Do I really need an Intermediate Certificate?
So what is an intermediate certificate and why do you need one?
Let’s look specifically at its purpose in the NetScaler appliance. This also sets up the next blog, where I’ll walk through installing an intermediate certificate on the latest release of NetScaler firmware.
Certificates protect our data. Working with certificates is an important, necessary evil. In the past, web developers and network engineers did the majority of the work with certificates; it has since become more common for administrators and other IT people to get involved with them. It is becoming more and more prevalent for us to use certificates to protect our internal/private communications as well as our external/public communications. Certificates are a key component of Secure Sockets Layer (SSL), which is the primary form of security for the Internet. SSL is used to encrypt data, whether on the Internet or internally. The purpose of the certificate is to provide the key to decrypt the data and to authenticate that you are communicating with your intended target. Simply put, using a certificate ensures that the only parties able to decrypt the data are the two endpoints doing the communicating.
So, where does an intermediate certificate come into all of this? An intermediate certificate is, in effect, a proxy certificate. Authentication for SSL communications relies on the root certificate supplied by the organization that issued the certificate we requested to provide SSL for our service. The purpose of an intermediate certificate is to let us keep the root certificate at a higher level of security and use a different certificate, signed by the root certificate, to front-end the root. That front-end certificate is the intermediate. Because the intermediate was signed by the root certificate, it can act as a “middle-man” between the root and the service’s issued certificate. The term for this is the “Chain of Trust”. In essence, we are protecting the key to our data communications.
Whether you need an intermediate certificate depends on what service you are offering from the NetScaler. More precisely, it depends on the requesters connecting to our service. For instance, the most common purpose of a NetScaler in a Citrix XenApp/XenDesktop environment is to be the secure access gateway (besides being a load balancer and all the other features). The access gateway service requires a certificate. You can acquire your certificate from whichever provider you are most comfortable with.
A very common issue occurs when you do not have an intermediate certificate installed on the NetScaler. Windows PCs will connect without a problem, but Apple Macs, Apple devices (iPads and iPhones), and Android devices will not connect. You usually see an SSL error or something similar. The reason for this is the requester’s operating system. When released, operating systems usually include a batch of recognized root certificates from various providers. The operating systems on the devices that cannot connect most likely do not have the root certificate needed to validate the certificate your service is presenting. In order to complete the “Chain of Trust” for these devices, we need to install an intermediate certificate on the NetScaler (or on whichever server or device is offering the SSL certificate). Once the intermediate certificate is installed on the NetScaler and linked to the proper certificates already on the NetScaler, all devices should be able to connect.
In the second part of this post, I’ll explain how to install certificates on a NetScaler. For those of you not interested in the NetScaler (whoever that one person is), read or read not. It’s your call.
Please post your comments or questions below. You can also reach me directly by email.
Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant
©2015 Custom Systems Corporation