SSL A+ rating on the Citrix ADC / Update: 2019-12-09
In this article I explain how you can get an SSL A+ rating from Qualys SSL Labs on the Citrix ADC. Nowadays it should be standard that websites and web services are offered only over encrypted connections. At the same time, only encryption methods that are currently considered secure should be used. I think SSL (Secure Sockets Layer) is very easy to use, but there are a few pitfalls to consider.
One of these pitfalls is that SSL settings have to be updated over and over again: the security standards for SSL keep changing, and the configuration on the Citrix ADC has to be adapted to them again and again.
Check how well your web services comply with the current standard
If you would like to check more closely how well your web services and websites comply with the current standard for SSL encryption, you can use the following services:
Qualys SSL Labs – https://www.ssllabs.com/ – I think this is the best-known site for SSL checks; it also lets you test how different clients behave and whether known attacks apply
DigiCert SSL Certificate Checker – https://www.digicert.com/help/ – Checks certificate chains for validity
The way to A+
The goal should always be to get an SSL A+ rating on the Citrix ADC. This will look like this:
The goal is to achieve an A+ rating in the Qualys SSL Labs check, because then you can be sure that you meet the latest encryption standards.
A detailed guide to the ratings can be found below:
How do I get an SSL A+ rating on the Citrix ADC?
Next we want to make sure that we get an SSL A+ rating on the Citrix ADC and that our services are accordingly secure.
If you set up a service with the default settings, you will usually not get a very good rating.
In my first tests (the web service was published without any special encryption settings) I got a C rating. That’s pretty bad.
Here you can see the screenshot of the first test:
Create the DH Key
To get an SSL A+ rating on the Citrix ADC, we start by creating a new “SSL Profile” on the Citrix ADC. In preparation we first create a DH key (for the Diffie-Hellman (DH) key exchange). To do this, go to the menu item “SSL” on your Netscaler under “Configuration” > “Traffic Management”. There you find the option “Create Diffie-Hellman (DH) key”, which lets you create a new DH key. Please note that it may take up to 30 minutes until the key is created if you use 2048 bit.
The new SSL Profile
Now that we have created our DH key, we create a new “SSL Profile”. This makes it a lot easier if you want to apply the same SSL settings to more than one virtual server on the Citrix ADC (formerly Citrix Netscaler ADC). Go to “Configuration” > “System” > “Profiles” and open the tab “SSL Profiles”. There you can, for example, copy the profile “ns_default_ssl_profile_secure_frontend”; then you don’t have to set all the settings manually again. Alternatively, you will find below the CLI commands with which you can create the SSL profile.
In the SSL profile you now use the following settings:
A new Cipher Group needs to be created
Once you have created the SSL profile, you can immediately create a new Cipher Group. We also need this for our SSL settings.
Good to know: a cipher group contains several cipher suites. A cipher suite specifies the protocol, the key exchange algorithm (Kx), the authentication algorithm (Au), the encryption algorithm (Enc) and the message authentication code (MAC) algorithm.
We now create the Cipher Group via the CLI, as this is much faster. You can enter the following part directly on the (Netscaler) CLI of your Citrix ADC.
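Before the cipher group goes onto the ADC, the intended suite list can be sanity-checked on an admin workstation with Python's ssl module; this is an added example, not from the article and not the Citrix CLI commands it refers to. The OpenSSL cipher strings and the acceptance rule (forward secrecy plus an AEAD cipher) are assumptions for this example, and the ADC uses its own suite names, so translate them when building the cipher group.

```python
import ssl

# Cipher strings in OpenSSL notation (constructed for this example).
BROAD_CIPHERS = "ALL:!aNULL:!eNULL"   # roughly what a default profile offers
HARDENED_CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
                    ":!aNULL:!eNULL:!MD5:!RC4:!3DES")

# Key exchanges that give forward secrecy; DHE relies on the DH key created above.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def enumerate_suites(cipher_string):
    """Expand an OpenSSL cipher string into the suites the local OpenSSL knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def suite_is_acceptable(suite):
    """Assumed policy: forward secrecy plus AEAD (TLS 1.3 suites always qualify)."""
    if suite["protocol"] == "TLSv1.3":
        return True
    return suite["kea"] in FORWARD_SECRET_KX and bool(suite["aead"])


def describe(suite):
    """Break a suite into the Kx / Au / Enc / MAC parts a cipher group is made of."""
    mac = "AEAD" if suite["aead"] else (suite["digest"] or "?")
    return "{name:40s} Kx={kea} Au={auth} Enc={symmetric} MAC={mac}".format(
        mac=mac, **suite)


def audit(cipher_string):
    """Return (accepted, rejected) suite names for a cipher string."""
    accepted, rejected = [], []
    for suite in enumerate_suites(cipher_string):
        (accepted if suite_is_acceptable(suite) else rejected).append(suite["name"])
    return accepted, rejected


if __name__ == "__main__":
    for label, ciphers in (("default-like", BROAD_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        accepted, rejected = audit(ciphers)
        print(f"{label}: {len(accepted)} acceptable, {len(rejected)} rejected")
        for suite in enumerate_suites(ciphers):
            flag = "OK " if suite_is_acceptable(suite) else "BAD"
            print(f"  {flag} {describe(suite)}")
```

The default-like list shows suites without forward secrecy or with CBC ciphers marked BAD; the hardened list should come out clean before you build the cipher group on the ADC.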
Once we have created our SSL profile and our Cipher Group, we switch to the content switching virtual server or the Citrix Gateway virtual server.
On the right side under “Advanced Settings” you will find the item “SSL Profile”. Select it; it then appears in the configuration area, where you can choose your SSL profile and confirm with “OK”.
We add our newly created Cipher Group and remove the “Default” Cipher Group from the virtual server. When you’re done, it should look like this:
Check whether the goal has been achieved!
Now that we have made all the settings on our virtual server, we want to check whether they were successful and we get an A+ rating on the Citrix ADC. Our SSL rating can be checked via Qualys SSL Labs at the link above.
This is how your virtual server or the individual websites should be displayed if you have carried out the settings successfully.
I hope as always that you liked the article and that it will help you. If you have any questions or suggestions, please write me a comment. Also read my other articles about Citrix ADC here.
Otherwise I am happy about a Like on Facebook or Xing, or if you follow me on Twitter. The social media buttons are at the top and at the bottom of my page. You can also share my article if you like.
Have a nice day