Every now and then it’s necessary to look into an SSL stream between client and NetScaler to inspect what’s actually happening. I struggled with this topic quite a bit, and documentation (e.g. from Citrix) is not always complete. I will not pretend this document covers everything, but I had some good successes decrypting traces with the following procedure. If you have any additions please let me know, and I will be happy to add them to this post.
Posts Categorized: PKI (Certificates)
I replaced my internal CA and needed to replace all certificates, including the machine certs on my server core machines. I had to replace the domain controller certs, and some machine certs.
I had to create a SAN cert. If you google you will find a lot of articles telling you to modify your openssl.cfg. You can also do it with a command. I put some special characters in the command because they need to be escaped. You can see how below:
req -newkey rsa:2048 -keyout new_private.key -sha256 -subj "/C=NL/ST=Noord-Holland/L=\'s\-Hertogenbosch/O=Your Organization/OU=I\&CT/CN=common_name.nl/subjectAltName=DNS.1=alternate_name" -out new_certificate_request.csr
You can specify more alternate names by adding more entries:
At the moment I’m working a lot with NetScaler and SHA256 certificates. I noticed that with the change to SHA256 certs the NetScaler has some difficulties importing them. The error you get is: Invalid private key, or PEM pass phrase required for this private key.
At this moment I’m using this command a lot, so I thought it would come in handy to write a separate article about it (easier to find). The command you use to convert a private key to PEM format is……..
In this tutorial I’ll guide you in securing your management page. The goal of the tut. is making sure the NetScaler Management Page is SSL encrypted and AD integrated, meaning you’re able to log in with your Active Directory admin account. Let’s go!
This tutorial is about configuring 2-factor authentication on your NetScaler based on user certificates.
At the moment I’m preparing for my CCE exam and one of the things I like to do is perform several setups. For this tutorial I implemented a XenDesktop & XenApp 7.5 server, a StoreFront server and a virtual NetScaler with a developer license. I already have a CA in place for my self-signed certs, the domain-joined machines automatically trust the Root CA cert, and a Domain Controller is in place.
The goal of the tutorial is to get the StoreFront websites running on SSL. The XML traffic should be encrypted and the NetScaler has to connect to the StoreFront servers through SSL. Let’s start!
An external party switched certificate suppliers, leaving some people within our organization with a little headache. Their SMS service wasn’t working anymore and they couldn’t figure out what the issue was. In the logfile they found the following error (I’ll include the whole log for indexing): unable to find valid certification path to requested target.
Tutorial: Setting up SSTP on Windows Server 2012 (part 1) – prereqs
In this tutorial I’ll write about how to set up SSTP on Windows Server 2012 in a limited lab environment. It’s not a tough job, although you need some basic RRAS, DNS and certificate knowledge. Before we start, the prereqs: in my lab I use a domain controller which is also my enterprise root CA. My RRAS server is also my Online Responder. I’m going to assume you already installed these roles.