Known Issues

Issues may occur after restarting when adding a certificate / key file with the same name as an existing certificate / key file to Load balancer (NetScaler VPX)


Summary

In the Load balancer (NetScaler VPX) menu, if you add a certificate / key file with the same name as an existing certificate / key file, the original certificate / key file is overwritten without warning. Because the original certificate / key file can no longer be used, the issues described below may occur after a restart as a result of the following problems.

The manufacturer’s public information regarding this issue is as follows.
URL: https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-certificates.html
* Please refer to “Important” at the bottom of the page

 

Problem

1. A certificate / key file that is in use can be overwritten, and the old certificate / key data continues to be used, without being updated, until the load balancer restarts.
2. It is possible to create duplicate certificate / key settings (existing and new) while overwriting the certificate / key file that is in use.

Cases in which Problems 1 and 2 occur

When a certificate is registered as follows (procedure: https://ecl.ntt.com/documents/tutorials/rsts/LoadBalancer/loadbalancing/ssl_offload_and_acceleration1.html):
- A “Certificate-Key Pair Name” that does not yet exist is set.
- A certificate file / key file is specified that has the same name as a file registered in an existing certificate / key setting but contains different data.

Issues

1. In the state of Problem 1, the certificate / key file that is read may differ before and after the restart, because the new certificate / key file is not read until the restart.
2. If a restart takes place in the state of Problem 2, one of the existing and new certificate / key settings created in Problem 2 may be lost, and the related certificate settings may be lost with it.

 

Affected version

12.1-52.15
12.1-55.18
12.0-53.13
11.0-67.12
10.5-57.7

 

Solution

In the case of registering a new certificate

Please do not register a certificate file / key file with the same name as a certificate that already exists in Load Balancer (NetScaler VPX). Register the certificate file / key file under another name. Due to the specifications, it is not possible to register a certificate file / key file with the same name as the certificate that already exists in Load Balancer (NetScaler VPX).

In the case of updating an existing certificate

Follow the steps below to update.

“How to update procedure of SSL certificates of LoadBalancer?”

How to check the setting status that may cause this issue

Follow the procedure below.

In the case of using CLI

1. Execute the following command.
> show run

2. This issue may occur if the same file name appears in the -cert or -key option of more than one “add ssl certKey” line.
Example)
add ssl certKey cert001 -cert a.cert
add ssl certKey cert002 -cert a.cert

3. If you see duplicate settings in step 2, save the current settings and delete all the settings related to the affected certificate (Virtual Server certificate settings and the link with the intermediate certificate).
Then configure them again using a certificate file / key file with a different name.

Reference : https://ecl.ntt.com/en/documents/tutorials/rsts/LoadBalancer/loadbalancing/ssl_offload_and_acceleration3.html

https://ecl.ntt.com/en/documents/tutorials/rsts/LoadBalancer/loadbalancing/ssl_offload_and_acceleration2.html

In the case of using GUI

1. Navigate as follows.
System > Diagnostics > Utilities > Command Line Interface
2. After that, follow the same steps (1-3) as when using the CLI.
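
The duplicate check in step 2 can be run over saved "show run" output. The script below is an added example, not part of the original page or vendor tooling. The function name and the sample configuration are constructed for illustration, and file names are compared exactly as written in the configuration.

```python
import shlex
from collections import defaultdict

# Constructed sample of "show run" output (not taken from a real device).
SAMPLE_CONFIG = """\
add ssl certKey cert001 -cert a.cert -key a.key
add ssl certKey cert002 -cert a.cert -key b.key
add ssl certKey cert003 -cert "c 2024.cert" -key c.key
add lb vserver vs1 SSL 192.0.2.10 443
bind ssl vserver vs1 -certkeyName cert001
"""


def find_shared_files(config_text):
    """Return {file name: [certKey pair names]} for every file that is
    referenced by -cert or -key in more than one "add ssl certKey" line."""
    users = defaultdict(set)
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)  # keeps quoted names with spaces whole
        except ValueError:
            continue  # unbalanced quotes: not a line this check can parse
        if len(tokens) < 4:
            continue
        if [t.lower() for t in tokens[:3]] != ["add", "ssl", "certkey"]:
            continue
        pair_name = tokens[3]
        # Walk option/value pairs that follow the pair name.
        for option, value in zip(tokens[4:], tokens[5:]):
            if option.lower() in ("-cert", "-key"):
                users[value].add(pair_name)
    # One pair using the same file for both -cert and -key is not a duplicate.
    return {name: sorted(pairs) for name, pairs in users.items() if len(pairs) > 1}


if __name__ == "__main__":
    for file_name, pairs in find_shared_files(SAMPLE_CONFIG).items():
        print(f"{file_name} is referenced by: {', '.join(pairs)}")
```

Any file name reported by the script corresponds to the duplicate setting described in step 2 and should be handled as in step 3.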