Citrix Netscaler Issue with SHA2-384 Certificates

SecureAuth version(s) affected: ALL


Description: On certain versions of Citrix Netscaler, SecureAuth certificates cannot validate against the Netscaler when IE11 is used with TLS 1.2 enabled. The issue occurs only in conjunction with the Citrix Netscaler implementation of TLS 1.2 and/or X.509 with SHA2 certificates.

Cause: Citrix Netscaler has an issue validating this type of certificate with IE11 and TLS 1.2 enabled. When tested on non-Citrix devices, such as Cisco ASA SSL VPN, the certificates work fine. Non-Microsoft browsers connect to the Netscaler fine using TLS 1.2.

Resolution: If you absolutely need to use IE11, disable TLS 1.2 and enable TLS 1.0 in IE11. This should allow you to connect through the Citrix Netscaler. If you do not want to disable TLS 1.2, the other option is to use a non-Microsoft browser such as Firefox or Chrome. Unfortunately, IE11 with TLS 1.2 enabled will not work.
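
The following PowerShell sketch is an added example, not SecureAuth or Citrix code. It reads the per-user `SecureProtocols` bitmask behind the IE11 "Use TLS x.x" checkboxes, reports which protocols are enabled, and can apply the workaround above so the change is recorded and easy to revert. The function names `Get-IEProtocolState` and `Set-IEWorkaround` are hypothetical.

```powershell
# Added example: inspect (and optionally change) the per-user protocol
# bitmask that backs the IE11 "Use TLS x.x" checkboxes.
$Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Name = 'SecureProtocols'

# WinINet protocol flags stored in the SecureProtocols DWORD.
$Flags = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

function Get-IEProtocolState {
    # Returns one object per protocol with its enabled/disabled state.
    param([int]$Mask)
    foreach ($p in $Flags.GetEnumerator()) {
        [pscustomobject]@{
            Protocol = $p.Key
            Enabled  = [bool]($Mask -band $p.Value)
        }
    }
}

function Set-IEWorkaround {
    # Applies the article's workaround: TLS 1.2 off, TLS 1.0 on.
    # All other protocol bits are left as they were.
    param([int]$Mask)
    $new = ($Mask -band (-bnot $Flags['TLS 1.2'])) -bor $Flags['TLS 1.0']
    Set-ItemProperty -Path $Key -Name $Name -Value $new -Type DWord
    return $new
}

$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) {
    Write-Output "$Name is not set for this user; IE is using its defaults."
} else {
    Write-Output ("Current mask: 0x{0:X}" -f $current)   # note this value to revert later
    Get-IEProtocolState -Mask $current | Format-Table -AutoSize
    # Uncomment to apply the workaround for the current user:
    # Set-IEWorkaround -Mask $current | Out-Null
}
```

IE11 must be restarted to pick up a changed value, and a Group Policy setting for the same option can override the per-user value.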
