How to Install PFX Certificate on NetScaler

From time to time I have to create a new virtual server on my NetScaler box, along with a new SSL certificate. Recent NetScaler versions give you an easy option to create a test certificate with one click, but at some point you will need a real certificate there. In many cases the certificate you have is in PFX (aka PKCS#12) format, while NetScaler requires the certificate and key pair in PEM or DER format. Solving this puzzle may not be so easy.

Fortunately, NetScaler itself comes with embedded OpenSSL support, and the following steps will help you handle the certificate installation task even without deep OpenSSL knowledge.

root@ns1#
root@ns1# pwd
/nsconfig/ssl
root@ns1# ls my-test*
my-test.pfx
root@ns1# openssl pkcs12 -nokeys -in my-test.pfx -out my-test.cert
Enter Import Password:
MAC verified OK
root@ns1# openssl pkcs12 -nocerts -nodes -in my-test.pfx -out my-test.key
Enter Import Password:
MAC verified OK
root@ns1# ls my-test*
my-test.cert    my-test.key     my-test.pfx
root@ns1#
root@ns1#

Pay attention to the two openssl pkcs12 commands above: they create the certificate and key files respectively.
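The same conversion as a reusable function, added here as an example (not code from the original post): because -nodes writes the private key unencrypted, it restricts file permissions and then checks that the extracted key really belongs to the certificate. The function name pfx_to_pem and the PFX_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# pfx_to_pem FILE.pfx  -> writes FILE.cert and FILE.key next to the PFX.
# Hypothetical helper: the import password is taken from the PFX_PASS
# environment variable so it never shows up on a command line.
pfx_to_pem() (
    pfx=$1
    base=${pfx%.pfx}
    [ -r "$pfx" ] || { echo "cannot read $pfx" >&2; exit 2; }
    [ -n "${PFX_PASS+set}" ] || { echo "PFX_PASS is not set" >&2; exit 2; }
    export PFX_PASS

    # -nodes stores the key without a passphrase, so every file created
    # below must be readable by its owner only.
    umask 077

    # The two commands from the session above, made non-interactive.
    openssl pkcs12 -nokeys -in "$pfx" -out "$base.cert" \
        -passin env:PFX_PASS || exit 1
    openssl pkcs12 -nocerts -nodes -in "$pfx" -out "$base.key" \
        -passin env:PFX_PASS || exit 1

    # Sanity check: the public key inside the leaf certificate must equal
    # the public key derived from the extracted private key.
    # -clcerts skips any CA certificates bundled in the PFX.
    cert_pub=$(openssl pkcs12 -clcerts -nokeys -in "$pfx" \
                   -passin env:PFX_PASS 2>/dev/null |
               openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$base.key" -pubout 2>/dev/null)

    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        exit 3
    fi
    echo "wrote $base.cert and $base.key (key matches certificate)"
)
```

Once the pair is installed on the appliance, delete or archive the original .pfx so the unencrypted key is the only copy left to protect.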

Citrix Access Gateway: Standard vs Enterprise

During the last month I have had several “chances” to explain to people that Citrix Access Gateway Standard and Citrix Access Gateway Enterprise are absolutely different products, and the same is true about their virtual editions (aka VPX). I feel that it is time to write it down once and share the link from now on…

There are two Citrix products named Access Gateway – Citrix Access Gateway Standard/Advanced Edition (aka CAG) and Access Gateway Enterprise Edition (aka AGEE). Both share a similar feature set, hence the common name, but those are different products. CAG is the original Citrix product, with latest versions 4.6 and 5.0 (at the moment of writing). After Citrix acquired NetScaler in 2005, they implemented CAG functionality on the NetScaler appliance and named it “Enterprise Edition”. That’s why AGEE versions follow NetScaler version numbers – it is the same appliance, with latest version 9.3 (again, at the moment of writing).

And what is VPX? Access Gateway VPX is a virtual edition of CAG. NetScaler VPX is a virtual edition of NetScaler (that is – AGEE).

UPD (Sep 1): You can read more about the history of this separation here.

Troubleshooting NetScaler/AGEE Authentication

Surprisingly, the best tool for troubleshooting the NetScaler authentication process is not a log file located somewhere in the depths of the log directory. Instead, there is a named pipe “aaad.debug” in the /tmp directory. This is not a regular file, so you cannot download it or open it in an editor. The correct way to work with a named pipe is to cat its “content” – either directly to the console or to some file.

root@...# cd /tmp
root@...# cat aaad.debug

The following great (and simple!) article in the Citrix KB explains it in-depth: “How to Troubleshoot Authentication with Aaad.debug”.

Upgrading NetScaler VPX

Last week I had to upgrade the NetScaler VPX box in our lab from version 9.2.something (the one it was initially installed with) to the latest available (9.3.something at this moment). A quick search revealed a topic from Citrix Forums (which was not really helpful at that moment) and a KB article aiming to solve a specific upgrade problem – which convinced me that it is at least doable. The lack of information about the process usually means one of two things – either nobody needs that (hard to believe in this case) or it is too obvious to post about it. Actually, the upgrade process is really simple. Yet, this post may save you several minutes…