2013 Citrix Systems, Inc. All rights reserved.
Modifying and Monitoring Certificates and Keys

To avoid downtime when replacing a certificate-key pair, you can update an existing certificate. If you want to replace a certificate with a certificate that was issued to a different domain, you must disable domain checks before updating the certificate. To receive notifications about certificates due to expire, you can enable the expiry monitor.
Updating an Existing Server Certificate
When you remove or unbind a certificate from a configured SSL virtual server, or an SSL service, the virtual server or service becomes inactive until a new valid certificate is bound to it. To avoid downtime, you can use the update feature to replace a certificate-key pair that is bound to an SSL virtual server or an SSL service, without first unbinding the existing certificate.
To update an existing certificate-key pair by using the NetScaler command line

At the NetScaler command prompt, type the following commands to update an existing certificate-key pair and verify the configuration:

Example

-key /nsconfig/ssl/pkey.pem
Done
> show ssl certkey siteAcertkey
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
Done
Parameters for updating an existing certificate-key pair

certkeyName: The name of the certificate-key pair that you want to update with a new certificate, a new key, or both.

cert: The name of the new certificate with which you want to update the certificate-key pair.

key: The name of the new private key with which you want to update the existing certificate-key pair.

Note: The new certificate and key must be in local storage on the NetScaler. If the files are not stored in the default /nsconfig/ssl folder, provide the absolute path to the files.
To update an existing certificate-key pair by using the configuration utility

1. In the navigation pane, expand SSL, and then click Certificates.
2. Select the certificate you want to update, and then click Update.
3. Use the Browse button next to the Certificate File Name and the Key File Name fields to select the new certificate and key files, respectively.
4. If the key is encrypted, in the Password text box, type the password used to encrypt the key.
5. Click OK.

In the SSL Certificates pane, select the certificate that you just updated and verify that the settings displayed at the bottom of the screen are correct.
Disabling Domain Checks
When an SSL certificate is replaced on the NetScaler, the domain name mentioned on the new certificate should match the domain name of the certificate being replaced. For example, if you have a certificate issued to abc.com, and you are updating it with a certificate issued to def.com, the certificate update fails. However, if you want the server that has been hosting a particular domain to now host a new domain, you can disable the domain check before updating its certificate.
To disable the domain check for a certificate by using the NetScaler command line

At the NetScaler command prompt, type the following commands to disable the domain check and verify the configuration:
update ssl certKey <certkeyName> -noDomainCheck
show ssl certKey <certkeyName>
Example
> update ssl certKey sv -noDomainCheck
Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky
Format: PEM
Status: Valid, Days to expiration:9349
Certificate Expiry Monitor: DISABLED
Done
To disable the domain check for a certificate by using the configuration utility

1. In the navigation pane, expand SSL, and then click Certificates.
2. Select the certificate you want to update, and then click Update.
3. Select No Domain Check, and then click OK.

The domain check for the certificate is now disabled.
Enabling the Expiry Monitor
An SSL certificate is valid for a specific period of time. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. An expiry monitor configured on the NetScaler appliance creates entries in the appliance's syslog and nsaudit logs when a certificate configured on the appliance is due to expire. If you want to create SNMP alerts for certificate expiration, you must configure them separately. For information about monitoring on the NetScaler, see .
To enable an expiry monitor for a certificate by using the NetScaler command line

At the NetScaler command prompt, type the following commands to enable an expiry monitor for a certificate and verify the configuration:

set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]
show ssl certKey <certkeyName>
Example
> set ssl certKey sv -expiryMonitor ENABLED -notificationPeriod 60
Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky
Format: PEM
Status: Valid, Days to expiration:9349
Certificate Expiry Monitor: ENABLED
Expiry Notification period: 60 days
Done
Parameters for enabling an expiry monitor

certKeyName: The name of the certificate-key pair whose expiry monitor is being configured.

expiryMonitor: Enable or disable the expiry monitor for the certificate-key pair.

notificationPeriod: The number of days in advance that the NetScaler should warn about a certificate that is about to expire.
To enable an expiry monitor for a certificate by using the configuration utility

1. In the navigation pane, expand SSL, and then click Certificates.
2. Select the certificate you want to update, and then click Update.
3. Select the Enable option.
4. In the Notification Period text box, type the required notification period value.
   Note: The notification period parameter can be set to any value between 10 and 100 days; the default notification period is 30 days.
5. Click OK.

In the SSL Certificates pane, select the certificate that you just configured and verify that the settings displayed at the bottom of the screen are correct.
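The domain check and the expiry monitor described above both operate on information that `show ssl certkey` already reports (the certificate Subject, the days to expiration, the monitor state and the notification period). The following script is an added example, not Citrix code and not part of the original page: it parses that output as captured from the appliance, models the domain check as a case-insensitive comparison of the Subject CN of the bound and replacement certificates, and audits every certificate-key pair for a disabled expiry monitor or an expiration date inside the notification period. The sample output is constructed to match the format shown in this document (the 20-day expiry on siteAcertkey and the CN values are invented for the example); the exact matching rule the appliance uses is not described on the page, so the CN comparison is an assumption, and the 10 to 100 day range and 30-day default come from the configuration utility note above.

```python
"""Offline audit of NetScaler `show ssl certkey` output (added example, not Citrix code)."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the output format documented for `show ssl certkey`.
# The 20-day expiry and the CN values are invented for this example.
SAMPLE_OUTPUT = """\
> show ssl certkey siteAcertkey
Name: siteAcertkey
Status: Valid, Days to expiration:20
Subject: /C=US/ST=CA/L=San Jose/O=siteA/OU=Security/CN=abc.com
Certificate Expiry Monitor: ENABLED
Expiry Notification period: 60 days
Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Status: Valid, Days to expiration:9349
Subject: /C=US/O=Example/CN=def.com
Certificate Expiry Monitor: DISABLED
Done
"""

DEFAULT_NOTIFICATION_DAYS = 30     # default stated in the documentation
NOTIFICATION_RANGE = (10, 100)     # permitted range stated in the documentation

# "Field name: value" lines; prompt lines (">") and "Done" do not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_certkeys(output: str) -> Dict[str, Dict[str, str]]:
    """Return {certkey name: {field: value}}; a new record starts at each 'Name:' line."""
    records: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":
            current = records.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return records


def subject_cn(subject: str) -> Optional[str]:
    """Extract the CN from a '/C=US/.../CN=host' subject string (lower-cased)."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:].strip().lower()
    return None


def domain_matches(bound_subject: str, new_subject: str) -> bool:
    """Assumed model of the appliance's domain check: the replacement certificate's
    CN must equal the bound certificate's CN. An update that fails this check needs
    -noDomainCheck, which is what the documentation describes for abc.com -> def.com."""
    old, new = subject_cn(bound_subject), subject_cn(new_subject)
    return old is not None and new is not None and old == new


def days_to_expiration(record: Dict[str, str]) -> Optional[int]:
    """Read 'Days to expiration:N' out of the Status field."""
    m = re.search(r"Days to expiration:\s*(\d+)", record.get("Status", ""))
    return int(m.group(1)) if m else None


def notification_days(record: Dict[str, str]) -> int:
    """Configured notification period, or the documented default when none is shown."""
    m = re.search(r"(\d+)", record.get("Expiry Notification period", ""))
    return int(m.group(1)) if m else DEFAULT_NOTIFICATION_DAYS


def validate_notification_period(days: int) -> bool:
    """True when a requested -notificationPeriod lies in the documented 10..100 range."""
    low, high = NOTIFICATION_RANGE
    return low <= days <= high


def audit_expiry(records: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag certkeys with the monitor off, or already inside their notification window."""
    findings: List[str] = []
    for name, rec in records.items():
        if rec.get("Certificate Expiry Monitor", "").upper() != "ENABLED":
            findings.append(f"{name}: expiry monitor disabled")
        days, period = days_to_expiration(rec), notification_days(rec)
        if days is not None and days <= period:
            findings.append(f"{name}: expires in {days} days (<= {period}-day notification period)")
    return findings


if __name__ == "__main__":
    certkeys = parse_certkeys(SAMPLE_OUTPUT)
    for finding in audit_expiry(certkeys):
        print(finding)
    print("domain check abc.com -> def.com passes:",
          domain_matches(certkeys["siteAcertkey"]["Subject"], certkeys["sv"]["Subject"]))
```

Feed the script the saved output of `show ssl certkey` for all certificate-key pairs; a certkey reported with the monitor disabled produces no syslog or nsaudit entry when it nears expiry, so the audit is the place to catch pairs that were added without `-expiryMonitor ENABLED`.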