crt -key nglab.example.corp.key -expiryMonitor DISABLED

add ssl certKey Example_Internal_Root_CA -cert Example_Internal_Root_CA.crt -bundle YES -expiryMonitor DISABLED

link ssl certKey wild.nglab.example.corp Example_Internal_Root_CA

Invalid Private Key Error with Fix

An error seen recently while installing the certificate key pair was quickly resolved using CTX134233.

Error: When installing the cert key pair, either via GUI or CLI, you receive the following message: "Invalid private key, or PEM pass phrase required for this private key".

The issue is due to hidden space control characters within the key. It is an easy fix using the steps below:

1. Log in to the NetScaler via SSH.

2. Switch to the shell (shell).

3. Go to the /nsconfig/ssl directory.

4. Run the following openssl command to rewrite the key without the hidden characters: openssl rsa -in current_keyfilename -out NEW_keyfilename

5. Install the new certificate key pair.

Two caveats: the same message is also produced when the key really is passphrase-protected (the file contains "Proc-Type: 4,ENCRYPTED" or begins with "BEGIN ENCRYPTED PRIVATE KEY"); in that case openssl rsa prompts for the passphrase and writes an unencrypted key, which is what the appliance needs. And openssl rsa only handles RSA keys; for an EC key use openssl ec (or openssl pkey, which handles both) with the same -in and -out arguments.
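The checks implied by the two sections above (the key belongs to the certificate, the certificate verifies against the chain before link ssl certKey, and the key is free of control characters and passphrases before add ssl certKey) can be scripted so the problem is caught on your local box rather than on the appliance. The script below is an added example by the page editor, not Citrix code and not part of CTX134233; it assumes only a POSIX shell and an openssl binary (the NetScaler shell has one, so it can also run there). The function and file names (check_certkey, clean_pem, server.crt, server.key, chain.crt) are the example's own.

```shell
#!/bin/sh
# Pre-flight check of a certificate/key/chain trio before it is copied to
# /flash/nsconfig/ssl and added with `add ssl certKey`.
# Added example (page editor), not Citrix code. Assumes: POSIX sh + openssl.
# Usage: sh certkey_check.sh server.crt server.key chain.crt

# True if the key is passphrase-protected. The appliance reports such a key
# with the same "Invalid private key, or PEM pass phrase required" message as
# a key that merely contains stray control characters, so separate the cases.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# clean_pem IN OUT: drop CR, NUL and every other non-printable byte, then let
# openssl re-serialise the key. This is the CTX134233 fix (openssl rsa -in/-out)
# done with `openssl pkey` so that it also works for EC keys.
clean_pem() {
    tmp="$2.tmp"
    tr -d '\r\000' < "$1" | LC_ALL=C tr -cd '[:print:]\n' > "$tmp"
    openssl pkey -in "$tmp" -out "$2" 2>/dev/null
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_certkey CERT KEY CHAIN: prints one FAIL line and returns non-zero on
# the first inconsistency; prints OK and returns 0 when the trio is usable.
check_certkey() {
    cert=$1; key=$2; chain=$3
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; write an unencrypted copy (openssl pkey -in $key -out plain.key) first"
        return 1
    fi
    if ! tr -d '\r\000' < "$key" | cmp -s - "$key"; then
        echo "FAIL: $key contains CR/NUL characters; run clean_pem on it"
        return 1
    fi
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key does not parse as a private key"
        return 1
    fi
    # Compare the SubjectPublicKeyInfo from both sides rather than the RSA
    # modulus so the same check works for RSA and EC keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert does not parse as a certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match $key (wrong key file?)"
        return 1
    fi
    # CHAIN must contain the issuing CA(s) up to a root, as on this page.
    # openssl verify also consults the local system trust store, so a success
    # here may come from a root that is in that store but not in CHAIN; add
    # -no-CApath -no-CAfile (OpenSSL 1.1+) when that matters.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain; link ssl certKey will not succeed either"
        return 1
    fi
    echo "OK: $cert, $key and $chain are consistent"
}

if [ "$#" -eq 3 ]; then
    check_certkey "$1" "$2" "$3"
fi
```

clean_pem deliberately re-serialises through openssl rather than just stripping bytes, because a key whose base64 body was damaged by the hidden characters is better rejected here than discovered by the appliance; check_certkey reports a passphrase-protected key as its own case because the appliance's error message does not distinguish the two.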

Binding the Certificates and Profiles

GUI

Select the Content Switching Virtual Server that you want to bind the SSL certificate to by going to Configuration >> Traffic Management >> Content Switching >> Virtual Servers and then selecting the virtual server and clicking on "edit".

[SSL Termination on Citrix NetScaler, image 8]

On the far right under "Advanced Settings" in the new window click on "Certificates" to add the menu option to the pane on the left. Then select "Server Certificate" and add your certificate. Click bind and then continue.

[SSL Termination on Citrix NetScaler, image 9]

CLI

Binding the SSL certificate is a one line command in the CLI. Confirm the result with show ssl vserver <vServerName>, which lists the bound certKey along with the profile or ciphers in effect.

Bind the certKey to the VIP

bind ssl vserver <vServerName> -certkeyName <certkeyName>

- sample -

bind ssl vserver CS_198.61.138.199_443 -certkeyName wild.nglab.example.corp

Updating SSL Ciphers with an SSL profile

SECURE SSL profile

Starting with release 12.1, Citrix includes an SSL profile named "ns_default_ssl_profile_secure_frontend" that is designed to get an A+ rating on SSL Labs. It can be used in lieu of the more permissive SSLPROF_RAX_DEFAULT profile if the customer requires the additional security or the A+ rating. Read the dump below before binding it: TLS 1.0 and 1.1 are disabled, so clients that cannot negotiate TLS 1.2 will fail to connect; HSTS is enabled with a max-age of 15552000 seconds (180 days) and includeSubDomains, so once a browser has seen that header the hostname and all of its subdomains are HTTPS-only for that period, and the profile should not be bound to a name that still needs plain HTTP anywhere; and SNI is disabled, so a virtual server that serves more than one certificate needs a copy of the profile with SNI enabled.

SECURE SSL Profile

LB-NETSCALER-Primary> show ssl profile ns_default_ssl_profile_secure_frontend
1) Name: ns_default_ssl_profile_secure_frontend (Front-End)
SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Client Auth: DISABLED
Use only bound CA certificates: DISABLED Strict CA checks: NO
Session Reuse: ENABLED Timeout: 120 seconds
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Deny SSL Renegotiation NONSECURE Non FIPS Ciphers: DISABLED
Cipher Redirect: DISABLED SSL Redirect: DISABLED Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
Push Encryption Trigger: Always
PUSH encryption trigger timeout: 1 ms
SNI: DISABLED
OCSP Stapling: DISABLED
Strict Host Header check for SNI enabled SSL sessions: NO
Push flag: 0x0 (Auto)
SSL quantum size: 8 kB Encryption trigger timeout 100 mS Encryption trigger packet count: 45
Subject/Issuer Name Insertion Format: Unicode
SSL Interception: DISABLED
SSL Interception OCSP Check: ENABLED
SSL Interception End to End Renegotiation: ENABLED
SSL Interception Maximum Reuse Sessions per Server: 10
Session Ticket: DISABLED HSTS: ENABLED
HSTS IncludeSubDomains: YES HSTS Max-Age: 15552000
ECC Curve: P_256, P_384, P_224, P_521
1) Cipher Name: SECURE Priority :2
Description: Predefined Cipher Alias
Done

GUI

First you need to create an SSL profile with the desired cipher list. Navigate to Configuration >> System >> Profiles >> SSL Profile and click "Add".

[SSL Termination on Citrix NetScaler, image 10]

In the new window add your desired name and select any options that you want. SSL protocols and SNI settings are toward the bottom. Then click "OK" at the bottom. Halfway down the next window you will see SSL ciphers. Click on the pencil "edit" button on the right.

[SSL Termination on Citrix NetScaler, image 11]

Click on the "add" button with the green cross that pops up and you will be presented with a window that allows you to add whatever ciphers you need. You can add an entire group or just a few specific ciphers. The Example kick will come with a group for recommended defaults. Add your ciphers to the configured list on the right and remove any you do not want. Then click "OK".

[SSL Termination on Citrix NetScaler, image 12]

Apply the SSL profile by going to Configuration >> Traffic Management >> Content Switching >> Virtual Servers and then selecting your virtual server and clicking "edit".

[SSL Termination on Citrix NetScaler, image 13]

On the edit screen click the pencil "edit" button to the right of the SSL profile section and then select your new profile via the drop down box. Click "OK" and then "Done".

[SSL Termination on Citrix NetScaler, image 14]

CLI

Creating SSL profiles via the CLI may not be feasible in all situations, as you need to know exactly which cipher strings or groups you want to add as well as any other options you want to enable or disable. show ssl cipher lists the available cipher groups and aliases, and show ssl cipher <alias> lists the ciphers each one contains.

Create SSL Profile

add ssl profile <name> [options]

bind ssl profile <name> -cipherName <string> -cipherPriority <positive_integer>

- sample -

add ssl profile SSL_TEST_PROFILE -sessReuse ENABLED -sessTimeout 120

bind ssl profile SSL_TEST_PROFILE -cipherName HIGH -cipherPriority 1

bind ssl profile SSL_TEST_PROFILE -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 2

bind ssl profile SSL_TEST_PROFILE -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 3

This sample only illustrates the syntax. The two explicit ciphers are static-RSA CBC suites (TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA256) with no forward secrecy, and the HIGH group also contains static-RSA suites. A profile meant to match the secure profile shown above should bind SECURE, or the TLS1.2-ECDHE-* ciphers (and TLS1.3-* where the release supports them), and disable the old protocols with -tls1 DISABLED -tls11 DISABLED.

Adding the SSL profile to the VIP is a one line command. Per-virtual-server SSL profiles are only available once default SSL profiles have been enabled globally with set ssl parameter -defaultProfile ENABLED; until then -sslProfile is not accepted and ciphers are bound to the virtual server directly (bind ssl vserver <vServerName> -cipherName <string>). Enabling the default profile is itself a change to every existing SSL virtual server, since each one then receives ns_default_ssl_profile_frontend, so do it in a maintenance window.

Bind the SSL profile to the Virtual Server

set ssl vserver <vServerName> -sslProfile <name>

- sample -

set ssl vserver CS_198.61.138.199_443 -sslProfile SSL_TEST_PROFILE
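The settings in the secure profile dump above and the cipher choices in this CLI section can be checked mechanically from the output of show ssl profile <name>. The script below is an added example by the page editor, not a Citrix tool: it reads pasted show ssl profile output in the format shown on this page, flags the protocol, HSTS, renegotiation and cipher settings that differ from the secure profile, and prints the set/unbind ssl profile command that closes each gap. The policy thresholds, the cipher allow-list (SECURE, ECDHE, TLS1.2-ECDHE-*, TLS1.3-*) and the names audit_profile and p.txt are the example's own choices.

```shell
#!/bin/sh
# Audit `show ssl profile <name>` output against a minimum front-end policy
# derived from ns_default_ssl_profile_secure_frontend as shown on this page.
# Added example (page editor), not a Citrix tool. Assumes: POSIX sh, grep, awk.
# Usage: on the NetScaler, `show ssl profile SSL_TEST_PROFILE > p.txt`, then
#        sh audit_profile.sh p.txt SSL_TEST_PROFILE

# audit_profile FILE NAME: prints a FINDING line and the remediation command
# for each gap; returns the number of findings (0 = profile meets the policy).
audit_profile() {
    f=$1; name=$2; n=0
    flag() { echo "FINDING: $1"; echo "   fix: $2"; n=$((n + 1)); }

    # Protocol versions. The dump puts all of them on one line, so match tokens.
    grep -q 'SSLv3: ENABLED'    "$f" && flag "SSLv3 enabled"    "set ssl profile $name -ssl3 DISABLED"
    grep -q 'TLSv1.0: ENABLED'  "$f" && flag "TLS 1.0 enabled"  "set ssl profile $name -tls1 DISABLED"
    grep -q 'TLSv1.1: ENABLED'  "$f" && flag "TLS 1.1 enabled"  "set ssl profile $name -tls11 DISABLED"
    grep -q 'TLSv1.2: DISABLED' "$f" && flag "TLS 1.2 disabled" "set ssl profile $name -tls12 ENABLED"

    # HSTS with the secure profile's 180-day max-age.
    grep -q 'HSTS: DISABLED' "$f" && flag "HSTS off" "set ssl profile $name -HSTS ENABLED -maxage 15552000"

    # "Deny SSL Renegotiation NO " (value NO followed by the next field) means
    # insecure renegotiation is allowed; NONSECURE and ALL are acceptable.
    grep -q 'Deny SSL Renegotiation NO ' "$f" && \
        flag "insecure renegotiation allowed" "set ssl profile $name -denySSLReneg NONSECURE"

    # Every bound cipher or group outside the allow-list is flagged. Static-RSA
    # suites (TLS1-AES-256-CBC-SHA, TLS1.2-AES-256-SHA256) and the HIGH group,
    # which contains such suites, all land here.
    for c in $(awk -F'Cipher Name: ' '/Cipher Name:/ { split($2, a, " "); print a[1] }' "$f"); do
        case "$c" in
            SECURE|ECDHE|TLS1.2-ECDHE-*|TLS1.3-*) ;;
            *) flag "cipher/group $c bound (not in allow-list)" "unbind ssl profile $name -cipherName $c" ;;
        esac
    done
    return $n
}

if [ "$#" -eq 2 ]; then
    audit_profile "$1" "$2"
    echo "$? finding(s)"
fi
```

The remediation lines are printed rather than executed on purpose: unbinding a cipher group from a live profile changes what every virtual server using that profile will negotiate, so review the list and apply it from the NetScaler CLI (or a batch file) in a window.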

Reference Links

ssl certKey:

https://developer-docs.citrix.com/projects/netscaler-command-reference/en/12.0/ssl/ssl-certkey/ssl-certkey/

Secure Profile:

https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-profiles/secure-front-end-profile.html

Invalid Private Key Error:

https://support.citrix.com/article/CTX134233