asked on

Netscaler - multiple elliptic curve lines of config for each SSL VIP - why?

When I look at the elliptic curve information for some VIPs in my Netscaler Load Balancer - I see
that there might be four or five lines dedidicated to elliptic curves. I forget the numbers
but one might be 128, 164, then 256, then 324 - let's say. Now I understand the larger the
number the higher the encryption level. But why would a vip have several elliptic curves
associated with it instead of just one?

Awais Ali

HTTPS access to the NetScaler configuration utility fails on a VPX instance. How do I gain access?
A certificate-key pair is required for HTTPS access to the NetScaler configuration utility. On a NetScaler ADC, a certificate-key pair is automatically bound to the internal services. On an MPX or SDX appliance, the default key size is 1024 bytes, and on a VPX instance, the default key size is 512 bytes. However, most browsers today do not accept a key that is less than 1024 bytes. As a result, HTTPS access to the VPX configuration utility is blocked.

Citrix recommends that you install a certificate-key pair of at least 1024 bytes and bind it to the internal service for HTTPS access to the configuration utility or update the ns-server-certificate to 1024 bytes. You can use HTTP access to the configuration utility or the NetScaler command line to install the certificate.

amigan_99

ASKER

I think you must be referring to RSA keying. The elliptic curve figures on the Netscaler appliance are much smaller. An example is below.

bind ssl vserver mobygrape -eccCurveName P_256
bind ssl vserver mobygrape -eccCurveName P_384
bind ssl vserver mobygrape -eccCurveName P_224
bind ssl vserver mobygrape -eccCurveName P_521

So the question is - why would I need to bind mobygrape to four different eccCurveNames?

ASKER CERTIFIED SOLUTION