Error: “No Such FIPS Key” when Trying to Install Certificate and FIPS Key on ADC FIPS Appliance

This issue is most commonly seen when the FIPS Key originated from another device’s private key that was subsequently imported into the FIPS ADC appliance. Commonly, private keys from other devices are imported as password-protected PFX files. On the FIPS ADC, the PFX file is converted into a PEM file that contains both the certificate and the private key.

After the PEM file is imported as a FIPS Key, the administrator attempts to install a new certificate definition using the existing PEM file and the new FIPS Key imported from it. The administrator provides the PFX file password when attempting to install the certificate definition using either of the following:

  • NetScaler administration utility (GUI): Traffic Management > SSL > Certificates > Install

  • Terminal session (CLI): add ssl certkey

The administrator might incorrectly include the PFX file password when installing the new certificate definition. However, the password is not required for a FIPS Key imported from the PEM file, because the private key exported from the PFX file into the PEM file is not encrypted.


Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021

On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities.

Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd

Security Impact Rating: High

CVE: CVE-2021-3449, CVE-2021-3450


How to Convert a PKCS #7 Certificate to PEM Format for Use with NetScaler

This article describes how to convert a certificate that is received from the Certificate Authority (CA) in PKCS #7 format to PEM format.

Background

This is an alternative method of converting a PKCS #7 certificate to PEM format, rather than using OpenSSL, which sometimes might not work correctly. You receive a certificate from the CA in PKCS #7 (Cryptographic Message Syntax standard) format. The file extension for the certificate is .p7b.


FAQ: How do I Block Heartbleed on NetScaler?

Q: Is NetScaler affected by Heartbleed vulnerability?

A: Heartbleed is one of the most impactful vulnerabilities identified in the recent history of the SSL protocol. Heartbleed is a bug in OpenSSL’s implementation of the TLS heartbeat extension that allows intruders to read information from the server’s memory, thereby revealing user data that was assumed to be protected by TLS. OpenSSL runs on the majority of sites hosted on the Internet, which makes this a widely impacting vulnerability. Secure information shared with the server becomes accessible to the attacker, and this action is completely undetectable.

Use cases

  • Andy wishes to interact with web sites (some arbitrary, some known) through a web browser in a secure fashion, free from Heartbleed attacks.
  • Banking.com wishes to host web servers to be used by people like Andy in a secure fashion, free from Heartbleed attacks.

Q: How does Heartbleed work?

A: To understand Heartbleed, it is first necessary to understand how the heartbeat extension works. A heartbeat request-response exchange between sender and receiver provides a “keep-alive” without performing a renegotiation. The message format contains the heartbeat message type, payload, payload length and padding. The payload can be any value that needs to be shared with the other participant (say, a server). The server copies the payload, builds a response message around it and replies to the sender. The payload length field is 2 bytes long and determines the length of the payload, which implies the payload can be anything up to 65536 bytes. As per RFC 6520, if the payload length is bigger than the supported value, the message should be discarded silently: the server should neither process the message nor send a response. This is not the case with OpenSSL’s implementation, which led to the Heartbleed vulnerability. As a result, the server sends the extra bytes of information requested by the attacker; these are data present in the server’s memory and can be sensitive information.
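The RFC 6520 rule described above, as an added example that is not NetScaler or OpenSSL code: a receiver that compares the declared payload_length with the bytes it actually holds and silently discards anything that does not fit, plus a server-side responder that only echoes well-formed requests. The two test vectors are constructed here; the second declares 65535 payload bytes while carrying two, which is exactly the mismatch the check must catch.

```python
"""RFC 6520 heartbeat parsing with the bounds check whose absence was Heartbleed.

Added example, not NetScaler code: a receiver that silently discards any
HeartbeatMessage whose payload_length does not fit the bytes actually received.
"""
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16        # RFC 6520: padding_length MUST be at least 16


def parse_heartbeat(record):
    """Return (type, payload) or None when the message must be discarded.

    RFC 6520 section 4: if payload_length is too large, the message MUST be
    discarded silently. The check compares the declared length with the bytes
    in hand instead of trusting the header, which is what the vulnerable
    OpenSSL versions failed to do.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None   # declared payload would run past the received bytes
    return msg_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def build_heartbeat(msg_type, payload, padding_length=MIN_PADDING):
    """Encode a HeartbeatMessage with random padding, as the RFC specifies."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload_length is a 16-bit field")
    if padding_length < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    return (bytes([msg_type]) + struct.pack("!H", len(payload))
            + payload + os.urandom(padding_length))


def heartbeat_response(record):
    """Server side: echo the payload of a well-formed request, else stay silent."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed test vectors: a valid 5-byte keep-alive, and a request whose
# header declares 65535 payload bytes but carries only 2 plus padding.
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
LENGTH_MISMATCH_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF)
                           + b"hi" + bytes(MIN_PADDING))

if __name__ == "__main__":
    print(parse_heartbeat(GOOD_REQUEST))                # (1, b'hello')
    print(heartbeat_response(LENGTH_MISMATCH_REQUEST))  # None: discarded silently
```

The response for a valid request is built only from the parsed payload, never from the raw record, so no bytes beyond the request can leak into it; a mismatched request produces no reply at all, which is the silent discard the RFC calls for.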

Q: How does NetScaler help?

A: NetScaler comes to the rescue! NetScaler was never affected by the issue found in the OpenSSL implementation. NetScaler blocks Heartbleed attacks because the affected versions of OpenSSL (1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) are not used by NetScaler. The NetScaler operating system uses a modified SSL stack that is fine-tuned for security, performance and other use cases, and it is not impacted by this vulnerability. OpenSSL is used on the management plane, but the affected versions are not used there, so it is not affected by the Heartbleed vulnerability either.

For the list of Citrix products that require updates to address the Heartbleed vulnerability, please read the support article: http://support.citrix.com/article/CTX140605.


When using Fast Smartcard and attempting to decrypt an e-mail encrypted using AES256 encryption in Outlook, you are presented with the following error: “Sorry, we’re having trouble opening this item…”

The only workarounds currently available are:

  • Do not use Fast Smartcard (do not add the parameter to default.ica that enables this feature). This will introduce a delay when decrypting messages.

  • Force the sender to encrypt mail using 3DES, as described in the following Microsoft article:

https://support.microsoft.com/en-ca/help/4459215/error-when-you-try-to-decrypt-a-message-by-using-a-3des-certificate-in

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security

  • DWORD: UseAlternateDefaultEncryptionAlg = 1

  • String: DefaultEncryptionAlgOID = 1.2.840.113549.3.7


ShareFile : Application Specific password

You can access creation of application passwords under Personal Settings > Personal Security > Two-Step Verification > Application Specific Passwords, using the Create a Password button. On the new screen, you will be prompted to enter a label. This label will help you identify the app if you ever desire to revoke access to it. After clicking Generate, click the Copy button to copy the app-specific password to your clipboard. Next, paste the new password into the password field of your app.



Error: “An SSL connection to the server couldn't be established” while trying to authenticate to StoreFront using Linux Receiver

1. Obtain the root certificate in PEM format.

Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.

2. As the user who installed the package (usually root):

  • Copy the file to $ICAROOT/keystore/cacerts.
  • Run the following command: $ICAROOT/util/ctx_rehash


Error: “Invalid Certificate” When Installing SSL Certificate on ADC Appliance

Hidden Control Characters in Certificate/Key File

You can use the OpenSSL implementation of the BSD Unix distribution on the ADC to import and export the certificate and key files. The exported files are free of the control characters that prevent successful installation of the certificate and key files:

  1. Use a secure copy program (WinSCP) to copy the certificate and key files to the /nsconfig/ssl directory of the ADC appliance.

    The certificate and key files can also be uploaded to the ADC using the Configuration Utility. Navigate to Traffic Management > SSL > Manage Certificates / Keys / CSRs > Upload.

  2. Open a Secure Shell (SSH) session to the appliance and, after authenticating, run the shell command to switch to the BSD shell.

  3. Navigate to /nsconfig/ssl directory:

    cd /nsconfig/ssl

  4. Use OpenSSL to import and export the certificate file. The following example is for PEM or Base64 certificates:

    openssl x509 -in <certificateFileName> -out <newCertificateFileName>

  5. Use OpenSSL to import and export the key file. The following example is for PEM or Base64 key files:

    openssl rsa -in <keyFileName> -out <newKeyFileName>

You will now be able to successfully import the certificate on the ADC appliance by using the new exported version of the files.

SSL Certificate not Encoded in Base-64 Format

Open the certificate on a Windows computer and convert it to Base-64 encoded X.509 (.CER) and then install the certificate on the appliance:

  1. Go to Start > Run and type mmc on a Windows machine.


  2. Double-click and open the certificate file that you want to convert.


  3. Click Details.


  4. Click Copy to File.

  5. Select the Base-64 encoded X.509 (.CER) option.

  6. Click Next.


  7. Browse to the location you want to save the converted certificate. Name the file with a .cer extension.


  8. Click Next.

Install the converted certificate on the NetScaler appliance.
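As an added example (not Citrix tooling and not the ADC's own OpenSSL re-export), the Python below checks a certificate or key file for the two problems described above: hidden control characters (CR from Windows line endings, a UTF-8 BOM, NUL bytes and similar invisible additions, which the openssl x509 / openssl rsa round trip also strips) and a file that is raw DER rather than Base-64 PEM. It returns a canonical PEM in either case and rejects files whose Base64 body does not decode to DER. The same DER-to-PEM path covers the Linux Receiver tip earlier on this page about converting a CRT file to .pem. The sample certificate is a constructed placeholder SEQUENCE, not a real certificate.

```python
"""Detect and repair the file-format problems behind the 'Invalid Certificate' error.

Added example, not Citrix tooling: pure-Python checks for hidden control
characters in a PEM certificate or key file and for a file that is DER rather
than Base64, producing a canonical PEM the appliance will accept.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+)-----END \1-----")


def find_control_characters(data):
    """List (offset, byte) for every byte outside printable ASCII, LF excepted.

    Catches CR from Windows line endings, a UTF-8 BOM, NUL bytes and similar
    invisible additions from editors and copy/paste.
    """
    return [(i, b) for i, b in enumerate(data) if b != 0x0A and not 0x20 <= b <= 0x7E]


def is_der(data):
    """A DER certificate or key always starts with a SEQUENCE tag (0x30)."""
    return len(data) > 0 and data[0] == 0x30


def to_pem(der, label):
    body = base64.b64encode(der).decode("ascii")
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


def clean_certificate_file(data, label="CERTIFICATE"):
    """Return canonical PEM text for a certificate/key file, or raise ValueError.

    - raw DER input (the 'not Base-64' case) is wrapped in PEM armour
    - control characters are stripped from PEM input (the 'hidden characters' case)
    - the Base64 body must decode to DER, so truncated or mangled files are rejected
    """
    if is_der(data):
        return to_pem(data, label)
    text = bytes(b for b in data if b == 0x0A or 0x20 <= b <= 0x7E).decode("ascii")
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM block found (neither DER nor Base64 PEM)")
    found_label, body = match.group(1), "".join(match.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:   # binascii.Error is a ValueError subclass
        raise ValueError(f"Base64 body is corrupt: {exc}") from None
    if not is_der(der):
        raise ValueError("Base64 body does not decode to a DER SEQUENCE")
    return to_pem(der, found_label)


# Constructed sample: a placeholder DER SEQUENCE stands in for a real certificate.
FAKE_CERT_DER = bytes([0x30, 0x0B, 0x04, 0x09]) + b"fake cert"
CLEAN_PEM = to_pem(FAKE_CERT_DER, "CERTIFICATE")
# The same file after a trip through a Windows editor: BOM, CRLF line endings, trailing NUL.
DIRTY_PEM = b"\xef\xbb\xbf" + CLEAN_PEM.replace("\n", "\r\n").encode("ascii") + b"\x00"

if __name__ == "__main__":
    for offset, byte in find_control_characters(DIRTY_PEM):
        print(f"control byte 0x{byte:02x} at offset {offset}")
    print(clean_certificate_file(DIRTY_PEM), end="")
    print(clean_certificate_file(FAKE_CERT_DER), end="")
```

Run find_control_characters on a file before uploading it to /nsconfig/ssl to see exactly which bytes an editor added; clean_certificate_file then produces the same 64-column PEM that the openssl x509 -out or openssl rsa -out re-export would, for certificates and keys alike.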

PKCS #7 Certificate Incorrectly Converted to PEM Format

This error occurs when the PKCS #7 (.p7b) certificate is incorrectly converted to PEM format. Refer to CTX124783 – How to Convert a PKCS #7 Certificate to PEM Format for the correct procedure.
