Import IIS SSL Certificate to Citrix NetScaler

For a recent project I’ve been configuring a Citrix NetScaler (which are wickedly cool) for load balancing of a web service over SSL. The web service is hosted on a Windows server using IIS, so I wanted to re-use the SSL certificate on the NetScaler. The steps to import an IIS SSL certificate to a NetScaler are actually fairly easy. I found various blog articles and Citrix KB articles on the process, but they were a bit convoluted and I thought there had to be an easier process than using OpenSSL and WinSCP/NotePad to manipulate the certificate files.

The first thing you need to do is look in the server’s computer certificate personal store for your IIS certificate. In my case I’m looking for the StoreFront.contoso.net certificate. Since I knew I’d be exporting the whole certificate (including the private key), I made sure when I was requesting the certificate to allow the private key to be exported. You can request certificates from your MS CA a variety of ways, so I’ll assume you can find the option to allow private key export.

Exporting the Certificate

1. Right-click on the certificate, select All Tasks, then select Export. You should be presented with the option to export the private key. If not, then your certificate’s private key is “stuck” in the computer’s store and you can’t get it out. Issue a new certificate with the private key export option.

2. Assuming you can export the private key you are now given some options for the PKCS#12 certificate file. You shouldn’t need to select any of the options.

3. Select a strong password to protect the file with. Remember it.

4. Choose an appropriate filename for the certificate. I strongly suggest using the FQDN of the certificate, because the NetScaler will store the files with the name you choose. So don’t do something like “cert.pfx” since you will have no clue what site it is for. In my case I chose StoreFront.contoso.net.pfx.

5. Run through the same export wizard again, but this time select No, do not export the private key.

6. Select Base-64 encoding for your certificate.

7. Again, I suggest using the FQDN of the certificate for the filename (e.g. StoreFront.contoso.net.cer). Make sure the file ends in “.cer”.

8. At this point you should have two certificate files, both named with the FQDN, one ending in .pfx and the other in .cer.

Importing Certificates into NetScaler

1. Logon to your Citrix NetScaler and open the root SSL page. Under Tools click Import PKCS#12.

2. In the import window click on Browse next to the PKCS12 filename (NOT the output file name). Browse to your pfx file. Type in the password you entered during the certificate export process. Enter a new password to protect the private key on the NetScaler (PEM passphrase). In the Output File Name use the FQDN of the certificate and add a .key suffix. Change the encoding format to DES3. The NetScaler will automatically extract the private key from the PFX file and put it into the .key file.

3. Click on Manage Certificates / Keys / CSRs. Upload your .cer file. You should now see three certificate files with your certificate’s FQDN.

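4. At this point you can delete the .pfx file if you wish, since we no longer need it. I suggest you do remove it, to reduce clutter on your NetScaler. The .pfx also contains a copy of the private key, so deleting it leaves one fewer copy on the appliance.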

5. In the left pane under SSL click on Certificates then in the middle pane click on Install.

6. Enter the FQDN of your certificate in the Certificate-Key Pair Name. For the Certificate File Name select the .cer file you uploaded. For the Private Key File Name select your .key file. Enter the password (the PEM passphrase) you set back in step 2.

7. If all goes well you will now have a new certificate from IIS installed on your NetScaler with no command line effort or manual modification of certificate files.
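
An optional check before the install in step 6, added here as an example and not part of the original walkthrough: it confirms that the .cer is Base-64, that the .key is passphrase-protected, and that both files hold the same public key. It assumes a host with the openssl command-line tool; the function names, the sample passphrase and the throwaway self-signed files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Create a throwaway self-signed cert and DES3-protected key (constructed sample).
make_sample() {  # usage: make_sample <dir> <passphrase>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=StoreFront.contoso.net" \
        -keyout "$1/plain.key" -out "$1/StoreFront.contoso.net.cer" 2>/dev/null
    PEM_PASS="$2" openssl rsa -in "$1/plain.key" -des3 -passout env:PEM_PASS \
        -out "$1/StoreFront.contoso.net.key" 2>/dev/null
}

# Print "ok" only if the .cer is Base-64, the .key is encrypted, the passphrase
# opens it, and both files carry the same public key.
check_pair() {  # usage: check_pair <file.cer> <file.key> <PEM passphrase>
    cert="$1"; key="$2"; pass="$3"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "cert-not-base64"; return 1; }
    grep -q 'ENCRYPTED' "$key" \
        || { echo "key-not-encrypted"; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cert-unreadable"; return 1; }
    # The passphrase travels in the environment, not on the command line.
    kpub=$(PEM_PASS="$pass" openssl pkey -in "$key" -passin env:PEM_PASS \
            -pubout 2>/dev/null) \
        || { echo "bad-passphrase-or-key"; return 1; }
    [ "$cpub" = "$kpub" ] || { echo "mismatch"; return 1; }
    echo "ok"
}

# Demo on constructed files; replace the paths with your own .cer and .key.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp" 'constructed-pass'
check_pair "$tmp/StoreFront.contoso.net.cer" \
           "$tmp/StoreFront.contoso.net.key" 'constructed-pass'
```

A "mismatch" result means the .cer and .key came from different exports; "bad-passphrase-or-key" means the passphrase supplied is not the PEM passphrase set during the PKCS#12 import.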

15 Comments
maufderheiden
May 20, 2013 12:42 pm

very nice, ever asked myself how to import pfx without converting using xca.

July 19, 2013 9:46 pm

Thanks for writing this up! It was exactly the piece of information I needed to help get my old Secure Gateway server replaced with a new NetScaler. I referenced your post in my instructions here: http://benjamin.eavey.com/2013/07/netscaler-vpx-a

August 15, 2013 10:48 am

Great post! Now can get moving on migrating from SG/WI!

Michael
January 9, 2014 11:28 am

Genius! Thanks a lot for this! I was looking for a way to not use OpenSSL either, especially since the "add ssl" command from VPX 9 no longer works with VPX 10

Mario
January 28, 2014 10:46 am

Genius! Thanks a lot for this!

Rich
February 27, 2014 2:23 pm

THANKYOU!!! fixed my binding issue for self signed cert, much easier way and less complicated! 🙂

Junaid YAseen
June 11, 2014 8:42 am

THANKSSSSSSSSSS

Mike
June 13, 2014 8:25 am

Great Article Derek, just what I was looking for!

Justus
September 18, 2014 8:21 am

This is a fantastic walkthrough, and just saved us from a nightmare. Thank you!!

trog
October 16, 2014 2:06 pm

I've followed these guidelines and I'm getting an error. It shows "untrusted certificate warning" in the certification path. Can you tell me what I've done wrong?

ErikK
October 23, 2014 1:00 am

It helped me a lot no problem at all. Thank you for this post!

Hankster
March 5, 2015 2:03 pm

Derek, exactly the documentation I needed, 100%. If you follow these instructions to the letter, you CANNOT go wrong. Thumbs up!!!!!

I'll be taking some NetScaler training. Your documentation really removed a lot of the mystery from the certificates piece of the NetScaler. Awesome!

Girdhar
March 12, 2015 9:31 pm

This is one of the best Citrix articles I came across.

Osman
July 11, 2017 1:16 am

Does the same apply for Wildcard certificate?

Hank Foss
January 20, 2022 10:22 am

Incredible article. I use this every time I create a NetScaler cert, to the point where I have it memorized. Derek is a complete God-send.