Supportability may be a new concept to some, but it’s not new to us in Technical Support; it’s in our DNA! We work on high-impact and pervasive issues in Citrix product suites and partner with Product Management, Engineering, Documentation and Knowledge teams, among others at Citrix, to drive improvements. The end goal is to make life easier for you, our customer. In this post, I am going to highlight one area where a Supportability focus has brought positive change to our products.

In Networking, there’s a heightened focus on security, so every customer is going to want to leverage SSL/TLS at some stage. Certificate installation on NetScaler or NetScaler Gateway products has mandated a certain level of requisite knowledge around formats, private keys and encoding types. As not everyone is a subject matter expert in this arena, we figured that we could offload some of that knowledge requirement and make the NetScaler more intelligent about Certificate installation.

Big shout-out to PM Pankaj, who’s a fountain of knowledge on SSL and TLS and really drove this project. Let’s take a look at the enhancements delivered in NetScaler 11.1 for SSL Certificate Management. Before we do that, a before-and-after comparison with 11.0 will help give some insight into what has changed. Here is the Install Certificate screen available in the UI from Traffic Management > SSL > Certificates > Install in 11.0.

SSL Certificate Installation on NetScaler 11.0

Straight off, we can see a number of areas that could be improved upon. Customers require a bit of knowledge coming here, so is there any way we could make this easier? The improvements in NetScaler 11.1 can be summarised as:

  • Simplified Certificate Installation
  • Improved Certificate Expiry Notification configuration
  • Dynamic detection of Certificate format – DER/PEM/PFX
  • Dynamic detection of password requirement for Certificate or Key
  • Dynamic presentation of password field as required
  • SSL Certificate Management Improvements
  • Workflow Diagrams

Simplified Certificate Installation

NetScaler 11.1 Install Certificate dialogue

First up, a lot fewer fields. The goal here is to improve usability by dynamically showing fields only where necessary. A Certificate does not always need a password; think of a Certificate Authority Certificate here.

Improved Certificate Expiry Notification configuration

Secondly, expiry notification is a good default setting to have; however, we would like a guided experience for customers who have not completed the SNMP trap configuration needed to receive the notifications. The next screens show the SNMP configuration, which is possible without leaving the initial Install Certificate screen.

NetScaler 11.1 Certificate Installation SNMP Trap configuration

Dynamic detection of Certificate format

A common use case that gave customers no end of headaches is Certificates in PFX/PKCS12 format. These Certificates are popular as Client Certificates and are sometimes used as an export bundle of a Certificate with its Private Key from Windows servers. In previous versions of NetScaler, importing a PFX could involve using the Wizard-driven import routine or even breaking out the CLI shell to leverage OpenSSL commands to perform the conversion (once the actual PFX file had been uploaded to the NetScaler filesystem first!). In NetScaler 11.1 the feature will handle the PFX import and conversion automatically.

Other improvements in the dynamic detection extend to CA Certificates and to multiple Certificates in a bundle file (think PEM format with Server, Intermediate and Root CA Certificates). For bundle scenarios, the Certificates are broken out automatically into individual Certificates on the NetScaler filesystem.

Dynamic detection of password requirement for Certificate or Key

NetScaler 11.1 Dynamic password entry field

PFX format certificates mandate a password field, which is shown here dynamically as needed.
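The format detection, bundle split and password detection described in the sections above can be sketched as follows. This is an added example, not NetScaler's code: the heuristics (PEM labels, leading ASN.1 bytes), the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def first_inner(data):
    """First 3 bytes inside the outer ASN.1 SEQUENCE, or b'' if not DER."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    # Short-form length is one byte; long form adds (byte & 0x7F) length bytes.
    header = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    return data[header:header + 3]

def classify(data):
    """Return (format, object labels, needs_password) for an uploaded file."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        encrypted = any(
            label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
            for label, body in blocks)
        return "PEM", [label.decode() for label, _ in blocks], encrypted
    inner = first_inner(data)
    if inner == b"\x02\x01\x03":        # INTEGER 3 = PKCS#12 PFX version field
        return "PFX", ["PKCS12"], True  # per the post, PFX needs a password
    if inner[:1] == b"\x30":            # nested SEQUENCE: assumed X.509 certificate
        return "DER", ["CERTIFICATE"], False
    if inner[:2] == b"\x02\x01":        # other small INTEGER: plain DER private key
        return "DER", ["PRIVATE KEY"], False
    return "UNKNOWN", [], False

def split_bundle(data):
    """Split a PEM bundle into one PEM blob per certificate, in file order."""
    return [m.group(0) + b"\n" for m in PEM_BLOCK.finditer(data)
            if m.group(1) == b"CERTIFICATE"]

def pem_wrap(label, der, headers=b""):
    """Wrap bytes in PEM armor (used here only to build sample data)."""
    return (b"-----BEGIN " + label + b"-----\n" + headers
            + base64.encodebytes(der) + b"-----END " + label + b"-----\n")

# Constructed stubs (realistic leading ASN.1 bytes only, not valid certs/keys).
CERT_STUB = bytes.fromhex("308201003003020102")
PFX_STUB = bytes.fromhex("30820900020103")
BUNDLE = pem_wrap(b"CERTIFICATE", CERT_STUB) * 3
LEGACY_KEY = pem_wrap(b"RSA PRIVATE KEY", b"\x00" * 8,
                      b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
for sample in (CERT_STUB, PFX_STUB, BUNDLE, LEGACY_KEY):
    print(classify(sample), len(split_bundle(sample)))
```

The leading-byte check is only a first-pass heuristic: a DER-encoded CSR or encrypted PKCS#8 key also begins with a nested SEQUENCE, so an importer should confirm the result with a full ASN.1 parse before trusting the file.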

SSL Certificate Management Improvements

To aid with Management of SSL Certificates we’ve added some new nodes in the NetScaler Configuration UI to segregate Certificates into different buckets:

  • Server Certificates
  • Client Certificates
  • CA Certificates

Certificates added via Install Certificate will be automatically “bucket-ized” into the appropriate node.

NetScaler 11.1 SSL Certificate UI tree

Also, we’ve added a location Traffic Management > SSL > SSL Files where you can manage the Private Keys, Certificate Signing Request (CSR) files and SSL Certificate files.

NetScaler 11.1 SSL Files

Workflow Diagrams

Some diagrams were added to help customers understand the place of NetScaler in the overall flow of certificate creation. Hopefully both of these speak for themselves!

NetScaler 11.1 Generating a self-signed test certificate flow image
NetScaler 11.1 Obtaining a certificate from a Trusted CA flow image

Final Thoughts

The Supportability team works on a range of Citrix products to drive customer-focussed core enhancements. This is but one of many projects. We look forward to your feedback and feel free to share the one thing that constantly bugs you about a particular product. Perhaps it could be something we’re already working on improving or have teed up for a future project.

We’re glad the cat’s out of the bag and you can get more productive using SSL Certificates on NetScaler.
