
Replacing default certificates for management on SDX NetScaler (14030 FIPS) appliances


Hi there, I have had a search around for this topic but cannot find a definitive answer so maybe someone could point me in the right direction please.

We currently have several SDXs which themselves will be running multiple VPX instances. Some of these VPX instances are configured with FIPS.

We have read the best practice not to use the default installed cert/key pair but to generate/obtain your own. So we are planning to create a key pair/CSR from each VPX instance to be signed by our own internal CA and then upload the certificate back to replace the default.

With regard to the SDX/SVM, we will also replace its default certificate/key pair by using a NetScaler VM instance to generate the CSR and keys. The question is: should we use the CSR and keys from a non-FIPS VM instance or from a FIPS VM instance?

Thanks for reading and I appreciate any feedback.
The key file, CSR file and Certificate file are the same, whether used on a FIPS or non-FIPS appliance.

From a practical perspective, if you create a key file within a FIPS instance, you cannot export that key (although it is quite possible to import an external key into a FIPS instance - but if the current FIPS hardware is anything like the previous generation, you may need to decrypt the key file - use OpenVPN). So, to get a key file for an SDX, you can't use a FIPS NetScaler; you'll need to use another way.

For your SDX, you can either generate the key / CSR on a (non-FIPS) VPX as you suggest, or just use your certificate-generating system to create the key, CSR and cert, and import the key & cert.


You can still create RSA key files and generate a CSR using a non-FIPS key. These just can't be installed for use on the FIPS-enabled VPX unless you import that RSA key file into a wrapped FIPS key.

You CAN generate the key file and your CSR on a FIPS-enabled VPX, then download the key file for import into the SDX SVM. See the high-level steps below:

For certificates intended to secure the SDX Service VM (SVM), you will need the RSA private key file and the PKCS#7 certificate public key file. Below are some high-level steps.

1. On an ADC, navigate to Traffic Management / SSL (this is where you will find the links for executing steps 2, 3, and 4).
2. Create the RSA key file (from step 1, click on "Create RSA Key" under the SSL Keys section).
3. Create the CSR (using non-FIPS key) and select the RSA key file created in step 2 (from step 1, click on "Create CSR (using non-FIPS key)" under the SSL Certificates section).
4. Manage Certificates / Keys / CSRs (from step 1, click on "Manage Certificates / Keys / CSRs" under the Tools section).
5. View the CSR.
6. Copy the text and submit it to the certificate authority.
7. Download the key file for uploading to the SVM after the certificate has been signed by the certificate authority.

On 6/22/2018 at 7:11 PM, Paul Blitz said:

The key file, CSR file and Certificate file are the same, whether used on a FIPS or non-FIPS appliance.

From a practical perspective, if you create a key file within a FIPS instance, you cannot export that key (although it is quite possible to import an external key into a FIPS instance - but if the current FIPS hardware is anything like the previous generation, you may need to decrypt the key file - use OpenVPN). So, to get a key file for an SDX, you can't use a FIPS NetScaler; you'll need to use another way.

For your SDX, you can either generate the key / CSR on a (non-FIPS) VPX as you suggest, or just use your certificate-generating system to create the key, CSR and cert, and import the key & cert.
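The thread's advice boils down to: produce an ordinary (non-FIPS) RSA key and CSR off the FIPS hardware, get the CSR signed by the internal CA, and upload an unencrypted PEM key plus the signed certificate to the SDX SVM. The script below is an added example, not code from the thread or from Citrix, showing the same workflow done with OpenSSL on a workstation instead of the ADC GUI, with the checks a practitioner wants before touching the SVM: the CSR really belongs to the key, the CSR signature verifies, and the key file is unencrypted (the "decrypt the key file" step Paul mentions). It assumes `openssl` 1.1.1 or later is on the PATH; the hostname `svm.example.internal` and the passphrase used in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an RSA key and CSR for the SDX
# Service VM with OpenSSL and sanity-check them before upload.
# Assumptions: openssl >= 1.1.1 in PATH; SVM_FQDN below is a placeholder.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SVM_FQDN="${SVM_FQDN:-svm.example.internal}"   # placeholder, not from the thread

# Step 2 equivalent: unencrypted 2048-bit RSA key. The SVM upload wants a plain
# PEM key, so no -aes256 here. Restrict the file mode immediately.
gen_key() {
    openssl genrsa -out "$WORKDIR/svm.key" 2048 2>/dev/null || return 1
    chmod 600 "$WORKDIR/svm.key"
}

# Step 3 equivalent: CSR bound to that key, with a SAN so modern clients accept
# the resulting certificate. Submit $WORKDIR/svm.csr to the internal CA.
gen_csr() {
    openssl req -new -key "$WORKDIR/svm.key" -out "$WORKDIR/svm.csr" \
        -subj "/CN=$SVM_FQDN" \
        -addext "subjectAltName=DNS:$SVM_FQDN" 2>/dev/null
}

# Step 5 equivalent: show the PEM text that gets pasted into the CA request form.
show_csr() {
    cat "$WORKDIR/svm.csr"
}

# Check 1: CSR public modulus must equal the key's modulus. Catches uploading a
# key that does not belong to the certificate the CA sends back.
key_csr_match() {
    k=$(openssl rsa -in "$WORKDIR/svm.key" -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$WORKDIR/svm.csr" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the CSR's self-signature verifies (the file was not corrupted in copy/paste).
csr_verifies() {
    openssl req -in "$WORKDIR/svm.csr" -noout -verify >/dev/null 2>&1
}

# Check 3: the key file is not passphrase-protected. Matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# If the key came from elsewhere with a passphrase, strip it before upload.
# $1 = encrypted PEM, $2 = passphrase, $3 = output path
decrypt_key() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null && chmod 600 "$3"
}

# Once the CA returns the certificate: confirm it matches the key before upload.
# $1 = certificate PEM path
cert_key_match() {
    k=$(openssl rsa -in "$WORKDIR/svm.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    gen_key && gen_csr || { echo "key/CSR generation failed" >&2; return 1; }
    key_csr_match || { echo "CSR does not match key" >&2; return 1; }
    csr_verifies || { echo "CSR signature invalid" >&2; return 1; }
    key_is_unencrypted "$WORKDIR/svm.key" || { echo "key is encrypted; run decrypt_key first" >&2; return 1; }
    echo "Key: $WORKDIR/svm.key (upload to SVM after the cert is issued)"
    echo "CSR to submit to the CA:"
    show_csr
}

main
```

Run it as-is to get a key and CSR in a temp directory; after the CA returns the certificate, call `cert_key_match /path/to/svm.crt` before uploading the pair to the SVM. The key file never leaves the workstation encrypted-at-rest in this flow, so treat `$WORKDIR` as sensitive and delete it once the SVM upload succeeds.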
