
SHA256 4096 SSL Cert on NetScaler (11) and IIS (6.2)



I have a client who has a NetScaler 11 and IIS (6.2) StoreFront server. He got a new SSL Cert which is SHA256 4096 bit.

 

Everything works fine on the NetScaler and on IIS, but when we access the site externally and pass through the NetScaler internally, the internal end does not load. I just get a "connection reset" error.

 

I assume it is because of the SSL Cert. I changed the internal to be just HTTP for now and users can log in and access desktops and apps.

 

Is there a fix for this? Or do I need to have my client go back to a SHA256 2048 Cert?


Hello,

 

Are you using a VPX?

 

If so, it's probably because of your certificate at 4096 bits.

 

You could have a look here: https://support.citrix.com/article/CTX206268

 

 

2048-bit client certificate (if client authentication is enabled on the virtual server)

 

Thanks

Arnaud


Yes, it is a VPX.

 

Thank you for the link. I read through that and now have more questions. It states a VPX appliance supports a 4096-bit server certificate on the virtual server, which I have set. It also states a 4096-bit certificate on the back-end server, which is what this configuration is. The back-end server is an IIS/StoreFront server.

 

There is authentication, but that's AD Integration, so I'm thoroughly confused as to what is actually supported.

 

Furthermore, I see that it states, From release 11.0, the default certificate on a NetScaler appliance is 2048-bits. Does that mean that a v11 VPX only supports 2048-bit?

 

I'm thinking that's what it means, especially since this VPX does not have any SSL chip assigned to it that I know of.

 

Thanks for the assistance Arnaud!


8 minutes ago, Roberto Perez1709157566 said:

Yeah, I agree.

 

That's what I'm leaning toward as well. I checked the NetScaler and the two previous SSL certs were 2048 and they had no issues with them.

 

Not until yesterday when they put the new 4096-bit certificate.

 

Thanks for the assist!

 

You're welcome.

 

Please update if switching back to a 2048-bit certificate solves the issue, and mark the question as answered.

 

Thanks

Arnaud
