How to Install PFX Certificate on NetScaler

From time to time I have to create a new virtual server on my NetScaler box, along with a new SSL certificate. Recent NetScaler versions offer an easy option to create a test certificate with one click, but at some point you will need a real certificate there. In many cases the certificate you have is in PFX (aka PKCS#12) format, while NetScaler requires the certificate and key pair in PEM or DER format. Solving this puzzle may not be so easy.

Fortunately, NetScaler itself comes with embedded OpenSSL support, and the following steps will help you handle the certificate installation task even without deep OpenSSL knowledge.

root@ns1#
root@ns1# pwd
/nsconfig/ssl
root@ns1# ls my-test*
my-test.pfx
root@ns1# openssl pkcs12 -nokeys -in my-test.pfx -out my-test.cert
Enter Import Password:
MAC verified OK
root@ns1# openssl pkcs12 -nocerts -nodes -in my-test.pfx -out my-test.key
Enter Import Password:
MAC verified OK
root@ns1# ls my-test*
my-test.cert    my-test.key     my-test.pfx
root@ns1#
root@ns1#

Pay attention to the two openssl pkcs12 commands in the session above – those are the commands that create the certificate file and the key file respectively.
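The same two openssl pkcs12 calls, wrapped in a small POSIX shell script so they can be repeated and checked. This is an added example and not part of the original post or of NetScaler; it assumes only that an openssl binary is on PATH (NetScaler's own shell provides one). It also does the two checks you want before loading the pair into the appliance: that the extracted key really belongs to the certificate, and that the certificate has not already expired or is about to. The file names, the password "secret" and the self-signed sample certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the two openssl
# pkcs12 commands from the NetScaler session as a script, then verify that
# the extracted key belongs to the certificate and that the certificate is
# still valid. Assumes only that `openssl` is on PATH; file names and the
# password used below are made-up sample values.
set -eu

# Split a PKCS#12 bundle into <base>.cert (certificate chain, no key) and
# <base>.key (private key, unencrypted because NetScaler loads it that way).
pfx_to_pem() {
    pfx="$1"; base="$2"; pass="$3"
    openssl pkcs12 -nokeys -in "$pfx" -out "$base.cert" -passin "pass:$pass"
    openssl pkcs12 -nocerts -nodes -in "$pfx" -out "$base.key" -passin "pass:$pass"
    chmod 600 "$base.key"   # an unencrypted key must not be world-readable
}

# Exit 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the pair was not mixed up.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Exit 0 when the certificate stays valid for at least $2 more seconds;
# exit 1 if it expires within that window (or has already expired).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the notAfter date so the operator sees what is about to be installed.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate
}

# Build a throw-away self-signed certificate and wrap it in a .pfx so the
# script can be exercised offline (constructed test data, not a real cert).
make_sample_pfx() {
    dir="$1"; pass="$2"; days="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=my-test.example" \
        -keyout "$dir/sample.key.pem" -out "$dir/sample.cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/sample.cert.pem" -inkey "$dir/sample.key.pem" \
        -out "$dir/my-test.pfx" -passout "pass:$pass"
    echo "$dir/my-test.pfx"
}

# Stand-alone run: sh pfx2pem.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    pfx=$(make_sample_pfx "$work" secret 30)
    pfx_to_pem "$pfx" "$work/my-test" secret
    key_matches_cert "$work/my-test.cert" "$work/my-test.key" && echo "key matches certificate"
    cert_end_date "$work/my-test.cert"
    cert_valid_for "$work/my-test.cert" 86400 && echo "valid for at least one more day"
    ls "$work"/my-test*
fi
```

On the appliance you would run pfx_to_pem against the real .pfx in /nsconfig/ssl and skip make_sample_pfx; the key_matches_cert and cert_valid_for checks are the ones that catch a wrong key file or an already expired bundle before the virtual server goes live.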

How to speed up SSL handshake in isolated environments

Opening an HTTPS URL in an environment that is not connected to the internet may take a long time. Fortunately, there is a way to speed up this process on the client side. It appears that Windows tries to retrieve a fresh CRL (certificate revocation list) from its own and third-party servers. Obviously, this attempt times out when the client is not connected to the internet. There is no way to disable CRL retrieval completely, but it is possible to reduce the retrieval timeout to the minimum allowed. The system will still attempt to contact the CRL servers, but it will take less time to go through the whole list.

In addition to the SSL handshake, the settings below will speed up any process that involves certificate validation – for example, validation of code signing certificates.

So:

  1. Open Local Group Policy Editor (for example, search for “Edit Group Policy” in the Start Menu)
  2. Go down the tree from “Computer Configuration” => “Windows Settings” => “Security Settings” => “Public Key Policies”
  3. On the right side, double-click on “Certificate Path Validation Settings”
  4. Go to “Network Retrieval” tab
  5. Select “Define these policy settings” checkbox
  6. Change both timeout values under “Default retrieval timeout settings” to 1 second
  7. Click “OK”

For detailed instructions for clients that are part of an Active Directory domain, see the corresponding TechNet topic (although it describes increasing the timeout rather than decreasing it).

(Screenshot: Retrieval Timeout Settings)

The instructions above apply to Windows clients, but the same technique may be applicable to other operating systems.

Fixing WebSEAL that suddenly stopped responding to HTTPS

Has it happened to you that your lab WebSEAL instance suddenly stopped working? Everything seems to be up and running, but any regular request to port 444 results in “Internet Explorer cannot display the webpage”? Well, it happened to me several days ago. Testing the same URL in Google Chrome revealed the possible cause – “ERR_SSL_PROTOCOL_ERROR”. An additional test revealed that HTTP traffic on port 81 (which is typically not used) was served correctly.

I’ll save you from reading the frustrating troubleshooting details. The bottom line is simple – the self-signed SSL certificate supplied with IBM WebSEAL expired on August 27, 2011. This is the certificate that is used by default in many labs, including mine. The fix is really simple – if you know where to look and what to do.