
Unknown CA in packet capture NetScaler

Mark Brilman




I have a scenario in which the NetScaler fails an SSL connection to a backend server saying Level=fatal(2), description=unknown CA in packet capture.

When I import the CA chain on the NetScaler, link the certificates together and bind the Root CA certificate to the service group, the issue is gone.

When I unbind the Root CA certificate again, the error comes back. The backend does not do client authentication.


I have never bound a Root CA certificate to a Service Group. What am I actually doing? Why is the NetScaler failing the connection when the Root CA certificate is not bound to the Service Group?


Have you enabled server authentication by any chance?





Since the NetScaler appliance performs SSL offload and acceleration on behalf of a web server, the appliance does not usually authenticate the Web server’s certificate. However, you can authenticate the server in deployments that require end-to-end SSL encryption.

In such a situation, the appliance becomes the SSL client, carries out a secure transaction with the SSL server, verifies that a CA whose certificate is bound to the SSL service has signed the server certificate, and checks the validity of the server certificate.

To authenticate the server, you must first enable server authentication and then bind the certificate of the CA that signed the server’s certificate to the SSL service on the NetScaler appliance. When binding the certificate, you must specify the bind as CA option.


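To make the answer above concrete, here is the NetScaler CLI configuration that corresponds to the two states described in the question: server authentication enabled on the service group with no CA bound (the backend's certificate cannot be chained to a trusted CA, so the appliance, acting as the TLS client, sends the fatal unknown_ca alert seen in the capture), and the same service group with the issuing CA bound using the bind-as-CA option. This is an added example, not configuration posted in the thread; the service group name `sg_backend`, the certkey names `RootCA` and `IntermediateCA`, and the file names are placeholders.

```nscli
# --- Weak/incomplete state: server authentication is on, but no CA is bound ---
# The appliance verifies the backend certificate against bound CA certkeys.
# With none bound, the handshake is aborted with alert level=fatal(2),
# description=unknown_ca (the behaviour described in the question).
set ssl serviceGroup sg_backend -serverAuth ENABLED

# --- Corrected state: import the chain, link it, and bind it AS A CA ---
# Placeholder file names; upload the PEM files to /nsconfig/ssl first.
add ssl certKey RootCA         -cert root_ca.pem
add ssl certKey IntermediateCA -cert intermediate_ca.pem
link ssl certKey IntermediateCA RootCA

# The -CA flag is what distinguishes "trust this issuer" from "present this
# certificate"; without it the certkey is not used for chain validation.
bind ssl serviceGroup sg_backend -certkeyName RootCA -CA

# --- Verification: confirm the setting and the CA binding are in place ---
show ssl serviceGroup sg_backend
# Expect "Server Auth: ENABLED" and RootCA listed with "CA: YES"

# --- Alternative, if end-to-end verification of the backend is not wanted ---
# Disabling server authentication stops the appliance from checking the chain,
# which also makes the unknown_ca alert disappear, but removes the protection
# against a spoofed or misissued backend certificate.
set ssl serviceGroup sg_backend -serverAuth DISABLED
```

Keeping `-serverAuth ENABLED` with the CA bound is the defensible choice when the backend link crosses a network you do not fully control: the appliance then rejects any backend certificate that does not chain to the bound CA, which is exactly the check that produced the alert in the capture.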
