in NetScaler

Scoring 100/100 in ADM (removing the default certificate)

ADM has something called Infrastructure Analytics, which is a great addition to the product. It gives you a swift overview over your fleet of ADC’s no matter which type (SDX, MPX, VPX, BLX, CPX). There is a score that goes to 100 if everything is running accordingly.

It checks if any certificates is soon to expire, if there are critical events in the log (eg. bad HA state) – overall, easy house keeping.

It does also check the issuer of the certificates, so it will report problems if someone adds something you don’t want running on your ADC’s. And thats leave us with a problem with the ns-server-certificate, since its a self signed certificate. and it does not scale very well to add every certificate to ADM. and ADM does not support regex in the trusted issuers sections. so the real solution is of course to remove this ns-server-certificate.

rm ssl certKey ns-server-certificate
ERROR: Cannot delete internal default certificate.

Thank you Citrix! i’ve removed all bindings to the certificate, and still i get the above message.

To overcome this error, do the following:

disable the HA, also sync and command propagation
on the secondary
remove the following line from ns.conf:
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key

Reboot the secondary, repeat on the primary.

Hopefully you’ll end up with this:

Happy monitoring! (it’s important! and every admin should dedicate 30 min’s a day to make it better, ADM is an easy way to success for ADC)

What do you think?