Intermediate Certificates: Installing Certs on a NetScaler Part 2

In part 1, we went over the installation process for a certificate. Now that we have our base certificate installed, we need to get the Intermediate certificate installed. Some certificate providers offer the ability to download your certificate, any Root certificate, and the Intermediate certificate in one bundle. For those providers, you will need to look up their instructions on how to utilize a bundle such as that. The NetScaler will work with certificate bundles and the results may be quicker. However, we are going to continue on as if you did not have the option for a certificate bundle and now need to install the Intermediate certificate.

The very first thing you will need to do is download the correct Intermediate certificate from your provider. Most certificate providers keep their Intermediate certificate download links on their support site. Because there are many different types of certificates (basic, wildcard, multi-domain, etc.), you need to download the Intermediate certificate that matches your certificate type. Once you have the Intermediate certificate, here are the steps to install it:

  1. Install the certificate received from the provider (Configuration → Traffic Management → SSL → Certificates → Install):
  2. Still on the certificates page, select the original certificate (the one you are getting the Intermediate for). Under the ‘Action’ options, choose ‘Link’:
  3. From the list of certificates shown, select the Intermediate certificate.

That is all it takes. You can now check your certificate status with a certificate checker tool (the cert provider usually has one to utilize). You should not see any issues pertaining to an Intermediate certificate. Going back to the example given in a previous blog, you can now try to connect the devices that had issues connecting to the provided certificate alone.

The examples given in these posts for installing a certificate and an Intermediate certificate were shown through the GUI. The GUI translates each action into command line syntax when it is executed. Therefore, if you would like, you can install certificates from the command line. We will not go into detail on this procedure, but the basic commands for it are ‘add ssl certkey’ and ‘link ssl certkey’. Look up those commands should you wish to do everything from the command line.

Please post your comments or questions below. You can also reach me directly by email.


Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant
craig.kalty@customsystems.com

 

 

 

©2015 Custom Systems Corporation

Intermediate Certificates: Installing Certs on a NetScaler Part 1

In a previous post, we discussed the purpose of installing an Intermediate certificate. One of the purposes of that post was to segue into this topic. We used the example of a NetScaler to demonstrate the need for an Intermediate certificate. If you haven’t yet, I suggest you read that post before going any further.

One last step before we get to the Intermediate certificate – I suggest we start by installing a certificate on the NetScaler. You can create your own certificates on the NetScaler, but we would probably not want to do that if we are rolling out external communications to many people. The process outlined below assumes you are ordering a certificate from a third party authority (Digicert, Verisign, Thawte, etc).

First, you will need to create and submit a certificate request:
1. Create an RSA Key (Configuration → SSL → Traffic Management → Create RSA Key):

2. Create the Certificate Signing Request (Configuration → SSL → Traffic Management → Create CSR):

3. View and save your certificate request:

4. Submit your certificate request to a third party provider. (The process for this step varies per provider.)

Now you need to install your certificate. Some certificate providers offer methods to download the certificate you ordered and their Intermediate certificate all in one file. The availability and steps to perform that action vary per provider, so we are going to proceed as if the requested certificate and the Intermediate need to be installed separately:

1. Receive your requested certificate from the provider and start the install process (Configuration → SSL → Traffic Management → Create CSR):

2. Upload the certificate:

3. Install the certificate received from the provider (Configuration → Traffic Management → SSL → Certificates → Install):

Now we have a third party certificate installed on our NetScaler. This alone will facilitate a connection to Storefront through the NetScaler for Windows and some other Citrix Receiver clients. However, not all clients will be satisfied with this. In the final segment of this blog, we will install a root certificate and the Intermediate certificate.

Please post your comments or questions below. You can also reach me directly by email.


Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant
craig.kalty@customsystems.com

 

 

 


The Future of Smart Phones

What’s in the Future of Smart Phones?

Batteries that charge in seconds. Bendable phones. Curved screens. Smart phones have changed a lot in the last two years. But what are some of the new features you should be looking for in your next cell phone? Technology is always moving forward and, in the case of smartphones, at an exceptional pace. Here’s a quick breakdown of the next generation smartphone tech that you should be looking for in your next upgrade.
 
One that I think most people, especially teenagers, will be excited for is synthetic sapphire. The most fragile part of your phone is the screen and the camera cover, because they are both made out of glass. In most cases today, this glass is specially treated to withstand certain kinds of impacts and scratches. Most of us know that feeling you have when you drop your phone and pick it up only to see a spider web of cracks across the screen. Synthetic sapphire promises to be a significantly more scratch- and impact-resistant material than glass. Replacing the glass parts of our devices with this material should help to greatly reduce the chance of accidental damage and those unwanted shattered screens.
 

Another part of a cell phone that will be a nice improvement will be reversible connectors. If you are an iPhone owner you already know this joy. For the rest of you that still use mobile phones that have USB connectors, one is in the works that will also be reversible. No more fumbling in the dark to plug in your phone at night.
 
A feature that I am excited for, and one that will also take care of those pesky chargers, is wireless charging. There are some devices out there now that are capable of this, but it is not yet a widely used concept. This promises to be the future of smart phone charging. Really, the future of charging anything. Although, what would be really nice is to just not have to ever charge something again. Imagine just always being able to pull a charge wirelessly from somewhere and never having to wait for something to charge again?
 
The future of smart phones is going to be exciting. There are many things that may become standard on new phones. Who knows, your next smart phone may have screen projection, holograms, flexible displays, or even be completely built into your watch with no more handsets. The only question is, what’s next?
 
As always, please post your comments and questions below or email me directly.

 

Ryan Ash
Network Consultant
ryan.ash@customsystems.com
©Custom Systems Corporation 2015

 

Do I really need an Intermediate Certificate?

So what is an intermediate certificate and why do you need one?

Let’s look specifically at its purpose in the NetScaler appliance. This provides us the opportunity to explain the installation of an intermediate certificate on the latest release of NetScaler firmware in the next blog.

Certificates protect our data. Working with certificates is an important, necessary evil. In the past, Web Developers and Network Engineers did the majority of work with certificates. It has become more common for administrators and other IT people to get involved with them. It is becoming more and more prevalent for us to use certificates to protect our internal/private communications as well as external/public communications. Certificates are a key component of Secure Sockets Layer (SSL) which is the primary form of security for the Internet. SSL is used to encrypt data (whether on the internet or internally). The purpose of the certificate is to provide the key to decrypt the data and authenticate that you are communicating with your intended target. Simply put, using a certificate makes sure the only ones who can decrypt the data are the two endpoints doing the communication.

So, where does an intermediate certificate come into all of this? An intermediate certificate is kind of a proxy certificate. Authentication methods for SSL communications utilize the root certificate supplied by the organization that issued the requested certificate used to provide SSL for our service. The purpose of an intermediate certificate is to allow us to install the root certificate in a higher level of security and use a different certificate that is signed by the root certificate to front-end the root. That front-end certificate is the intermediate. Since the intermediate was signed by the root certificate, it can act as a “middle-man” for the root and the service’s issued certificate. The term for this is the “Chain of Trust”. In essence, we are protecting the key to our data communications.

The need for an intermediate certificate will depend on what service you are offering from the NetScaler. It actually depends on the requesters connecting to our service. For instance, the most common purpose of a NetScaler in a Citrix XenApp/XenDesktop environment is to be the secure access gateway (besides being a load balancer and all the other features). The access gateway service requires a certificate. You can acquire your certificate from whichever provider you are most comfortable with.

A very common issue occurs when you do not have an intermediate certificate installed on the NetScaler. Windows PCs will connect without a problem, but Apple Macs, Apple devices (iPads and iPhones), and Android devices will not connect. You usually see an SSL error or something similar. The reason for this is the requester’s operating system. When released, operating systems usually include a batch of recognized root certificates from various providers. The operating systems on the devices that cannot connect most likely do not have the root certificate needed to validate the certificate your service is providing. In order to complete the “Chain of Trust” for these devices, we need to install an intermediate certificate on the NetScaler (or the server or device offering the SSL certificate). Once the intermediate certificate is installed on the NetScaler and linked to the proper certificates already on the NetScaler, all devices should be able to connect.
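
The “Chain of Trust” check described above, and the post-install check mentioned in Part 2, as an added example that is not from the original posts: a constructed root, intermediate and server certificate are generated with OpenSSL, then verified as a client that trusts only the root, first with the server certificate alone and then with the intermediate supplied, which is what linking on the NetScaler makes the appliance send. All names, including `gateway.example.test`, are made up for the demo.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI (all names are made up for the demo).
set -eu

# issue NAME CN IS_CA [SIGNER]  -- no SIGNER means a self-signed root
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

build_chain() {  # $1 = empty working directory
    ( cd "$1"
      issue root  "Demo Root CA"          TRUE
      issue inter "Demo Intermediate CA"  TRUE  root
      issue leaf  "gateway.example.test"  FALSE inter )
}

# Client trusts only the root; server presents only its own certificate.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client; server also presents the intermediate (the state after "Link").
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Pre-link check: the leaf's issuer must equal the intermediate's subject.
issuer_matches() {
    i=$(openssl x509 -in "$1/leaf.pem"  -noout -issuer  | sed 's/^[a-z]*= *//')
    s=$(openssl x509 -in "$1/inter.pem" -noout -subject | sed 's/^[a-z]*= *//')
    [ "$i" = "$s" ]
}

demo=$(mktemp -d)
build_chain "$demo"
issuer_matches "$demo" && echo "intermediate matches leaf issuer"
verify_leaf_only "$demo" && echo "leaf alone: OK" || echo "leaf alone: FAIL"
verify_with_intermediate "$demo" && echo "with intermediate: OK" || echo "with intermediate: FAIL"
rm -rf "$demo"
```

Against a real gateway, `openssl s_client -connect <host>:443 -showcerts` lists the certificates the device actually sends; once the intermediate is linked it should appear after the server certificate.
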

In the second part of this post, I’ll explain how to install certificates on a NetScaler. For those of you not interested in the NetScaler (whoever that one person is), read or read not. It’s your call.

Please post your comments or questions below. You can also reach me directly by email.


Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant
craig.kalty@customsystems.com

 

 

 
