Considerations for Upgrading from 12.0 to 12.1

1) Removal of Weak Ciphers from DEFAULT_BACKEND cipher Group

This should not cause any issues for customers with backend applications that use modern Ciphers and TLS.

However legacy applications may face connectivity issues if specific Cipher Groups, with these older Ciphers enabled, are not configured.

Make sure to check if any backend Web Server/Resource/Application requires the above Ciphers before upgrade.

If they do, configure a Cipher Group with the required Ciphers and bind this to the Service or Service Group and unbind the DEFAULT_BACKEND Cipher Group.

2) Change in Password Encryption for Private Keys/Certificate-Key Pairs

Support for KEK encryption in private key

The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

For more information, see

Important: Certificate keys are lost if you downgrade to a build earlier than release 12.1 build 50.x.

[From Build 50.31]

[# NSHELP-14911]

Customers should not see any issues with this change during the upgrade.

However if they do need to downgrade back for any reason, all their encrypted Private keys will not be added during the downgrade.

To get around this, you can either do 1 of 2 things:

1: (Recommended) Take a backup of the configuration while on 12.0, so if a downgrade is needed, a restore can be performed after the downgrade


2: Do not save the configuration after the upgrade to 12.1 until it has been confirmed that everything is working and there is no need to downgrade.


  • No Related Posts

Leave a Reply