Import IIS SSL Certificate to Citrix NetScaler

For a recent project I've been configuring a Citrix NetScaler (which are wickedly cool) for load balancing a web service over SSL. The web service is hosted on a Windows server running IIS, so I wanted to re-use its SSL certificate on the NetScaler. The steps to import an IIS SSL certificate into the NetScaler are actually fairly easy. I found various blog articles and Citrix KB articles on the process, but they were a bit convoluted and I thought there had to be an easier process than using OpenSSL and WinSCP/Notepad to manipulate the certificate files.

The first thing you need to do is look in the Personal store of the server's computer certificate store (Certificates MMC snap-in, Local Computer account) for your IIS certificate. In my case I'm looking for the StoreFront.contoso.net certificate. Since I knew I'd be exporting the whole certificate (including the private key), I made sure when requesting the certificate to mark the private key as exportable. You can request certificates from your Microsoft CA in a variety of ways, so I'll assume you can find the option to allow private key export. Bear in mind that an exportable key is a deliberate weakening: anyone with administrative access to the server can walk off with it, so only request one where the key genuinely has to live on more than one system.


Exporting the Certificate

1. Right-click the certificate, select All Tasks, then Export. You should be presented with the option to export the private key. If not, your certificate's private key is "stuck" in the computer's store and you can't get it out; issue a new certificate with the private key marked exportable.


2. Assuming you can export the private key, you are now given some options for the PKCS#12 (.pfx) file. You shouldn't need to select any of them; the certificate itself is exported separately in the next pass through the wizard.


3. Select a strong password to protect the file with. Remember it.

4. Choose an appropriate filename for the certificate. I strongly suggest using the FQDN of the certificate, because the NetScaler will store the files under the name you choose. So don't do something like "cert.pfx", since you will have no clue which site it is for. In my case I chose StoreFront.contoso.net.pfx.

5. Run through the same export wizard again, but this time select No, do not export the private key.


6. Select Base-64 encoding for your certificate.


7. Again, I suggest using the FQDN of the certificate for the filename (e.g. StoreFront.contoso.net.cer). Make sure the file ends in “.cer”.

8. At this point you should have two certificate files, both named with the FQDN, one ending in .pfx and the other in .cer.
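For anyone who would rather script the export than click through the wizard twice, here is the PowerShell equivalent of the eight steps above. This is an added example, not code from the original post: the function name Export-IisCertForNetScaler, the helper Write-PemCertificate and the sample values are mine. It assumes Windows 8 / Server 2012 or later (Export-PfxCertificate ships in the built-in PKI module) and an elevated session. It also writes out the issuing CA certificates from the chain, which you will want on the NetScaler as well.

```powershell
# Added example, not code from the original post. PowerShell equivalent of the export
# wizard: one .pfx (certificate + private key) and one Base-64 .cer, both named after
# the FQDN, plus the issuing CA certificate(s). Assumes Windows 8 / Server 2012+ and an
# elevated session. Function names and the sample values below are hypothetical.
function Export-IisCertForNetScaler {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Fqdn,        # CN of the certificate
        [Parameter(Mandatory)] [string]       $OutDir,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )

    # 1. Find the certificate in the computer's Personal store (Cert:\LocalMachine\My).
    #    Match the CN exactly, require a private key, and take the newest if it was renewed.
    $cnPattern = "(^|, )CN=$([regex]::Escape($Fqdn))(,|$)"
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $cnPattern -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My." }

    # 2. Export the PKCS#12 file. EndEntityCertOnly mirrors leaving the wizard's
    #    'include all certificates' box unticked. If the key was enrolled without the
    #    exportable flag this throws: the key is stuck in the store (step 1 above) and the
    #    only fix is to re-issue the certificate with export allowed.
    $pfxPath = Join-Path $OutDir "$Fqdn.pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword `
            -ChainOption EndEntityCertOnly -ErrorAction Stop | Out-Null
    } catch {
        throw "Private key for $Fqdn is not exportable; re-enrol with 'Mark private key as exportable'. ($_)"
    }

    # 3. Write the Base-64 .cer. Export-Certificate emits DER only, so build the PEM text
    #    from RawData. Same content as the wizard's Base-64 option (line length differs,
    #    which PEM parsers do not care about).
    $cerPath = Join-Path $OutDir "$Fqdn.cer"
    Write-PemCertificate -Certificate $cert -Path $cerPath

    # 4. Save every issuer from the chain (intermediates, then root) as <FQDN>-caN.cer.
    #    The NetScaler needs the intermediate installed and linked, or clients see an
    #    incomplete chain even though the server certificate itself is fine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($cert)
    $caPaths = @()
    $i = 0
    foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {   # skip the leaf
        $i++
        $caPath = Join-Path $OutDir "$Fqdn-ca$i.cer"
        Write-PemCertificate -Certificate $element.Certificate -Path $caPath
        $caPaths += $caPath
    }

    [pscustomobject]@{ Pfx = $pfxPath; Cer = $cerPath; ChainCers = $caPaths; Thumbprint = $cert.Thumbprint }
}

function Write-PemCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate, [string] $Path)
    $b64 = [Convert]::ToBase64String($Certificate.RawData, [Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $Path -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
}

# Usage (hypothetical values):
# $pw = Read-Host -AsSecureString 'PFX export password'
# Export-IisCertForNetScaler -Fqdn 'StoreFront.contoso.net' -OutDir 'C:\certs' -PfxPassword $pw
```

The .pfx this writes is protected only by the password you supply, exactly like the wizard's output, so treat the file as the private key it is: keep it off shares, and delete it from the workstation once it is on the NetScaler.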


Importing Certificates into NetScaler

1. Log on to your Citrix NetScaler and open the root SSL node. Under Tools click Import PKCS#12.


2. In the import window click Browse next to the PKCS12 File Name (NOT the Output File Name) and browse to your .pfx file. Type in the password you entered during the certificate export. Enter a new password to protect the private key on the NetScaler (the PEM passphrase). In the Output File Name use the FQDN of the certificate with a .key suffix. Change the encoding format to DES3 so the key is written encrypted rather than in the clear. The NetScaler will extract the private key from the .pfx file and write it to the .key file.


3. Click on Manage Certificates / Keys / CSRs. Upload your .cer file. You should now see three certificate files with your certificate’s FQDN.


4. At this point you can delete the .pfx file, since we no longer need it. I suggest you do remove it: it still holds the private key protected only by the export password, and it is clutter on the NetScaler besides.

5. In the left pane under SSL click on Certificates then in the middle pane click on Install.


6. Enter the FQDN of your certificate as the Certificate-Key Pair Name. For the Certificate File Name select the .cer file you uploaded. For the Private Key File Name select your .key file. Enter the PEM passphrase you set back in step 2.


7. If all goes well you will now have the certificate from IIS installed on your NetScaler with no command line effort or manual modification of certificate files. One check before you bind it to a virtual server: if the NetScaler flags the certificate as untrusted, or clients complain about the certification path, the issuing (intermediate) CA certificate is missing. Upload it the same way, install it as its own certificate-key pair (certificate only, no key) and link it to the server certificate.
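The same seven steps can be driven from PowerShell through the appliance's Nitro REST API, which is handy when you have more than one NetScaler to feed. This is an added example, not code from the original post; the function Import-CertToNetScaler and the sample values are mine, and the Nitro resource names and fields (systemfile, sslcertkey, the link and save actions) are as I know them from the Nitro v1 config API, so check them against your firmware's Nitro documentation. Two further assumptions: the NSIP management certificate is trusted by the workstation (on PowerShell 7 you could add -SkipCertificateCheck to Invoke-RestMethod instead), and passing a .pfx straight in with inform PFX needs firmware that accepts it (11.0 or later, as far as I recall). On older firmware convert the .pfx in the GUI as described above and hand the function the .cer/.key pair via -KeyFile, which works everywhere.

```powershell
# Added example, not code from the original post. Performs the GUI import steps via the
# Nitro REST API: upload the file(s) to /nsconfig/ssl, create the certificate-key pair,
# optionally install and link the intermediate CA, save, and read back the pair's status.
# Assumes a trusted NSIP certificate; 'inform = PFX' assumes firmware that takes a .pfx
# directly (11.0+, to my recollection). Names and sample values are hypothetical.
function Import-CertToNetScaler {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $NsIp,
        [Parameter(Mandatory)] [pscredential] $NsCredential,
        [Parameter(Mandatory)] [string]       $CertKeyName,   # the FQDN, as the post suggests
        [Parameter(Mandatory)] [string]       $CertFile,      # .pfx, or the .cer when -KeyFile is given
        [string]                              $KeyFile,       # .key written by the GUI PKCS#12 import
        [Parameter(Mandatory)] [string]       $Password,      # PFX password, or the PEM passphrase of .key
        [string]                              $ChainCerFile   # intermediate CA certificate, Base-64 (PEM)
    )
    $base    = "https://$NsIp/nitro/v1/config"
    $headers = @{
        'X-NITRO-USER' = $NsCredential.UserName
        'X-NITRO-PASS' = $NsCredential.GetNetworkCredential().Password
    }

    function Send-Nitro([string] $Method, [string] $Resource, $Body) {
        $json = if ($Body) { $Body | ConvertTo-Json -Depth 5 -Compress } else { $null }
        Invoke-RestMethod -Method $Method -Uri "$base/$Resource" -Headers $headers `
            -ContentType 'application/json' -Body $json
    }
    # Upload a local file into /nsconfig/ssl (the directory the GUI uses) and return its name.
    function Push-SslFile([string] $LocalPath) {
        $name = Split-Path -Leaf $LocalPath
        $b64  = [Convert]::ToBase64String([IO.File]::ReadAllBytes($LocalPath))
        Send-Nitro Post systemfile @{ systemfile = @{
            filename = $name; filelocation = '/nsconfig/ssl'
            filecontent = $b64; fileencoding = 'BASE64' } } | Out-Null
        $name
    }

    # Certificate-key pair. The password travels as 'passplain' (same as 'add ssl certKey
    # ... -passplain' on the CLI); the appliance stores it encrypted in ns.conf.
    $pair = @{ certkey = $CertKeyName; cert = (Push-SslFile $CertFile); passplain = $Password }
    if ($KeyFile) { $pair.key = Push-SslFile $KeyFile }     # .cer + .key pair, any firmware
    else          { $pair.inform = 'PFX' }                   # .pfx consumed directly, newer firmware
    Send-Nitro Post sslcertkey @{ sslcertkey = $pair } | Out-Null

    # Intermediate CA: its own pair without a key, linked to the server certificate so the
    # NetScaler sends the full chain (the usual cure for 'untrusted certificate' warnings).
    if ($ChainCerFile) {
        $caName = 'CA-' + [IO.Path]::GetFileNameWithoutExtension($ChainCerFile)
        Send-Nitro Post sslcertkey @{ sslcertkey = @{ certkey = $caName; cert = (Push-SslFile $ChainCerFile) } } | Out-Null
        Send-Nitro Post 'sslcertkey?action=link' @{ sslcertkey = @{ certkey = $CertKeyName; linkcertkeyname = $caName } } | Out-Null
    }

    Send-Nitro Post 'nsconfig?action=save' @{ nsconfig = @{} } | Out-Null

    # Read back: expect status 'Valid' and a sensible daystoexpire before binding to a vserver.
    (Send-Nitro Get "sslcertkey/$CertKeyName").sslcertkey
}

# Usage (hypothetical values):
# $cred = Get-Credential nsroot
# Import-CertToNetScaler -NsIp 10.0.0.10 -NsCredential $cred -CertKeyName 'StoreFront.contoso.net' `
#     -CertFile 'C:\certs\StoreFront.contoso.net.pfx' -Password (Read-Host 'PFX password') `
#     -ChainCerFile 'C:\certs\StoreFront.contoso.net-ca1.cer'
```

The CLI equivalents, if you prefer an SSH session, are add ssl certKey for the pair and link ssl certKey for the chain; the script does nothing the GUI steps above do not, it just does them in one go and leaves the pair's status on screen for you to check.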


Comments (14)
maufderheiden (Guest):

Very nice, I always asked myself how to import a pfx without converting it using xca.

beaveyOne (Guest):

Thanks for writing this up! It was exactly the piece of information I needed to help get my old Secure Gateway server replaced with a new NetScaler. I referenced your post in my instructions here: http://benjamin.eavey.com/2013/07/netscaler-vpx-a

@ChrisCalaf (Guest):

Great post! Now I can get moving on migrating from SG/WI!

Michael (Guest):

Genius! Thanks a lot for this! I was looking for a way to not use OpenSSL either, especially since the "add ssl" command from VPX 9 no longer works with VPX 10

Mario (Guest):

Genius! Thanks a lot for this!

Rich (Guest):

THANK YOU!!! Fixed my binding issue for a self-signed cert, a much easier and less complicated way! 🙂

Junaid YAseen (Guest):

THANKSSSSSSSSSS

Mike (Guest):

Great Article Derek, just what I was looking for!

Justus (Guest):

This is a fantastic walkthrough, and just saved us from a nightmare. Thank you!!

trog (Guest):

I've followed these guidelines and I'm getting an error. It shows "untrusted certificate warning" in the certification path. Can you tell me what I've done wrong?

ErikK (Guest):

It helped me a lot, no problem at all. Thank you for this post!

Hankster (Guest):

Derek, exactly the documentation I needed, 100%. If you follow these instructions to the letter, you CANNOT go wrong. Thumbs up!!!!!

I'll be taking some NetScaler training. Your documentation really removed a lot of the mystery from the certificates piece of the NetScaler. Awesome!

Girdhar (Guest):

This is one of the best Citrix articles I came across.

Osman (Guest):

Does the same apply for a wildcard certificate?