Citrix Netscaler Issue with SHA2-384 Certificates

    Applies to:
  • Legacy SecureAuth IdP

    Deployment model:
  • On Premises

    SecureAuth version(s) affected: ALL


    Description: On certain versions of Citrix Netscaler, SecureAuth certificates cannot be validated against the Netscaler when IE11 is used with TLS 1.2 enabled. This is only an issue in conjunction with the Citrix Netscaler implementation of TLS 1.2 and/or X.509 with SHA2 certificates.

    Cause: Citrix Netscaler has an issue with validating this type of certificate when IE11 is used with TLS 1.2 enabled. When tested on non-Citrix devices, such as Cisco ASA SSL VPN, the certificates work fine. Non-Microsoft browsers connect to the Netscaler fine using TLS 1.2.

    Resolution: If you absolutely need to use IE11, then disable TLS 1.2 and enable TLS 1.0 on IE11. This should now allow you to connect through the Citrix Netscaler. If you do not want to disable TLS 1.2, then another option is to use a non-Microsoft browser such as Firefox or Chrome. Unfortunately, trying to use IE11 with TLS 1.2 enabled will not work.
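
    To check whether a client is in the combination described above before changing its TLS settings, the following PowerShell (an added example, not SecureAuth or Citrix code) reports which protocols IE has enabled for the current user and lists SHA-384 signed certificates in that user's Personal store. It assumes the SecureAuth-issued certificate is installed in Cert:\CurrentUser\My and that the IE protocol settings are set per user rather than by policy.

```powershell
# Added diagnostic example (not SecureAuth or Citrix code).
# Assumption: the SecureAuth-issued certificate is in Cert:\CurrentUser\My.

# Bit flags of the per-user SecureProtocols value behind the
# Internet Options > Advanced "Use SSL/TLS x.y" checkboxes.
$protocolFlags = @{
    'SSL 2.0' = 0x0008; 'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080; 'TLS 1.1' = 0x0200; 'TLS 1.2' = 0x0800
}

function Get-EnabledProtocol {
    param([int]$SecureProtocols)
    $protocolFlags.GetEnumerator() | Sort-Object Value |
        Where-Object { $SecureProtocols -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Signature algorithm OIDs: sha384WithRSAEncryption and ecdsa-with-SHA384.
$sha384Oids = '1.2.840.113549.1.1.12', '1.2.840.10045.4.3.3'

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$setting = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue

if ($null -eq $setting) {
    # No per-user value: IE falls back to its defaults or a policy setting.
    $enabled = @()
    Write-Output 'SecureProtocols not set for this user; check defaults/policy.'
} else {
    $enabled = @(Get-EnabledProtocol -SecureProtocols $setting.SecureProtocols)
    Write-Output ("IE protocols enabled: " + ($enabled -join ', '))
}

# Certificates in the user's Personal store that are signed with SHA-384.
$sha384Certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $sha384Oids -contains $_.SignatureAlgorithm.Value })

$sha384Certs | ForEach-Object {
    Write-Output ("SHA-384 signed: {0} [{1}]" -f $_.Subject, $_.Thumbprint)
}

if (($enabled -contains 'TLS 1.2') -and $sha384Certs.Count -gt 0) {
    Write-Output 'Matches this article: IE with TLS 1.2 on and a SHA-384 signed certificate.'
} else {
    Write-Output 'Combination described in this article not confirmed on this client.'
}
```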


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.


    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
