Overview
After completing this module, you will be able to:
Identify requirements to secure communications with SSL certificates.
Create and upload an SSL certificate.
Bind an SSL certificate key.
Identify common virtual SSL server deployments.
Configure advanced SSL options.
Create appropriate servers and virtual servers.
SSL
SSL is a protocol used to secure HTTP, TCP, and other types of traffic; it is the
industry standard security technology for establishing encrypted links between a
web server and a browser.
SSL/TLS encrypts the data using a certificate whose unique credentials identify
and authenticate the certificate owner.
Offload Performance
The NetScaler system supports extremely high-performance SSL encryption and
session creation.
For example, the NetScaler MPX platforms support:
As many as 75 Gbps of bulk encryption
As many as 560,000 SSL handshakes every second (2048-bit keys)
Digital Certificates
Generating certificate requests and applying certificates can sometimes be a
complex process, depending on the CA that you use. Citrix recommends always
using a common CA such as Thawte, VeriSign, or Network Solutions. These CAs
are usually trusted by all Windows and Macintosh operating systems and
therefore require less administrative overhead.
SSL Administration
The certificate formats that NetScaler supports are PEM and DER. An SSL
certificate and key can be obtained for use on the NetScaler system using one of
the following methods:
Request certificate and key from a certificate authority (CA).
Use an existing SSL certificate and key.
Generate a new SSL certificate and key using the self-signing tools on the NetScaler system.
SSL Keys
Keys are generated in the following situations:
Before generating and submitting a certificate signing request to a certificate
authority
Before generating a self-signed certificate for testing purposes
Command-line syntax:
create ssl <certReq> [-keyFile |-fipsKeyName ] [-keyform (DER | PEM)
{-PEMPassPhrase}] -countryName -stateName -organizationName
SSL Certificates
The NetScaler certificate tools can be used to generate the following certificate
types:
Root CA certificates
Intermediate certificates
Server certificates
Client certificates
Certificate Generation
Generate a certificate on the NetScaler system by specifying the certificate format,
certificate type, CA certificate file format, CA key file name, CA key file format, CA
key encryption, and CA serial number file.
Certificate Updates
You may need to update or replace a certificate on the NetScaler system for a
variety of reasons:
Certificate is expired or expiring soon
Default certificate needs to be replaced with trusted CA certificate
File name or private key has changed or has been compromised
Deployment Scenarios
The SSL requirements for a particular environment depend on how SSL will be
deployed.
The following scenarios are the most common:
Front-end SSL with back-end HTTP
Front-end SSL with back-end SSL
Front-end TCP over SSL with back-end TCP
SSL Bridge
The SSL_BRIDGE functionality allows all secure traffic to be bridged
transparently and directly to the back-end web server.
The system does not terminate or offload this traffic.
The web server must handle all SSL-related processing.
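Added example, not part of the original module: a NetScaler CLI sequence that takes one certificate from key generation through binding, then contrasts front-end SSL with back-end HTTP against SSL_BRIDGE, and finishes with an in-place certificate update. All entity names, file names, subject fields and IP addresses are constructed for illustration.

```netscaler
# Constructed values throughout: web1.*, web1_ck, vs_*, svc_*, 192.0.2.x, 10.0.0.x

# 1. Generate the private key, then a CSR from that key (web1.csr goes to the CA)
create ssl rsakey web1.key 2048 -keyform PEM
create ssl certReq web1.csr -keyFile web1.key -keyform PEM -countryName US -stateName California -organizationName "Example Corp" -commonName www.example.com

# 2. Load the CA-issued certificate and its key as one certificate-key pair,
#    with expiry monitoring so renewal is flagged 30 days ahead
add ssl certKey web1_ck -cert web1.cer -key web1.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30

# 3. Front-end SSL with back-end HTTP: NetScaler terminates SSL, so the
#    virtual server needs the certificate-key pair bound to it
add service svc_web1_http 10.0.0.11 HTTP 80
add lb vserver vs_web_ssl SSL 192.0.2.10 443
bind lb vserver vs_web_ssl svc_web1_http
bind ssl vserver vs_web_ssl -certkeyName web1_ck

# 4. SSL_BRIDGE: traffic passes through still encrypted, so no certificate
#    is bound on NetScaler; the back-end web server holds the certificate and key
add service svc_web2_bridge 10.0.0.12 SSL_BRIDGE 443
add lb vserver vs_web_bridge SSL_BRIDGE 192.0.2.11 443
bind lb vserver vs_web_bridge svc_web2_bridge

# 5. Certificate update: swap the files behind the existing pair so that
#    every virtual server bound to web1_ck picks up the renewed certificate
update ssl certKey web1_ck -cert web1_renewed.cer -key web1.key
```

With SSL_BRIDGE the system cannot inspect or rewrite the HTTP inside the session, so any content-level policies have to be enforced on the web server itself.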