
Resource unavailable to Modify Certificate certkey_name


William Olmstead


Just got ADM set up and trying to update a cert and getting the following error: "Resource unavailable to Modify Certificate certkey_name".  I did see that it uploaded the new cert to the ADC and I verified the certkey name but am still getting the error.  Something that seems simple, so not sure why it is not working.  I did verify the certkey name from the cmd line and the cert/key on the server.

 

Edit: I see I put this in the wrong forum.  I don't see how I can delete it, so if it can be moved please move it to the ADM group; if not, can it be deleted and I can recreate it in the correct forum.

 

TIA,

 

Keith

Edited by William Olmstead
wrong forum.

Just to clarify, are you trying to get the ADM to update a set of cert files on the ADC, but you uploaded the files to the ADC first?  Or are you updating a certkey, but it won't let you replace the files?  (If neither is what you meant the following will not apply; feel free to clarify.)

 

If you want the ADM to update the cert files, the files must be uploaded to the ADM and then you can use them to push files to the ADC.

Basically, if you're in the NetScaler/ADC instance and use the GUI to load files "from appliance", you see the ADC's /nsconfig/ssl directory.

If you are in ADM and use it to push files to an ADC, then when you use the "from appliance" option you are seeing source files from the SSL directory on the ADM, but files will go to the target ADC's /nsconfig/ssl directory. ADM does not show the target ADC directory.

 

So, start with files "local" and then use ADM to upload the file to the ADC. This will then result in the files being in the ADM appliance <source> directory, and then you can push to multiple ADCs. Files still get to the target ADCs; but ADM doesn't "see" the ADC's /nsconfig/ssl directory.

 

The other issue might be with ADM pushing certs to the ADC: if you are updating an existing certkey with replacement cert/key files, the ADM must use new file names and will not overwrite the file names on the target ADC.  (Again, if you did this in the ADC, you could overwrite the names; but the ADM won't.)

 



I am using ADM to update a certificate.  I choose the cert on my local system that my CA created.  It is valid and good.  The key is the same since it is just an update.  When I hit the update button, it gives the above error.  When I go look at what is on the ADC in the /nsconfig/ssl/ directory, I see that the ADM uploaded the new cert to the ADC in the previous step, but threw the above error.  I do rename the new cert to something different before I hit the update button so it does not overwrite the old certificate, for backup purposes.

 

One thought is that I just built out the ADM on 13.1, but my ADC is 12.1, so I am wondering if it is because of version differences.

 

--Keith


 

Updating a certkey keeps the same name; but the files have to be different names if done by ADM (by ADC, you can overwrite files with the same names).  13.1 ADM should be able to manage 12.1 ADC.

 

You can try to update the cert from the ADC to see if it likes the files as is.  You can also try on a test VPX (if you have one), using the ADM to create a brand new certkey with those files just to make sure they are valid. You can also look at syslog on the ADC for specific audit errors that might indicate a more specific issue.

 

When you update the certkey are you specifying both the new cert and the original key file to use?  (Setting both fields, even if private key isn't changing?)

Or are you creating a new certkey instance with the new cert but the previous private key (which probably won't work, as it would be a duplicate of an existing certkey)?

Any chance you don't have full admin rights on target ADC?
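As an added example (not from this thread), here is a pre-flight script for the "make sure they are valid" advice above: it confirms the replacement cert actually matches the private key you are about to upload, and that the new file names do not collide with anything already in the target ADC's /nsconfig/ssl listing. It assumes openssl is available on the workstation; the file names and the directory listing are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-flight checks before letting ADM push a replacement
# cert/key pair to an ADC. All names and paths here are constructed.
set -u

# Does the certificate's public key match the private key?
# Compares the SHA-256 of the SubjectPublicKeyInfo derived from each side
# and prints "match" or "mismatch".
certkey_match() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] && echo match || echo mismatch
}

# ADM drops the files into the target's /nsconfig/ssl. Whether or not it
# overwrites a same-named file, a collision is a stop condition: either the
# push fails or an existing file (possibly a shared key) gets replaced.
# $1 is a file holding the captured directory listing, one name per line.
name_collision() {
    listing="$1"; shift
    for f in "$@"; do
        if grep -qxF "$(basename "$f")" "$listing"; then
            echo "collision: $(basename "$f")"; return 1
        fi
    done
    echo "no collision"
}

# --- constructed sample data: throwaway self-signed pair, an unrelated key,
# --- and a fake /nsconfig/ssl listing that already contains "site.key"
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$tmp/site.key" -out "$tmp/site-new.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -out "$tmp/other.key" >/dev/null 2>&1
printf 'ns-server.cert\nns-server.key\nsite.key\nsite-old.crt\n' \
    > "$tmp/adc_ssl_listing.txt"

certkey_match  "$tmp/site-new.crt" "$tmp/site.key"              # match
certkey_match  "$tmp/site-new.crt" "$tmp/other.key"             # mismatch
name_collision "$tmp/adc_ssl_listing.txt" "$tmp/site-new.crt"   # no collision
name_collision "$tmp/adc_ssl_listing.txt" "$tmp/site.key"       # collision: site.key
```

Run it against the real files and a listing captured from the ADC (for example the output of `ls /nsconfig/ssl` saved to a file) before clicking Update in ADM.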


I have no problem updating the certkey from the cmd line or the GUI within the ADC.  That is the way we usually update it, but since I just now got ADM up and going, the SSL dashboard in the ADM seems like a good resource to use.  I tailed the ns.log and nothing came across when I tried to update the cert.  I am using the same certkey instance but just updating the existing cert with a new one.   I have full rights on the ADC.

 

I have attached a screenshot of the error with the cert/key/ip removed.  The IP address has the IP of the active SNIP, the cert has the new cert, and the key is the existing key.

ADM-SSL-error.png



 

I found an audit log in ADM and it seems that it can't put the key file on the ADC from ADM.  It is failing to scp the key file on the ADM.  I wonder if it needs the key file on the ADM server even though the existing key file is already on the ADC.



 

Ok, that worked.  Even though I had the key already on the ADC, it needed me to upload it again or for it to be on the ADM already so it can push it to the VPX.  Seems kind of redundant imo, and here is the "info" button next to the key field in the ADM: "File name of the private key used to create the certificate. The key file must be present on the Citrix ADC SDX virtual appliance."


SCP or file rights make more sense.

 

So typically, if using ADM you do NOT want the "new" files already on the target ADC. ADM will not overwrite files with same name on ADC either.

 

Start with the ADM and, when you update a certkey on an existing ADC, start by using the "upload files" from local (your endpoint), which will bring the files to the ADM AND push them to the /nsconfig/ssl/ directory on the ADC.  For the next cert you update, the "from appliance" option in the ADM will be the ADM's SSL repository (on behalf of the ADCs) and you can push to others.

But ADM does not see files on the /nsconfig/ssl directory of the ADC in this context.

 

If it is still an issue, make sure there are no ACLs or issues with your account on the ADC, the ADM, or the scp between ADM and ADC.


27 minutes ago, Rhonda Rowland1709152125 said:

I think we cross posted; but I think you figured it out too. So, great!

 

Yup, this tidbit that you mentioned is good to know:

 

"ADM will not overwrite files with same name on ADC either"

 

It is good to know that I can put the existing key that is on the ADC on the ADM and then load it up like it is a new key and it will not overwrite what is already on the ADC.  We do use the same key sometimes for multiple sites, so good to know it won't affect existing ones.

 

Thank you for your help


4 hours ago, William Olmstead said:

"ADM will not overwrite files with same name on ADC either"

I should clarify it didn't use to. I haven't tried that exact scenario recently, but it is usually the issue with cert management. You may want to set up an explicit test to CONFIRM, if you need to make sure, that safety is still in effect.


1 hour ago, Rhonda Rowland1709152125 said:

I should clarify it didn't use to. I haven't tried that exact scenario recently, but it is usually the issue with cert management. You may want to set up an explicit test to CONFIRM, if you need to make sure, that safety is still in effect.

 

I will try that just to make sure.  I have plenty of dev/test cert/key combos to try out.

 

TY


On 10/14/2022 at 3:23 PM, Rhonda Rowland1709152125 said:

I should clarify it didn't use to. I haven't tried that exact scenario recently, but it is usually the issue with cert management. You may want to set up an explicit test to CONFIRM, if you need to make sure, that safety is still in effect.


It did change the key even though it was already on the VPX, just FYI.
