Install your SSL certificate

You can install the SSL Certificate that you created in the previous step-by-step, Deploying and Configuring the IBM© Hardware Security Module (HSM) with Citrix Netscaler VPX for your Citrix Netscaler VPX.

To do so, perform the following procedure:

1. Confirm that the certificate is present in the /nsconfig/ssl directory on your Citrix Netscaler VPX.

   root@IBMADC690867-s6dr# cd /nsconfig/ssl
   root@IBMADC690867-s6dr# ls
   certbundle              ns-root.srl             ns-	sftrust-root.key     ns-sftrust.key
   hsmclient7.cer          ns-server.cert          ns-	sftrust-root.req     ns-sftrust.req
   ns-root.cert            ns-server.key           ns-	sftrust-root.srl     ns-sftrust.sig
   ns-root.key             ns-server.req           ns-	sftrust.cert
   ns-root.req             ns-sftrust-root.cert    ns-	sftrust.der
   

2. Even though the certificate key is located in the proper directory, it must be recognized as a valid Citrix Netscaler VPX object for it to connect and interact with other VPX components. To do so:

   > add ssl hsmKey NSkey_s6dr -hsmType SAFENET -	SerialNum 534071053 -password P@rtition6
   ERROR:  Internal error while adding HSM key.
   

   The previous command uses the following syntax:

   add ssl hsmkey <KeyName> -hsmType SAFENET -serialNum 	<serial #> -password <password>
   

   Where keyName is the name of the key that is created on the IBM© Hardware Security Module (HSM) with the CMU utility. The serialNum parameter is the serial number of the partition in question. The password parameter, as before, is the password of the partition on which the keys are present.

   The Internal error message is expected due to the increased time that it takes to complete this step. The key should be properly added. However, any other error messages you receive should be addressed.

3. Confirm that the key was added:

   > show ssl hsmkey
   1) HSM Key Name: NSkey_s6dr
   Done
   

4. As with the HSM key, the SSL certificate must be added by using the appropriate Citrix VPX command for it to be recognized:

   > add ssl certkey hsmclient7ns -cert /nsconfig/ssl/	hsmclient7.cer -hsmkey NSkey_s6dr
   Done
   

   For the previous command the following syntax is used:

   add ssl certkey <CertkeyName> -cert <cert path/name>
   -hsmkey <KeyName>
   

   Where certkey is the name of the certificate object to be added in the VPX device. The cert parameter contains the name and path to the file, if it is located in a directory other than the current one. Lastly, hsmkey contains the name of the key added in the previous step.

5. Confirm that the certificate was installed:

   > show ssl certKey
   [OUTPUT OMITTED]
   	2) Name: hsmclient7ns
   	Cert Path: /nsconfig/ssl/hsmclient7.cer
   	HSM Key ID: NSkey_s6dr
   	Format: PEM
   	Status: Valid,   Days to expiration:350
   	Certificate Expiry Monitor: ENABLED
   	Expiry Notification period: 30 days
   	Certificate Type: "Client Certificate" "Server Certificate"
   	Version: 3
   	Serial Number: 01785B2B61C8D7F1C06AC7CA8EDD573D
   	Signature Algorithm: sha256WithRSAEncryption
   	Issuer:  C=US,O=DigiCert
   Inc,OU=www.digicert.com,CN=RapidSSL RSA CA 2018
   	Validity
   		Not Before: Jul 26 00:00:00 2018 GMT
   		Not After : Jul 26 12:00:00 2019 GMT
   	Subject:  CN=hsmclient7.projectgoldfinch.net
   	Public Key Algorithm: rsaEncryption
   	Public Key size: 2048
   	Ocsp Response Status: NONE
   [OUTPUT OMITTED]
   Done
   >