Certificate Upgrading

Note:  If you have a Citrix ADM, you can also manage certs from there. But I'll start with the ADC options first.


From the ADC:

1) The easiest way to see which certkeys are in use on which vservers is via the cli and grep. A couple of ways to do this:

From cli:

# method 1: show all certkeys in cli (and other parameters) will show all bindings to vservers (lb/cs/vpn/other) and management services

show ns runningconfig | grep certkey -i


# method 2:  show all "bind ssl vserver" commands with a certkey parameter; will show all vservers of all types; but misses management services; but excludes some of the ssl parameters which you don't need:

show ns runningconfig | grep "bind ssl vserver .* -certkey" -i


#method 3:  find the reference to every certkey by name (if you want to see certkey settings (files) and where it is in use aka bound)

show ns runningconfig | grep <certkeyname> -i


In GUI, it depends on version, but you can go to Traffic Management > SSL > Certificates. If you then have an "All certificates" node you can see every certkey on system to get certkey names (regardless of type).  Then you can choose one and then "Select Action >> Show Bindings".

If you don't have the "All Certificates" node, you'd look at the node for each type of certkey: Server | Client | CA | etc...

This is equivalent to the "show ns runningconfig" commands above, but you may not be able to see all certs at one time in the GUI.



2) To update your certificates. (Again, procedure is similar but slightly different if you use ADM).  Use its ssl dashboard to manage certs and update files across multiple managed ADC's.


From the ADC itself, the GUI is probably easiest.

First, a certkey is a cli object that is a pointer to the files on the file system (located in /nsconfig/ssl/).

Anytime a certificate is in use, the certkey cli object (literally the certificate-private key pair) is bound to an entity such as services/vservers and management services.  The entity is associated with the certkey object and the certkey points to the files on the file system.  Wildcard and multi-san certs can be in use across multiple entities.  Name-specific certs might be only used on a single entity.


Next, to change the certificate in use:  the simplest way is keep the certkey bound to the entity or entities using it and only change the files the certkey points to.


So if a couple of lb vservers or vpn vservers use one wildcard certkey (wc-demo.certkey), which itself points to the actual certificate (/nsconfig/ssl/wc-demo.cer) and private key file (wc-demo.pem), you can keep the entities bound to the current certkey:

bind ssl vserver lb_vsrv_demo1 -certkey wc-demo.certkey

bind ssl vserver lb_vsrv_demo2 -certkey wc-demo.certkey

bind ssl vserver vpn_vsrv_demo3 -certkey wc-demo.certkey


And just replace the certkey with the new files. Easily done as a certkey update in the GUI.  Traffic Management > SSL > Certificates > All Certificates. Select <certkey> and select Update.

update ssl certkey wc-demo.certkey -cert wc-demo2.cer -key wc-demo2.pem -password


Through the GUI you can upload files and they will go to the correct destination.  Through CLI, you'd have to upload cert files first to /nsconfig/ssl.  


You can also create a new certkey pointing to new files and unbind vserver from old certkey and then bind them to new one. But if you are keeping names the same and just updating certs (pre-expiration) the other method is preferred.


You can import separate cert/key files. You can also use one file (.cer) as both the cert and private key if it contains both elements. If you have a PKCS#12 bundle (.pfx) you can upload directly and they shouldn't need to be imported or converted.  Just reference the pfx as both the cert and private key.


Some additional examples here:  https://www.carlstalhood.com/netscaler-12-certificates/

  • Like 2
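
An added example, not part of the original post and not Citrix tooling: a shell function that turns saved "show ns runningconfig" output into one line per certkey (files it points to, entities bound to it), so the scope of an "update ssl certkey" is known before the files are swapped. The function names and the sample config are constructed for illustration; only wc-demo.certkey and the three vserver names come from the post.

```shell
#!/bin/sh
# Added example: inventory certkeys from saved "show ns runningconfig" output.

# Constructed sample input (hypothetical demo-mgmt / demo-ca entries), not real ADC output.
sample_config() {
cat <<'EOF'
add ssl certKey wc-demo.certkey -cert wc-demo.cer -key wc-demo.pem
add ssl certKey demo-mgmt.certkey -cert demo-mgmt.cer -key demo-mgmt.pem
add ssl certKey demo-ca.certkey -cert demo-ca.cer
bind ssl vserver lb_vsrv_demo1 -certkey wc-demo.certkey
bind ssl vserver lb_vsrv_demo2 -certkey wc-demo.certkey
bind ssl vserver vpn_vsrv_demo3 -certkeyName wc-demo.certkey
bind ssl vserver lb_vsrv_demo1 -eccCurveName P_256
bind ssl service demo_mgmt_service -certkeyName demo-mgmt.certkey
EOF
}

# certkey_report: config on stdin -> "<certkey>|<cert file>|<key file>|<bindings>"
# Key file is "-" when the certkey has none; bindings is "NONE" when unbound.
certkey_report() {
awk '
{ split(tolower($0), low) }            # case-insensitive keyword matching
low[1] == "add" && low[2] == "ssl" && low[3] == "certkey" {
  name = $4; order[++n] = name
  for (i = 5; i < NF; i++) {
    if (low[i] == "-cert") cert[name] = $(i + 1)
    if (low[i] == "-key")  key[name]  = $(i + 1)
  }
  next
}
low[1] == "bind" && low[2] == "ssl" {
  for (i = 5; i < NF; i++)
    if (low[i] ~ /^-certkey/) {        # matches -certkey and -certkeyName
      ck = $(i + 1); ent = $3 ":" $4   # e.g. vserver:lb_vsrv_demo1
      if (ck in bound) bound[ck] = bound[ck] "," ent
      else bound[ck] = ent
    }
}
END {
  for (j = 1; j <= n; j++) {
    name = order[j]; k = "-"; b = "NONE"
    if (name in key) k = key[name]
    if (name in bound) b = bound[name]
    printf "%s|%s|%s|%s\n", name, cert[name], k, b
  }
}'
}

sample_config | certkey_report
```

A certkey reported with NONE is not referenced by any bind line in the input, and one with several bindings shows every entity that will present the new certificate after an update.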