First upload the cert and key to the NetScaler, into the directory /nsconfig/ssl

SCP is the best way to do this

add ssl certKey gomk2016 -cert "/nsconfig/ssl/test.crt" -key "/nsconfig/ssl/test.key" -passcrypt ***********
The cert here is the one the CA sent back to you after you submitted your CSR to the CA.

The key here is the key you used when creating the CSR. If the key has a password, add it as well.


Abstract  

All virtual servers are to be configured as content switching virtual servers. As a result, SSL termination is configured on a content switching virtual server of the SSL protocol type. SSL termination requires that the certificate, key, and chain be uploaded, installed, and linked together. The trio is then bound to a virtual server. SSL ciphers are selected using an SSL profile, which can be bound to the virtual server. By default the NetScaler binds ns_default_ssl_profile_frontend, which the kick limits to only a few select strong ciphers.

Naming Standards  

For naming standards see the NetScaler Standards Page  

Uploading and installing the SSL Certificate, Key, and Chain.  

GUI  

There are multiple places to upload these files in the GUI depending on where you are in the virtual server creation process. This wiki outlines two places regardless of whether you are in the process of creating a new virtual server or not.

First select "Manage Certificates/Keys/CSRs" from the SSL menu under configuration.

At this point you can select upload and proceed to upload the files from your local box or go to action >> import and paste in a PEM of each.

After the SSL certificate, key, and chain have been uploaded you have to install them. To start with, navigate to Configuration >> Traffic Management >> SSL >> Certificates >> Server Certificates and select "Install".

Select your certificate and key in the new window that opens. If you uploaded the certificate and key in the way described above, select "appliance" in the drop down menu from "choose file". Alternatively, you can upload the certificate and key from your local box by selecting "local" instead.

Repeat the same process for the CA Certificate under Install CA Certificate.

Finally, you need to link the server cert with the CA cert by navigating to the server certificate section, selecting the server certificate and then selecting "link" from the action menu.

Select the CA certificate from the drop down menu in the next window.

CLI  

You can SCP the certificate, key, and chain directly to the NetScaler and then bind them via the CLI. Upload the files in PEM format to the NetScaler in the /nsconfig/ssl directory. The files will sync to the secondary device when the configuration is saved. Alternatively, you can use a text editor (or simply "cat >") to paste the files directly into your terminal.

SCP from your local box  

scp <source file> gu=<SSO>@<TACACS>@<NSIP>@support.dfw1.gateway.example.com:/flash/nsconfig/ssl/<file name>

- sample -

scp nglab.example.corp.key gu=username@password@198.61.138.198@support.dfw1.gateway.example.com:/flash/nsconfig/ssl/nglab.example.corp.key

After the files are on the device, run the following to bind them into a certKey configuration object and link the chain.

Create binding on Netscaler  

add ssl certKey <certKey name> -cert <certfile> -key <keyfile> -expiryMonitor DISABLED

add ssl certKey <chain certKey name> -cert <chain certfile> -bundle YES -expiryMonitor DISABLED

link ssl certKey <certKey name> <chain certKey name>

- sample -

add ssl certKey wild.nglab.example.corp -cert nglab.example.corp.crt -key nglab.example.corp.key -expiryMonitor DISABLED

add ssl certKey Example_Internal_Root_CA -cert Example_Internal_Root_CA.crt -bundle YES -expiryMonitor DISABLED

link ssl certKey wild.nglab.example.corp Example_Internal_Root_CA

Invalid Private Key Error with Fix  

An error seen recently while installing the certificate key pair was quickly resolved using CTX134233.

Error: When installing the cert key pair, either via GUI or CLI, you receive the following message: Invalid private key, or PEM pass phrase required for this private key

The issue is due to hidden space control characters within the key.

It is an easy fix using the steps below:

Log in to NetScaler via SSH.

Switch to Shell.

Go to the /nsconfig/ssl directory.

Run the following openssl command to remove the hidden characters: openssl rsa -in current_keyfilename -out NEW_keyfilename

Install the new certificate key pair.
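As an added example (not from the original page or from Citrix), the following POSIX shell functions pre-check a PEM key before "add ssl certKey": they count the hidden control bytes that cause the "Invalid private key" error above and write a clean copy using the page's openssl rsa step. The function names and the constructed sample (which is not a real key) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-flight check for a PEM
# private key before "add ssl certKey". It counts the hidden control bytes
# (CR, NUL, UTF-8 BOM ...) that cause NetScaler's "Invalid private key"
# error, and produces a clean copy using the page's fix (openssl rsa).

# Number of bytes in the file that are neither printable ASCII nor newline.
# A clean PEM file returns 0; a Windows CRLF file or one with a BOM does not.
pem_hidden_char_count() {
    LC_ALL=C tr -d '\n' < "$1" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' '
}

# True when the file carries a PEM private-key header (PKCS#1 or PKCS#8).
pem_has_key_header() {
    grep -q -e '-----BEGIN RSA PRIVATE KEY-----' -e '-----BEGIN PRIVATE KEY-----' "$1"
}

# Write a clean copy of key $1 to $2: first drop every non-printable byte
# (this example's addition), then re-encode with "openssl rsa -in old -out new"
# as the page describes. If openssl is missing or rejects the input (e.g. an
# encrypted key that would need -passin), the stripped copy is kept instead.
pem_normalize() {
    in=$1
    out=$2
    LC_ALL=C tr -cd '[:print:]\n' < "$in" > "$out.tmp"
    if command -v openssl >/dev/null 2>&1 &&
       openssl rsa -in "$out.tmp" -out "$out" >/dev/null 2>&1; then
        rm -f "$out.tmp"
    else
        mv "$out.tmp" "$out"
    fi
}

# Constructed sample (not a real key): a UTF-8 BOM plus CRLF line endings,
# the kind of damage a paste through a Windows editor leaves behind.
make_constructed_sample() {
    {
        printf '\357\273\277'
        printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' \
            'MIIEdummyBodyNotARealKey0000000000000000000000000000000000000000' \
            '-----END RSA PRIVATE KEY-----'
    } > "$1"
}
```

Run pem_hidden_char_count on the key you uploaded; anything other than 0 means the file will trip the error, and pem_normalize produces the NEW_keyfilename to install.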

Binding the Certificates and Profiles  

GUI  

Select the Content Switching Virtual Server that you want to bind the SSL certificate to by going to Configuration >> Traffic Management >> Content Switching >> Virtual Servers and then selecting the virtual server and clicking on "edit".

On the far right under "Advanced Settings" in the new window click on "Certificates" to add the menu option to the pane on the left. Then select "Server Certificate" and add your certificate. Click bind and then continue.

CLI  

Binding the SSL certificate is a one line command in the CLI.

Bind the certKey to the VIP  

bind ssl vserver <cs vserver name> -certkeyName <certKey name>

- sample -

bind ssl vserver CS_198.61.138.199_443 -certkeyName wild.nglab.example.corp

Updating SSL Ciphers with an SSL profile  

SECURE SSL profile  

Starting with release 12.1, Citrix has included an SSL profile named "ns_default_ssl_profile_secure_frontend" that is designed to get an A+ rating on SSL Labs. This can be used in lieu of the more permissive SSLPROF_RAX_DEFAULT profile if the customer requires the additional security or the A+ rating.

SECURE SSL Profile  

LB-NETSCALER-Primary> show ssl profile ns_default_ssl_profile_secure_frontend
1) Name: ns_default_ssl_profile_secure_frontend (Front-End)
SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Client Auth: DISABLED
Use only bound CA certificates: DISABLED Strict CA checks: NO
Session Reuse: ENABLED Timeout: 120 seconds
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Deny SSL Renegotiation NONSECURE Non FIPS Ciphers: DISABLED
Cipher Redirect: DISABLED SSL Redirect: DISABLED Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
Push Encryption Trigger: Always
PUSH encryption trigger timeout: 1 ms
SNI: DISABLED
OCSP Stapling: DISABLED
Strict Host Header check for SNI enabled SSL sessions: NO
Push flag: 0x0 (Auto)
SSL quantum size: 8 kB Encryption trigger timeout 100 mS Encryption trigger packet count: 45
Subject/Issuer Name Insertion Format: Unicode
SSL Interception: DISABLED
SSL Interception OCSP Check: ENABLED
SSL Interception End to End Renegotiation: ENABLED
SSL Interception Maximum Reuse Sessions per Server: 10
Session Ticket: DISABLED HSTS: ENABLED
HSTS IncludeSubDomains: YES HSTS Max-Age: 15552000
ECC Curve: P_256, P_384, P_224, P_521
1) Cipher Name: SECURE Priority :2
Description: Predefined Cipher Alias
Done
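As an added example (not from the original page or from Citrix), the shell function below audits the text of a "show ssl profile" listing, using the field names in the output above, and flags the settings that would cost the A+ rating: legacy protocol versions enabled, no TLSv1.2/1.3, renegotiation not denied, or HSTS off. The function names and the two constructed sample listings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: audit "show ssl profile <name>"
# output for settings weaker than the secure front-end profile. Field names
# follow the listing shown on the page.

# Print one finding per line for the profile output in file $1 and return the
# number of findings (0 means nothing weak was found).
audit_ssl_profile() {
    f=$1
    n=0
    for proto in SSLv3 TLSv1.0 TLSv1.1; do
        # Legacy protocol versions must be DISABLED on a front-end profile.
        if grep -q "$proto: ENABLED" "$f"; then
            echo "weak: $proto is enabled"; n=$((n + 1))
        fi
    done
    if ! grep -q 'TLSv1.2: ENABLED' "$f" && ! grep -q 'TLSv1.3: ENABLED' "$f"; then
        echo "weak: neither TLSv1.2 nor TLSv1.3 is enabled"; n=$((n + 1))
    fi
    # "Deny SSL Renegotiation NO" (as opposed to NONSECURE or stricter) leaves
    # client-initiated renegotiation allowed.
    if grep -q -e 'Deny SSL Renegotiation NO[^A-Z]' -e 'Deny SSL Renegotiation NO$' "$f"; then
        echo "weak: SSL renegotiation is not denied"; n=$((n + 1))
    fi
    grep -q 'HSTS: ENABLED' "$f" || { echo "weak: HSTS is disabled"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples (not captured from a device) using the page's field
# layout: the secure profile as shown, and a permissive variant of the same
# fields. $1 = output file, $2 = "secure" or "weak".
make_sample_profile() {
    if [ "$2" = secure ]; then
        protos='SSLv3: DISABLED TLSv1.0: DISABLED TLSv1.1: DISABLED TLSv1.2: ENABLED TLSv1.3: DISABLED'
        reneg='Deny SSL Renegotiation NONSECURE Non FIPS Ciphers: DISABLED'
        hsts='Session Ticket: DISABLED HSTS: ENABLED'
    else
        protos='SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED'
        reneg='Deny SSL Renegotiation NO Non FIPS Ciphers: DISABLED'
        hsts='Session Ticket: ENABLED HSTS: DISABLED'
    fi
    printf '%s\n' "1) Name: sample_$2_frontend (Front-End)" "$protos" \
        'Client Auth: DISABLED' "$reneg" "$hsts" 'Done' > "$1"
}
```

Paste the output of "show ssl profile" for the profile bound to the VIP into a file and run audit_ssl_profile on it; a non-zero return lists what differs from the secure baseline.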

GUI  

First you need to create an SSL profile with the desired cipher list. Navigate to Configuration >> System >> Profiles >> SSL Profile and click "Add".

In the new window add your desired name and select any options that you want. SSL protocols and SNI settings are toward the bottom. Then click "OK" at the bottom. Halfway down the next window you will see SSL ciphers. Click on the pencil "edit" button on the right.

Click on the "add" button with the green cross that pops up and you will be presented with a window that will allow you to add whatever ciphers you need. You can add an entire group or just a few specific ciphers. The Example kick will come with a group for recommended defaults. Add your ciphers to the configured list on the right and remove any you do not want. Then click "OK".

Apply the SSL profile by going to Configuration >> Traffic Management >> Content Switching >> Virtual Servers and then selecting your virtual server and clicking "edit".

On the edit screen click the pencil "edit" button to the right of the SSL profile section and then select your new profile via the drop down box. Click "OK" and then "Done".

CLI  

Creating SSL profiles via the CLI may not be feasible in all situations as you will need to know exactly which cipher strings or groups you want to add as well as any other options that you want to enable or disable.

Create SSL Profile  

add ssl profile <Profile Name> <add other parameters as required>

bind ssl profile <Profile Name> -cipherName <cipher string or group> -cipherPriority <#>

- sample -

add ssl profile SSL_TEST_PROFILE -sessReuse ENABLED -sessTimeout 120

bind ssl profile SSL_TEST_PROFILE -cipherName HIGH -cipherPriority 1

bind ssl profile SSL_TEST_PROFILE -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 2

bind ssl profile SSL_TEST_PROFILE -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 3

Adding the SSL profile to the VIP is a one line command.

Bind the SSL profile to the Virtual Server  

set ssl vserver <virtual server> -sslProfile <SSL profile>

- sample -

set ssl vserver CS_198.61.138.199_443 -sslProfile SSL_TEST_PROFILE

Reference Links  

ssl certKey:  

https://developer-docs.citrix.com/projects/netscaler-command-reference/en/12.0/ssl/ssl-certkey/ssl-certkey/  

Secure Profile:  

https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-profiles/secure-front-end-profile.html  

Invalid Private Key Error:  

https://support.citrix.com/article/CTX134233