Install, link, and update certificates 编辑

To install a certificate, see Add or update a certificate-key pair.

Link certificates

Many server certificates are signed by multiple hierarchical Certificate Authorities (CA), which means that the certificates form a chain like the following:

Certificate chain

Sometimes, the Intermediate CA is split into a primary and secondary intermediate CA certificate. Then the certificates form a chain like the following:

Certificate chain 2

Client machines usually contain the root CA certificate in their local certificate store, but not one or more intermediate CA certificates. The ADC appliance must send one or more intermediate CA certificates to the clients.

Note: The appliance must not send the root CA certificate to the client. The Public Key Infrastructure (PKI) trust relationship model requires root CA certificates to be installed on clients through an out-of-band method. For example, the certificates are included with the operating system or web browser. The client ignores a root CA certificate sent by the appliance.

Sometimes, an intermediate CA that standard web browsers do not recognize as a trusted CA, issues the server certificate. In this case, one or more CA certificates must be sent to the client with the server’s own certificate. Otherwise, the browser terminates the SSL session because it fails to authenticate the server certificate.

Intermediate certificates

Video link to How do I link an intermediate authority certificate.

Refer to the following sections to add the server and intermediate certificates:

  • Manual certificate linking
  • Automated certificate linking
  • Create a chain of certificates

Manual certificate linking

Note: This feature is not supported on the Citrix ADC FIPS platform and in a cluster setup.

Instead of adding and linking individual certificates, you can now group a server certificate and up to nine intermediate certificates in a single file. You can specify the file’s name when adding a certificate-key pair. Before you do so, make sure that the following prerequisites are met.

  • The certificates in the file are in the following order:
    • Server certificate (must be the first certificate in the file)
    • Optionally, a server key
    • Intermediate certificate 1 (ic1)
    • Intermediate certificate 2 (ic2)
    • Intermediate certificate 3 (ic3), and so on Note: Intermediate certificate files are created for each intermediate certificate with the name “<certificatebundlename>.pem_ic< n>” where n is between 1 and 9. For example, bundle.pem_ic1, where bundle is the name of the certificate set and ic1 is the first intermediate certificate in the set.
  • Bundle option is selected.
  • No more than nine intermediate certificates are present in the file.

The file is parsed and the server certificate, intermediate certificates, and server key (if present) are identified. First, the server certificate and key are added. Then, the intermediate certificates are added, in the order in which they were added to the file, and linked accordingly.

An error is reported if any of the following conditions exist:

  • A certificate file for one of the intermediate certificates exists on the appliance.
  • The key is placed before the server certificate in the file.
  • An intermediate certificate is placed before the server certificate.
  • Intermediate certificates are not in placed in the file in the same order as they are created.
  • No certificates are present in the file.
  • A certificate is not in the proper PEM format.
  • The number of intermediate certificates in the file exceeds nine.

Add a certificate set by using the CLI

At the command prompt, type the following commands to create a certificate set and verify the configuration:

add ssl certKey <certkeyName> -cert <string> -key <string> -bundle (YES | NO)

show ssl

show ssl certlink
<!--NeedCopy-->

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:48 次

字数:4990

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文