Modifying and Monitoring Certificates

Published on December 2016 | Categories: Documents | Downloads: 25 | Comments: 0 | Views: 119
Modifying and Monitoring Certificates and Keys

2013-06-29 21:41:28 UTC
© 2013 Citrix Systems, Inc. All rights reserved. Terms of Use | Trademarks | Privacy Statement

Modifying and Monitoring Certificates and Keys
To avoid downtime when replacing a certificate-key pair, you can update an existing
certificate. If you want to replace a certificate with a certificate that was issued to a
different domain, you must disable domain checks before updating the certificate.
To receive notifications about certificates due to expire, you can enable the expiry
monitor.

Updating an Existing Server Certificate
When you remove or unbind a certificate from a configured SSL virtual server, or an SSL
service, the virtual server or service becomes inactive until a new valid certificate is bound
to it. To avoid downtime, you can use the update feature to replace a certificate-key pair
that is bound to an SSL virtual server or an SSL service, without first unbinding the existing
certificate.

To update an existing certificate-key pair by using the
NetScaler command line
At the NetScaler command prompt, type the following commands to update an existing
certificate-key pair and verify the configuration:


update ssl certkey <certkeyName> -cert <string> -key <string>
show ssl certKey <certkeyName>

Example

> update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
Done
> show ssl certkey siteAcertkey
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
Done

Parameters for updating an existing certificate-key pair
certkeyName
The name of the certificate key pair that you want to update with a new certificate or a
new key, or both.
cert
The name of the new certificate with which you want to update the certificate key pair.
key
The name of the private key with which you want to update an existing certificate key
pair.
Note: The new certificate and key should be in local storage on the NetScaler. If the files
are not stored in the default /nsconfig/ssl folder, provide the absolute path to the files.

To update an existing certificate-key pair by using the
configuration utility
1. In the navigation pane, expand SSL, and then click Certificates.
2. Select the certificate you want to update, and then click Update.
3. Use the Browse button next to the Certificate File name and the Key File name and
select the new certificate and key files respectively.
4. If the key is encrypted, in the Password text box, type the password used to encrypt
the key.
5. Click OK. In the SSL Certificates pane, select the certificate that you just updated and
verify that the settings displayed at the bottom of the screen are correct.

Disabling Domain Checks
When an SSL certificate is replaced on the NetScaler, the domain name mentioned on the
new certificate should match the domain name of the certificate being replaced. For
example, if you have a certificate issued to abc.com, and you are updating it with a
certificate issued to def.com, the certificate update fails.
However, if you want the server that has been hosting a particular domain to now host a
new domain, you can disable the domain check before updating its certificate.

To disable the domain check for a certificate by using the
NetScaler command line
At the NetScaler command prompt, type the following commands to disable the domain
check and verify the configuration:


update ssl certKey <certkeyName> -noDomainCheck
show ssl certKey <certkeyName>

Example

> update ssl certKey sv -noDomainCheck
Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky
Format: PEM
Status: Valid, Days to expiration:9349
Certificate Expiry Monitor: DISABLED
Done

To disable the domain check for a certificate by using the
configuration utility
1. In the navigation pane, expand SSL, and then click Certificates.
2. Select the certificate you want to update, and then click Update.
3. Select No Domain Check, and then click OK. The domain check for the certificate is now
disabled.

Enabling the Expiry Monitor
An SSL certificate is valid for a specific period of time. A typical deployment includes
multiple virtual servers that process SSL transactions, and the certificates bound to them
can expire at different times. An expiry monitor configured on the NetScaler appliance
creates entries in the appliance's syslog and nsaudit logs when a certificate configured on
the appliance is due to expire.
If you want to create SNMP alerts for certificate expiration, you must configure them
separately.
For information about monitoring on the NetScaler, see .

To enable an expiry monitor for a certificate by using the
NetScaler command line
At the NetScaler command prompt, type the following commands to enable an expiry
monitor for a certificate and verify the configuration:


set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]
show ssl certKey <certkeyName>

Example

> set ssl certKey sv -expiryMonitor ENABLED -notificationPeriod 60
Done
> show ssl certkey sv
Name: sv
Cert Path: /nsconfig/ssl/complete/server/server_rsa_512.pem
Key Path: /nsconfig/ssl/complete/server/server_rsa_512.ky
Format: PEM
Status: Valid, Days to expiration:9349
Certificate Expiry Monitor: ENABLED
Expiry Notification period: 60 days
Done

Parameters for enabling an expiry monitor
certKeyName
The name of the certificate-key pair whose expiry monitor is configured.
expiryMonitor
Enable or disable the expiry monitor for the certificate-key pair.
notificationPeriod
The number of days in advance that the NetScaler should warn about a certificate that is
about to expire.

To enable an expiry monitor for a certificate by using the
configuration utility
1. In the navigation pane, expand SSL, and then click Certificates.
2. Select the certificate you want to update, and then click Update.
3. Select the Enable option.
4. In the Notification Period text box, type the required notification period value.
Note: The notification period parameter can be set to any value between 10 and 100
days and the default notification period is 30 days.
5. Click OK. In the SSL Certificates pane, select the certificate that you just configured
and verify that the settings displayed at the bottom of the screen are correct.
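The expiry monitor only writes to the appliance's syslog and nsaudit logs, so an external check over `show ssl certkey` output is a useful complement; the script below is an added example, not Citrix code, that parses both output shapes shown above (a Validity block, or "Days to expiration") and flags certificates expiring within the 30-day default notification period, certkeys with the monitor disabled, and the MD5 signature and 1024-bit key visible in the first example. SAMPLE_OUTPUT is constructed from the documented format, and the 2048-bit and MD5/SHA-1 thresholds are this example's assumptions.

```python
# Added example, not from the Citrix documentation: parse `show ssl certkey` output
# and flag what a defender should act on. SAMPLE_OUTPUT is constructed from the docs.
import re
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
> show ssl certkey siteAcertkey
Name: siteAcertkey
Status: Valid
Signature Algorithm: md5WithRSAEncryption
Not After: Aug 7 14:58:18 2004 GMT
Public Key size: 1024
Done
> show ssl certkey sv
Name: sv
Status: Valid, Days to expiration:9349
Certificate Expiry Monitor: DISABLED
Done
"""

def parse_certkeys(text):
    """One dict of 'Field: value' pairs per certkey, started by each 'Name:' line."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Name:"):
            cur = {}
            entries.append(cur)
        if cur is not None and ":" in line and not line.startswith(">"):
            key, _, val = line.partition(":")  # split on the first colon only, so
            cur[key.strip()] = val.strip()     # 'Days to expiration:9349' survives
    return entries

def days_to_expiry(entry, now):
    """Days left, from 'Days to expiration:N' or, failing that, the 'Not After' date."""
    m = re.search(r"Days to expiration:\s*(\d+)", entry.get("Status", ""))
    if m:
        return int(m.group(1))
    if "Not After" in entry:
        exp = datetime.strptime(entry["Not After"], "%b %d %H:%M:%S %Y GMT")
        return (exp.replace(tzinfo=timezone.utc) - now).days

def findings(entry, now, warn_days=30):
    """Issues for one certkey; warn_days mirrors the appliance's 30-day default."""
    days = days_to_expiry(entry, now)
    sig = entry.get("Signature Algorithm", "").lower()
    checks = [
        (days is not None and days <= warn_days, f"expires in {days} days"),
        (entry.get("Certificate Expiry Monitor") == "DISABLED", "expiry monitor disabled"),
        (sig.startswith(("md5", "sha1")), f"weak signature algorithm: {sig}"),
        (0 < int(entry.get("Public Key size", 0)) < 2048, "RSA key shorter than 2048 bits"),
    ]
    return [msg for hit, msg in checks if hit]
```

Feed it the saved output of `show ssl certkey` for every certkey on the appliance and raise a ticket or SNMP trap for any non-empty findings list, which is the alerting the appliance's own monitor does not provide.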
