Configure a SecureAuth CRL File for NetScaler

Introduction

This document explains how to configure SecureAuth CRLs for NetScaler.

Configuration steps

1. Review this Citrix document about configuring CRLs on a NetScaler appliance: http://support.citrix.com/article/CTX127218

2. Under the SSL section, find the information about configuring CRLs.

3. Configure the CRL using the HTTP method.

4. The CRL distribution point is required to complete the configuration.

a. The location of the CRL can be found in the X.509 certificate the user receives when enrolling with SecureAuth.

b. On the details tab, about two-thirds down, you will find the distribution point listed.

5. Configure the SSL CRL.

Note

NetScaler CLI Configuration Information

For information on configuring NetScaler from the CLI, follow this link: https://docs.google.com/a/multifa.com/viewer?url=http://support.citrix.com/servlet/KbServlet/download/17535-102-665510/NS_ICG_V1.pdf

The session below uses the 'show crl' and 'set crl' commands to confirm that the CRL has been properly installed:

  • The command 'show crl' lets you see the configured CRL.

  • The result and time of the last update appear in the 'Last Update' field of the output.

  • Force the CRL to update using the '-interval now' flag; the next 'show crl' then shows that the CRL was updated.

> show crl
1) Name: SecureAuth-Sierra-der Status: Valid, Days to expiration: 5
CRL Path: /var/netscaler/ssl/MFC-Sierra-DER
Format: DER CAcert: MFC-Sierra
Refresh: ENABLED Method: HTTP
URL: http://x509.multifactortrust3.com/CertInfo/MFCIssuer3Sierra.banner.multifactortrust3.com.crl
Refresh Interval: DAILY Last Update: Successful, Date: Thu Oct 11 12:58:24 2012
Done
> set crl SecureAuth-Sierra-der -interval now
Done
> show crl

1) Name: SecureAuth-Sierra-der Status: Valid, Days to expiration: 5
CRL Path: /var/netscaler/ssl/MFC-Sierra-DER
Format: DER CAcert: MFC-Sierra
Refresh: ENABLED Method: HTTP
URL: http://x509.multifactortrust3.com/CertInfo/MFCIssuer3Sierra.banner.multifactortrust3.com.crl
Refresh Interval: DAILY Last Update: Successful, Date: Thu Oct 11 14:40:10 2012
Done
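
The check described above can be automated. The following is an added example, not part of the original document or of Citrix or SecureAuth tooling: it parses 'show crl' output like the session shown and reports CRL entries that are not valid, not refreshing, or not recently updated. The function names and the thresholds min_days and max_age are assumptions chosen for illustration; collecting the output from the appliance is left to the reader.

```python
import re
from datetime import datetime, timedelta

# 'show crl' output copied from the session above.
SAMPLE = """\
1) Name: SecureAuth-Sierra-der Status: Valid, Days to expiration: 5
CRL Path: /var/netscaler/ssl/MFC-Sierra-DER
Format: DER CAcert: MFC-Sierra
Refresh: ENABLED Method: HTTP
URL: http://x509.multifactortrust3.com/CertInfo/MFCIssuer3Sierra.banner.multifactortrust3.com.crl
Refresh Interval: DAILY Last Update: Successful, Date: Thu Oct 11 14:40:10 2012
"""

# Labels seen in that output; a value runs to the next label or end of line.
LABELS = ["Name", "Status", "Days to expiration", "CRL Path", "Format", "CAcert",
          "Refresh Interval", "Refresh", "Method", "URL", "Last Update", "Date"]
FIELD_RE = re.compile(r"\b(%s): " % "|".join(map(re.escape, LABELS)))

def parse_show_crl(text):
    """Return one dict of fields per CRL entry in 'show crl' output."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\s*\d+\)\s+Name: ", line):
            entries.append({})          # "N) Name:" starts a new entry
        hits = list(FIELD_RE.finditer(line))
        if not entries or not hits:
            continue                    # prompt lines, blank lines, "Done"
        for m, nxt in zip(hits, hits[1:] + [None]):
            end = nxt.start() if nxt else len(line)
            entries[-1][m.group(1)] = line[m.end():end].strip(" ,")
    return entries

def crl_problems(entry, now, min_days=2, max_age=timedelta(days=2)):
    """List reasons the CRL may be stale (thresholds are assumed values)."""
    expected = {"Status": "Valid", "Refresh": "ENABLED", "Last Update": "Successful"}
    problems = ["%s is %r, expected %r" % (k, entry.get(k), v)
                for k, v in expected.items() if entry.get(k) != v]
    days = entry.get("Days to expiration", "")
    if not days.isdigit() or int(days) < min_days:
        problems.append("CRL expires in under %d days" % min_days)
    date = entry.get("Date")
    updated = datetime.strptime(date, "%a %b %d %H:%M:%S %Y") if date else None
    if updated is None or now - updated > max_age:
        problems.append("no refresh since %s" % (updated or "unknown"))
    return problems

if __name__ == "__main__":
    for e in parse_show_crl(SAMPLE):
        print(e["Name"], crl_problems(e, now=datetime(2012, 10, 20)) or "OK")
```

A CRL that stops refreshing eventually expires, so a check like this belongs in routine monitoring rather than being run once after setup.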

Note

These steps set up the CRL for CA servers, but do not cause the Access Gateway to enforce CRLs. To enable that feature, go to the virtual server and designate that CA certificates must use a CRL check.