
certificate installation: Netscaler VPX 13.x

Tom Lyczko


We have one NetScaler VPX running


Recently we had to renew and reinstall our SSL SAN certificate.

Luckily Namecheap had correct instructions about how to create the certificate and so far as I could see it went properly.


However -- installing the certificate was a different story.


I *think* I got it installed correctly -- the browsers display the correct padlock symbol and apparently use the certificate.


However -- when I run the Qualys SSL Labs test -- I get this:


Additional Certificates (if supplied)

Certificates provided 1 (1924 bytes)

Chain issues Incomplete

We get downgraded to B because of this "Chain issues: Incomplete" result.


And further down it says certain items are an additional download, e.g.

1 Sent by server mls.mountainlakeservices.org
Fingerprint SHA256: 
Pin SHA256: 
RSA 2048 bits (e 65537) / SHA256withRSA

2 Extra download Sectigo RSA Domain Validation Secure Server CA
Fingerprint SHA256: 
Pin SHA256: 
RSA 2048 bits (e 65537) / SHA384withRSA

3 In trust store USERTrust RSA Certification Authority   Self-signed
Fingerprint SHA256: 
Pin SHA256: 
RSA 4096 bits (e 65537) / SHA384withRSA


Even Namecheap's instructions for actually installing the SSL certificate DO NOT MATCH what's shown in the NetScaler interface and I have not found anything that correctly matches the NetScaler 13.x web interface for installing the certificate.


Please don't provide Citrix's instructions, they are even worse and completely do not match the NS 13.x web interface.


Does anyone know of any correctly written instructions for installing an SSL certificate on NetScaler 13.x??


Thank you, Tom


I've done more reading. I thought I did the linking of the certificate bundle to the main certificate correctly; I've concluded that somehow this might not have worked correctly?? NetScaler certs work way differently than Windows certs and I've not found any instructions that I can understand with only my Windows certs experience. Maybe I should redo the cert with a different starting point, e.g. one of our other servers?? -- and then import into NetScaler??


I will try your instructions -- though they assume the cert was installed on a Windows server then imported into NetScaler, whereas in our situation the cert was actually created on the NetScaler, which is the main domain in the SAN SSL domain list. When I did the linking I see something called ________ ic and I thought this was what gets linked. But SSL Labs only says I have an incomplete chain. I'm thinking about starting over with using a different server as the main domain and having the NetScaler be one of the alternate domains.
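
An added example, not part of the original thread: the "Chain issues: Incomplete" and "Extra download" lines in the SSL Labs output quoted above mean the server sent only its own certificate, so a client that trusts just the root cannot build the path without fetching the intermediate itself. The shell sketch below reproduces that offline with constructed throwaway certificates and shows that sending leaf plus intermediate validates against the root alone. The function names, file names and `constructed-*.example` subjects are assumptions for illustration, and the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Added example; every certificate here is a constructed throwaway test cert.

# Build root -> intermediate -> leaf in directory $1.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=constructed-$n.example" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root: stands in for the CA reported as "In trust store".
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
        -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root: the "Extra download" certificate.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    # Leaf signed by the intermediate: the "Sent by server" certificate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
    # What a server with the intermediate linked would send: leaf first.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Number of certificates in the bundle a server sends ($1).
certs_sent() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds only if the first certificate in bundle $1 chains to root $2
# using nothing but the other certificates in that same bundle.
chain_complete() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
make_demo_chain "$tmp" || exit 1
for f in leaf.pem fullchain.pem; do
    if chain_complete "$tmp/$f" "$tmp/root.pem"; then s=complete; else s=INCOMPLETE; fi
    echo "$f: $(certs_sent "$tmp/$f") certificate(s) sent, chain $s"
done
```

The same `chain_complete` check can be run against a PEM file holding exactly what a real server presents, with the CA's root certificate as the second argument.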
