Caution When Upgrading your SSL Certificate(s)
Post by Sam Jacobs:
I received a call from a client recently. They renewed the SSL certificate on their NetScaler, and while their iOS Receiver users could still authenticate and enumerate applications, they could no longer launch applications and desktops. All intermediate certificates were properly installed and linked. The issue turned out to be the encryption method – SHA2 – used to hash the digital signature.
While SHA2 certificates have been around for a while, SHA1 certs had been the standard – until now. Microsoft has announced a new policy for CAs (Certification Authorities) who are members of the Windows Root Certificate Program (who issue publicly trusted certificates). The policy dictates that SHA1 certificates will be deprecated on January 1, 2016. After that date, only SHA2 certificates will be allowed to be issued. Unfortunately, the latest iOS (5.8) and Android (3.4) Citrix Receivers (among others) do not support SHA2 certificates when proxied through the NetScaler. See the full Receiver product matrix. While Citrix has promised a NetScaler upgrade in 2004 Q2 to remedy the issue, if you are supporting remote iOS or Android users through NetScaler and you need to upgrade your SSL certificate, make sure that you purchase a SHA1 cert and not a SHA2 cert.
Note: I do find it curious, however, that Microsoft is still using a SHA1 certificate on their site. 😉