NetScaler: Public Certificates

I’ll cover the whole story on NetScaler certificates in time, but for now, this is a little note about Intermediate certificates, as I have just spent a while trying to remember how I did it previously.

Intermediate Certificates

When browsing to my NetScaler Gateway URL from a Windows PC, all was fine and there were no certificate errors; however, my Android told a different story and complained the certificate was invalid. On most Linux-based devices (including Apple Mac), the certificate from your web server needs to be ‘tied’ to the Certificate Authority’s certificate (root). This is done by using an Intermediate Certificate. On Windows, Microsoft take care of this for us, but on Linux, the intermediate certificate has to come from our web server.

Obtaining

The intermediate certificate is downloaded from the Certificate Authority, e.g. VeriSign (Symantec), GoDaddy etc. The Intermediate certificate to download depends on the type of certificate purchased. For example, VeriSign’s Premium Extended Validation Intermediate is different to the cheaper Premium. Once in your VeriSign portal, it becomes quite clear. With VeriSign, once I’ve located the correct Intermediate Cert, I simply copy and paste it into a new notepad session and save it as inter.csr. For GoDaddy, you download what they call the Certificate Bundle as a zip, normally at the same time as your actual certificate, although it can be downloaded later.

Installation

Installing the intermediate certificate on a NetScaler is so simple, it’s often confusing. The following are the steps to complete, based on NS10.1: Build 119.7.nc:

  1. Obtain your intermediate certificate (see notes above).
  2. Log in to the NetScaler as an admin user (nsroot). Use either ADC or Gateway. (I don’t think it matters which is used, but the location of “SSL” in the menus might vary.)
  3. Expand SSL.
  4. Click Certificates.
  5. Click Install…
  6. Enter a Certificate-Key Pair Name: GoDaddy-Interm. This is what shows in the list and any selection drop-downs.
  7. To the right of the Certificate File Name field, click the drop-down next to Browse and click Local.
  8. Navigate to the location of the previously obtained intermediate certificate file (gd_bundle.crt).
  9. Click Create.

Link

Finally, the Intermediate Certificate has to be linked to the server certificate.

  1. Right-click the server certificate and select Link…
  2. Select GoDaddy-Interm certificate and click OK.

Browse to the NetScaler’s URL from your Android and you should no longer get a certificate warning.
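
The linking step matters because a client that trusts only the root cannot build a path to the server certificate unless the server also supplies the intermediate. The following is an added example, not part of the original post: it builds a constructed root, intermediate and server certificate with `openssl` (all names, including `gateway.example.test`, are made up) and verifies the server certificate with and without the intermediate.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI (root -> intermediate -> leaf).
# All names and files here are constructed; nothing comes from a real CA.
build_constructed_chain() {   # $1 = empty working directory
  (
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 2 &&
    # Intermediate CA, signed by the root.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -keyout inter.key -out inter.csr -subj "/CN=Constructed Intermediate CA" &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
      -extfile pki.cnf -extensions v3_ca -days 2 -out inter.pem &&
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=gateway.example.test" &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
      -extfile pki.cnf -extensions v3_leaf -days 2 -out leaf.pem
  ) >/dev/null 2>&1
}

verify_leaf() {   # $1 = directory, $2 = root_only | with_intermediate
  if [ "$2" = with_intermediate ]; then
    # -untrusted stands in for the intermediate the server sends in the handshake.
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi 2>&1 | grep -q ': OK$'
}

dir=$(mktemp -d)
build_constructed_chain "$dir"
verify_leaf "$dir" root_only && echo "root only: OK" || echo "root only: verification failed"
verify_leaf "$dir" with_intermediate && echo "with intermediate: OK"
rm -rf "$dir"
```

The root-only check fails with an "unable to get local issuer certificate" error, which is the condition a client reports as an invalid certificate when the intermediate is not linked.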
