Thursday, January 23, 2014

Updating SSL Certificate on Netscaler VPX Resource Already Exists Error


Updating or Replacing an SSL Certificate on Netscaler VPX 10



Resource Already Exists error Citrix Netscaler


When replacing or updating an SSL certificate on a Netscaler VPX version 10 appliance you get a Resource Already Exists error message. even when you try to add the certificate as a new certificate bypassing the update option in the Netscaler the message persists.

This can be caused by the same serial number or thumbprint on the re-issued certificate. This scenario is rare and most often occurs if there are two or more Netscalers in a load balance fail over configuration.
Oddly enough , this error can also occur if there is a problem with the SSL certificate itself. The cert can be from any CA and although it seemingly looks okay, closer inspection will reveal the certificate was generated with SHA2 encryption algorithm.  Have the certificate re-issued using SHA1. The Netscaler version 10 does not support SHA2 for SSL certs on virtual servers yet. Most likely, Netscaler 9 also does not support SHA1.
Contact your CA certificate provider and ask them to re-issue the certificate but generate it using SHA1 .







 

1 comment:

gtek01 said...

Unfortunately remote support software does not have direct access to Citrix Netscaler. Although the system is Linux based and extremely reliable, it is a closed system which disables the capability or access required to install or execute other support tools on it. Remote support software does not have to be left out of the equation however. If SSL is considered a remote support software tool then it can be used to attain remote access at a command prompt level to the system. The connection to do so is more secure from a workstation or server that is on the same network but the access can be from the web. Web based access however will require some additional firewall and access rules modifications. These can be done on the edge router or firewall. Another method is to use remote support software for remote access and connectivity into the Netscaler to modify or update settings is again to use a workstation or server located on the same network. The connection is made with remote c control software from the web. Web based access will require access rules to be modified similar to the requirement for direct SLL connections for remote support. Once on the server or desktop work station on the network, a connection using SSL or http, https can be used to access the device and apply updates including certificate updates.