CTX213342

How to Handle Certificate Expiry on Citrix ADC

Applicable Products

  • Citrix ADC

Objective

This article describes how to handle certificate expiry on Citrix ADC.


Instructions

An “Expiry Monitor” configured on the ADC appliance creates entries in the appliance's syslog and nsaudit logs at midnight when a certificate configured on the appliance is due to expire. The expiry event is logged only once.

There are two ways to monitor certificate expiry.
1. Using the “Notify When Expires” option in ADC

Step 1: Navigate to Traffic Management -> SSL -> Certificates, select the certificate, and click Update.

Step 2: Select Notify When Expires, specify a notification period (number of days), and click OK.

Selecting the “Notify When Expires” option enables the “Expiry Monitor”, which is associated with the SSL-Cert-Expiry SNMP trap. Enabling this option on the NetScaler appliance creates entries in the appliance's syslog and nsaudit logs when a certificate configured on the appliance is due to expire. By default, these logs are written to /var/log/ns.log.

Example:
root@ns# grep sslCertificateExpiry /var/log/ns.log
Jan 17 00:00:41 <local0.info> 192.168.180.139 01/16/2018:16:00:41 GMT ns 0-PPE-0 : default SNMP TRAP_SENT 259058 0 :  sslCertificateExpiry (sslCertKeyName.kgs = "kgs", sslDaysToExpire.kgs = 100, nsPartitionName = default)
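
Because the expiry event is written only once, it helps to extract it from collected logs rather than rely on someone noticing it. The following Python example is added here and is not Citrix code: it parses sslCertificateExpiry TRAP_SENT lines in the layout shown above and lists certkeys at or below a day threshold. The function names, the 30-day threshold and every sample line except the first are constructed for illustration.

```python
import re
from typing import NamedTuple

class ExpiryEvent(NamedTuple):
    logged_at: str   # syslog timestamp (this format carries no year)
    partition: str
    cert_key: str
    days_left: int

# Layout taken from the ns.log example line in the article.
TRAP_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s.*SNMP TRAP_SENT.*'
    r'sslCertificateExpiry\s*\(sslCertKeyName\.[^=]+=\s*"(?P<name>[^"]+)",\s*'
    r'sslDaysToExpire\.[^=]+=\s*(?P<days>\d+),\s*'
    r'nsPartitionName\s*=\s*(?P<partition>[^\s)]+)\)'
)

def parse_expiry_traps(lines):
    """Return (events, unparsed); unparsed holds trap lines that do not fit the layout."""
    events, unparsed = [], []
    for line in lines:
        if "sslCertificateExpiry" not in line:
            continue
        m = TRAP_RE.match(line.strip())
        if m is None:
            unparsed.append(line)  # surface truncation or format drift, do not drop it
            continue
        events.append(ExpiryEvent(m["ts"], m["partition"], m["name"], int(m["days"])))
    return events, unparsed

def certs_needing_renewal(events, max_days):
    """Lowest reported days-left per (partition, certkey), <= max_days, soonest first."""
    lowest = {}
    for ev in events:
        key = (ev.partition, ev.cert_key)
        if key not in lowest or ev.days_left < lowest[key].days_left:
            lowest[key] = ev
    return sorted((e for e in lowest.values() if e.days_left <= max_days),
                  key=lambda e: e.days_left)

# First line is the article's example; the remaining lines are constructed samples.
SAMPLE_LOG = [
    'Jan 17 00:00:41 <local0.info> 192.168.180.139 01/16/2018:16:00:41 GMT ns 0-PPE-0 : default SNMP TRAP_SENT 259058 0 :  sslCertificateExpiry (sslCertKeyName.kgs = "kgs", sslDaysToExpire.kgs = 100, nsPartitionName = default)',
    'Jan 18 00:00:41 <local0.info> 192.168.180.139 01/17/2018:16:00:41 GMT ns 0-PPE-0 : default SNMP TRAP_SENT 259101 0 :  sslCertificateExpiry (sslCertKeyName.portal = "portal", sslDaysToExpire.portal = 12, nsPartitionName = default)',
    'Jan 18 00:00:42 <local0.info> 192.168.180.139 01/17/2018:16:00:42 GMT ns 0-PPE-0 : default SNMP TRAP_SENT 259102 0 :  sslCertificateExpiry (sslCertKeyName.vpn = "vpn", sslDaysToExp',
    'Jan 18 00:01:10 <local0.info> 192.168.180.139 01/17/2018:16:01:10 GMT ns 0-PPE-0 : default EVENT DEVICEUP 259110 0 :  Device "server_vip" - State UP',
]

if __name__ == "__main__":
    events, unparsed = parse_expiry_traps(SAMPLE_LOG)
    for ev in certs_needing_renewal(events, max_days=30):
        print(f"{ev.partition}/{ev.cert_key}: {ev.days_left} days left (logged {ev.logged_at})")
    print(f"{len(unparsed)} trap line(s) could not be parsed")
```

Lines reported as unparsed deserve a manual look, since a truncated or reformatted trap line may be the only record of that certificate's expiry warning.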


To enable an expiry monitor for a certificate by using the command line interface, type the following at the command prompt:

  • set ssl certKey <certkeyName> [-expiryMonitor ENABLED] [-notificationPeriod <positive_integer>]
  • sh ssl certKey

Tip: To test the sslCertificateExpiry function by changing the date, remember to reboot the device with ">reboot -warm". After that, do not reboot again; wait for the SNMP trap to be sent at 00:00 on the next expiry day.

2. Using the “Notification Settings” option on ADM

To set up notifications using ADM, follow the steps mentioned here.


Additional Resources

Create Certificate Signing Request: CTX211887
For instructions on how to update an existing SSL certificate, click here.

Background

An SSL certificate is valid for a specific period of time. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. SSL certificates are important for a server to maintain the confidentiality of data, and a company's reputation and credibility can be damaged when users encounter a website with an expired SSL certificate. It is therefore critical to monitor certificate expiry and keep certificates up to date.