
Need a recommendation for SSPR encryption certificate


nlffel439

Hello,

For the encryption of the SSPR (KBA) string, a certificate is needed, which I bind via the CLI command "bind vpn global -userDataEncryptionKey MyCertificate".

The problem: which one is best for this, and what happens if you exchange it after expiration?

My understanding is that after swapping, you would not be able to decrypt the existing strings because the certificate that was used for this is no longer bound.

Do you have any experience here that you can share with me?

Thanks a lot.


10 minutes ago, Julian Jakob said:

I have never used SSPR with NetScaler, but I often use the native OTP with encrypted keys, and this is the same command for binding a certificate for the encryption of all OTPs. I renewed and exchanged this certificate a lot in the past with no issues. I always used a certificate from an internal PKI.

Hi Julian,
thank you very much for your answer.

According to the Citrix documentation, when you change the certificate, you have to redo the KBA registration (https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/sspr-support.html#display-user-registration-and-management-screen).

What kind of certificate did you use? I always get "Invalid certificate" for a server or client certificate.
Until now I have only been able to test it with a public wildcard.

Thanks a lot


Hi,

I have recently gone through this process.

What happens is the encrypted attribute becomes unreadable, as it was encrypted with the old expired certificate. The result of this is that when a user tries to reset their password it does not work, as it tries to unencrypt the KBA attributes using the new cert.

The only fix I could think of was to clear the user attribute via PowerShell for all users, so they register for the KBA questions again.

I need to log a ticket with Citrix about it, but to say the experience with Citrix support is painful is an understatement.

If you find anything out, please let me know.

****************************

It is off-topic for this post, but you will also find an issue with the KBA registration screen where the "alternative email ID" is not validating the input as an email address. So, a user could register "dfhfjdgfhsgf" and it would accept it, but when it comes to resetting the password it will error, as that is not an email address to send the OTP to.

Have lost faith in Citrix; the ADC is a buggy mess.

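One way to do the bulk clear that the reply above describes, as an added PowerShell example that is not from the thread or from Citrix: it assumes the RSAT ActiveDirectory module, and that your KBA registration action stores its encrypted blob in the attribute named by $KbaAttribute (a placeholder defaulting to userParameters; substitute the attribute configured in your own action). Nothing is modified unless -Commit is passed.

```powershell
# Added example (not from the thread). Clears the SSPR KBA attribute for users who
# have one, after the -userDataEncryptionKey certKey was replaced and the old
# ciphertext can no longer be decrypted, so that those users re-register.
param(
    [string]$KbaAttribute = 'userParameters',                # assumption: attribute used by your KBA action
    [string]$SearchBase   = 'OU=Users,DC=example,DC=com',    # placeholder OU served by the SSPR gateway
    [string]$BackupPath   = ".\kba-backup-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
    [switch]$Commit                                          # without -Commit only -WhatIf output is produced
)

Import-Module ActiveDirectory

# Only users that actually carry a KBA blob are touched; everyone else is left alone.
$users = Get-ADUser -SearchBase $SearchBase `
                    -Filter "$KbaAttribute -like '*'" `
                    -Properties $KbaAttribute

Write-Host "Users with a populated '$KbaAttribute' attribute: $($users.Count)"

# Keep a copy of the (still encrypted) values in case the old certKey has to be
# re-bound; the blob is useless without it, but the backup costs nothing.
$users |
    Select-Object SamAccountName, DistinguishedName,
                  @{ Name = $KbaAttribute; Expression = { $_.$KbaAttribute } } |
    Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Backup written to $BackupPath"

foreach ($u in $users) {
    # -WhatIf stays on until -Commit is given, so a dry run is the default.
    Set-ADUser -Identity $u.DistinguishedName -Clear $KbaAttribute -WhatIf:(-not $Commit)
}
```

Because the stored value is opaque ciphertext, nothing in AD tells you which certificate produced it, so scope the run with -SearchBase to the users the SSPR deployment actually serves.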

1 month later...

We use SSPR across multiple ADCs, each hosting a gateway. The gateways are part of a much larger GSLB deployment. The certificate should not be tied to a specific site, but rather to a purpose. Example: SSPRSharedCert. If you generate the key and CSR on one NetScaler, the key and cert can be exported, then uploaded into another NetScaler. Since this is not a site-specific cert, renewing it is not a big deal. "The certificate must be uploaded."

First, use the GUI to export the cert and key you need from the first NetScaler.

Next, use the GUI to upload the cert and key on the second NetScaler.

Then via PuTTY (SSH):

add ssl certKey SSPRSharedCert -cert SSPRCert.cer -key SSPRSharedCertKey -passcrypt PASSWORD
bind vpn global -userDataEncryptionKey SSPRSharedCert

So far this has worked rather well.
