
New SSL certificate using the same name as the old certificate: will the NetScaler fail to recognize that the certificate has been updated?


sam wang1709161204


The SSL certificate is going to expire. I would like to renew the SSL certificate and prefer to continue using the same name as the old certificate. But my friend told me this won't work: because the certificate's name is the same as the old one, the NetScaler will not recognize that the certificate has been updated, although the old .cer and .key have been replaced by the new ones at /nsconfig/ssl/. If it is like what my friend said, can I use a command to refresh, so the NetScaler will recognize that it has reloaded the new certificate?


slb1a(Primary)> sh run | grep vs-eaa6200
   add lb vserver vs-eaa6200 SSL 10.1.1.1 443 -persistenceType NONE -lbMethod ROUNDROBIN -cltTimeout 180 -netProfile vs-prd2-nat -icmpVsrResponse ACTIVE
  bind lb vserver vs-eaa6200 sg-estcp-443
   set ssl vserver vs-eaa6200 -ssl3 DISABLED -tls11 DISABLED -tls12 DISABLED
  bind ssl vserver vs-eaa6200 -certkeyName cert-test2009
  bind ssl vserver vs-eaa6200 -eccCurveName P_256
  bind ssl vserver vs-eaa6200 -eccCurveName P_384
  bind ssl vserver vs-eaa6200 -eccCurveName P_224
  bind ssl vserver vs-eaa6200 -eccCurveName P_521


slb1a(Primary)> sh run | grep cert-test2009
   add ssl certKey cert-test2009 -cert eaaSSL.cer -key eaaSSL.key -passcrypt "wdsfdsajlk23klkjl6j"
  link ssl certKey cert-test2009 ica-cert2.cer
  bind ssl vserver vs-eaa6200 -certkeyName cert-test2009


I've generated a few hundred SSL certificates over the past 20 years for clients, and many of them were renewals for NetScalers with the same name as the original.

While the name (FQDN) may be the same, the Thumbprints and expiration dates will be different. There is absolutely no problem using the same name.

As an aside, I prefer to generate my CSRs on a Windows IIS server, and, after merging the certificate from the CA with the private key, exporting the pair and then importing it onto the NetScaler. This is especially true when generating wildcard certificates, since I can more easily copy them to other servers.


11 hours ago, Sam Jacobs said:

I've generated a few hundred SSL certificates over the past 20 years for clients, and many of them were renewals for NetScalers with the same name as the original.

While the name (FQDN) may be the same, the Thumbprints and expiration dates will be different. There is absolutely no problem using the same name.

As an aside, I prefer to generate my CSRs on a Windows IIS server, and, after merging the certificate from the CA with the private key, exporting the pair and then importing it onto the NetScaler. This is especially true when generating wildcard certificates, since I can more easily copy them to other servers.

 

9 hours ago, Mihai Cziraki1709160741 said:

You could use this:

update ssl certKey cert-test2009 -cert newSSL.cer -key newSSL.cer  -password xxxxxxxx

 

Thank you very much!!! Those comments are very useful for me.

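Since the certKey name and file names stay the same across a renewal, the thumbprint is what shows which certificate the vserver is actually presenting. The following is an added example, not code from any poster in this thread; the function names are hypothetical, and it assumes the old and new certificates are available as PEM files (for instance, copies of the old and new eaaSSL.cer).

```python
"""Check which certificate a TLS endpoint serves after a same-name renewal."""
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_file_to_der(path: str) -> bytes:
    """Return the first PEM certificate in a file as DER (assumes PEM, not DER, on disk)."""
    with open(path, "r", encoding="ascii") as fh:
        text = fh.read()
    begin = text.index(PEM_BEGIN)
    end = text.index(PEM_END, begin) + len(PEM_END)
    return ssl.PEM_cert_to_DER_cert(text[begin:end])


def served_der(host: str, port: int = 443, sni=None, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the endpoint presents.

    Chain validation is off on purpose: the result is only compared
    against thumbprints of certificates we already hold.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(old_der: bytes, new_der: bytes, served: bytes) -> str:
    """Say which certificate is being served, by thumbprint rather than by name."""
    old_tp, new_tp, live_tp = (thumbprint(c) for c in (old_der, new_der, served))
    if old_tp == new_tp:
        return "file-not-replaced"   # the "new" file is byte-identical to the old one
    if live_tp == new_tp:
        return "serving-new"
    if live_tp == old_tp:
        return "serving-old"         # appliance has not picked up the renewal yet
    return "serving-unknown"         # neither file matches what is on the wire
```

Typical use is `classify(pem_file_to_der(old_path), pem_file_to_der(new_path), served_der("10.1.1.1"))`, run from a client whose TLS library shares a protocol version with the vserver.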

On 9/6/2019 at 12:17 AM, Sam Jacobs said:

I've generated a few hundred SSL certificates over the past 20 years for clients, and many of them were renewals for NetScalers with the same name as the original.

While the name (FQDN) may be the same, the Thumbprints and expiration dates will be different. There is absolutely no problem using the same name.

As an aside, I prefer to generate my CSRs on a Windows IIS server, and, after merging the certificate from the CA with the private key, exporting the pair and then importing it onto the NetScaler. This is especially true when generating wildcard certificates, since I can more easily copy them to other servers.

 

I have also used IIS to generate certificates, and newer versions of NetScalers seem to support PFX files directly without the need for conversions.  Just basically select the PFX file and enter the password.
