NetScaler 12 Certificates

Last Modified: Aug 22, 2017 @ 5:48 pm

Navigation

ūüí° = Recently Updated

Convert .PFX Certificate to PEM Format

You can export a certificate (with private key) from Windows, and import it to NetScaler.

To export a Windows certificate in .pfx format

  1. If Windows 2012 or newer, on the Windows server that has the certificate, you can run certlm.msc to open the Certificates console pointing at Local Computer.
    1. Or, run mmc.exe, manually add the Certificates snap-in, and point it to Local Computer.
  2. Go to Personal > Certificates.
  3. Right-click the certificate, expand All Tasks, and click Export.
  4. On the Welcome to the Certificate Export Wizard page, click Next.
  5. On the Export Private Key page, select Yes, export the private key, and click Next.
  6. On the Export File Format page, click Next.
  7. On the Security page, check the box next to Password, and enter a new temporary password. Click Next.
  8. On the File to Export page, specify a save location and name the .pfx file. Don’t put any spaces in the filename. Click¬†Next.
  9. In the Completing the Certificate Export Wizard page, click Finish.
  10. Click OK when prompted that the export was successful.

To auto-convert a .pfx file (without private key encryption)

NetScaler can auto-convert a .pfx file to PEM format. However, the converted file it creates is not encrypted.

To import the .pfx file:

  1. On the NetScaler, expand Traffic Management, and click SSL.
  2. If the SSL feature is disabled, right-click the SSL node, and click Enable Feature.
  3. Go to Traffic Management > SSL > Certificates > Server Certificates.
  4. There are three different certificate nodes:
    1. Server Certificates have private keys. These certificates are intended to be bound to SSL vServers.
    2. Client Certificates also have private keys, but they are intended to be bound to Services so NetScaler can perform client-certificate authentication against back-end web servers.
    3. CA Certificates don’t have private keys. The CA certificates node contains intermediate certificates that are linked to Server Certificates. CA certificates can also be used for SAML authentication, and to verify client certificates.
  5. On the left, click the Server Certificates node.
  6. On the right, click Install.
  7. Give the certificate a name.
  8. Click the drop-down next to Choose File, select Local, and browse to the .pfx file that you exported earlier.
  9. After browsing to the .pfx file, NetScaler will prompt you to enter the password for the .pfx file.
  10. Then click Install.
  11. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
  12. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  13. You can also export the certificate files and use them on a different NetScaler.
  14. If you click the information icon¬†next to the new certificate…
  15. You’ll see that NetScaler created a new file with a .ns extension.
  16. You can look inside this file by going to Traffic Management > SSL > Manage Certificates / Keys / CSRs.
  17. Right-click the new file, and click View.
  18. Notice that the RSA Private Key is not encrypted, encoded, or password protected.

To convert PFX to PEM (with Private Key encryption)

If you want to encrypt your key file (recommended), use the older method of converting from PFX to PEM.

  1. In the NetScaler Configuration GUI, on the left, expand Traffic Management, and click SSL.
  2. In the right column of the right pane, in the Tools section, click Import PKCS#12.
  3. In the Import PKCS12 File dialog box:
    1. In the Output File Name field, enter a name (e.g. Wildcard.cer) for a new file where the converted PEM certificate and private key will be placed. This new file is created under /nsconfig/ssl on the NetScaler appliance.
    2. In the PKCS12 File field, click Choose File, and select the previously exported .pfx file.
    3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    4. Change the Encoding Format selection to DES3. This causes the new PEM file to be password protected, and encrypted.
    5. Enter a permanent password for the new PEM file, and click OK.
  4. You can use the Manage Certificates / Keys / CSRs link to view the new PEM file.

    1. Right-click the new file, and click View.
    2. Notice that the Private Key is encrypted.
    3. If you scroll down, notice that the file contains both the certificate, and the RSA Private key.
  5. Now that the PFX file has been converted to a PEM file, the PEM certificate file must be installed before it can be used.
    1. On the left side of the NetScaler Configuration GUI, go to Traffic Management > SSL > Certificates > Server Certificates.
    2. On the right, click Install.
    3. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
    4. In the Certificate File Name field, click the drop-down next to Choose File, and select Appliance.
    5. Click the radio button next to the .cer file you just created, and click Open. The new file is probably at the bottom of the list.
    6. NetScaler will ask you to enter the password for the encrypted private key.
    7. Click Install.
  6. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
  7. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy NetScaler Management and Analytics System. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  8. You can also export the certificate files and use them on a different NetScaler.

Create Key and Certificate Request

If you want to create free Let’s Encrypt certificates, see¬†John Billekens’ PowerShell script detailed at Let‚Äôs Encrypt Certificates on a NetScaler.

You can create a key pair and Certificate Signing Request (CSR) directly on the NetScaler appliance. The CSR can then be signed by an internal, or public, Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when creating (or purchasing) a signed certificate, and thus there’s no reason to include Subject Alternative Names in the CSR created on NetScaler. You typically create a CSR with a single DNS name. Then when submitting the CSR to the Certificate Authority, you type in additional DNS names.

  • For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard.
  • For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option, that lets you type in additional names.

To create a key pair on NetScaler

  1. On the left, expand Traffic Management, expand SSL, and click SSL Files.
  2. On the right, switch to the Keys tab.
  3. Click Create RSA Key.
  4. In the Key Filename box, enter a new filename (e.g. wildcard.key). Key pair files typically have a .key extension.
  5. In the Key Size field, enter 2048 bits.
  6. Set the PEM Encoding Algorithm drop-down to DES3
  7. Enter a password to encrypt the private key.
  8. Click Create.

To create CSR file

  1. On the right, switch to the CSRs tab.
  2. Click Create Certificate Signing Request (CSR).
  3. In the Request File Name field, enter the name of a new file. CSR files typically have .csr or .txt extension.
  4. In the Key Filename field, click Choose File and select¬†the previously created .key file. It’s probably at the bottom of the list.

  5. If the key file is encrypted, enter the password.
  6. You can optionally change the Digest Method to SHA256.
  7. In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN. This is the field that normally must match what users enter into their browser address bars.
  8. In the Organization Name field, enter your official Organization Name.
  9. Enter IT, or similar, as the Organization Unit.
  10. Enter the City name.
  11. In the State field, enter your state name without abbreviating.
  12. Scroll down and click Create.
  13. Right-click the new .csr file, and click Download.

Get CSR signed by CA, and install certificate on NetScaler

  1. Open the downloaded .csr file with Notepad, and send the contents to your Certificate Authority.

    1. Chrome requires every certificate to have at least one Subject Alternative Name that matches the FQDN entered in Chrome’s address bar. Public CAs will handle this automatically. But for Internal CAs, you typically must specify the Subject Alternative Names manually when signing the certificate.

    2. If the CA asks you for the type of web server, select Apache, or save the CA response as a Base 64 file.
  2. After you get the signed certificate, on the left side of the NetScaler Configuration GUI, expand Traffic Management > SSL > Certificates, and click Server Certificates.
  3. On the right, click Install.
  4. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
  5. In the Certificate File Name field, click the drop-down next to Choose File, and select Local.
  6. Browse to the Base64 (Apache) .cer file you received from the Certificate Authority.
  7. In the Key File Name field, click the drop-down next to Choose File, and select Appliance.
  8. Select the key file you created earlier, and click Open. It’s probably at the bottom of the list.
  9. If the key file is encrypted, enter the password.
  10. Click Install.
  11. The certificate is now added to the list.
  12. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or NetScaler Gateway Virtual Servers.
  13. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix NetScaler Management and Analytics. Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  14. You can also export the certificate files and use them on a different NetScaler.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the NetScaler. This Intermediate Certificate then must be linked to the Server Certificate.

To get the correct intermediate certificate

  1. Log into Windows, and double-click the signed certificate file.
  2. On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
  3. On the Details tab, click Copy to File.
  4. In the Welcome to the Certificate Export Wizard page, click Next.
  5. In the Export File Format page, select Base-64 encoded, and click Next.
  6. Give it a file name, and click Next.
  7. In the Completing the Certificate Export Wizard page, click Finish.

To import the intermediate certificate

  1. In the NetScaler configuration GUI, expand Traffic Management, expand SSL, expand Certificates, and click CA Certificates.
  2. On the right, click Install.
  3. Name it Intermediate or similar.
  4. Click the arrow next to Choose File, select Local, and browse the Intermediate certificate file.
  5. Click Install.

Link Intermediate Certificate to Server Certificate

  1. Go back to Traffic Management > SSL > Certificates >Server Certificates.
  2. Right-click the server certificate, and click Link.
  3. The previously imported Intermediate certificate should already be selected. Click OK.
  4. You might be tempted to link the Intermediate certificate to a Root certificate. Don’t do this. Root certificates are installed on client machines, not on NetScaler. NetScaler must never send the root certificate to the client device.

Export Certificate Files from NetScaler

You can easily export certificate files from the NetScaler, and import them to a different NetScaler.

  1. Go to Traffic Management > SSL > Certificates > Server Certificates.
  2. Move your mouse over the certificate you want to export, and then click the information icon on the far left.
  3. Note the file names. There could be one or two file names.
  4. On the left, go to Traffic Management > SSL.
  5. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  6. Find the file(s) in the list, right-click it, and click Download.
    1. While it seems like you can download multiple files, actually, it only downloads one at a time.
    2. You might have to increase the number of files shown per page, or go to a different page.
  7. Also download the files for any linked intermediate certificate.
  8. You can now use the downloaded files to install certificates on a different NetScaler.

Default Management Certificate Key Length

To see the key size for the management certificate, right-click the ns-server-certificate (Server Certificate), and then click Details.

If the management certificate key size is less than 2048 bits, simply delete the existing ns-server-certificate certificate files, and reboot. NetScaler will create a new management certificate with 2048-bit keys.

  1. Go to Traffic Management > SSL.
  2. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  3. Highlight any file named ns-* and delete them. This takes several seconds.
  4. Then go to the System node, and reboot.
  5. After a reboot, if you view the Details on the ns-server-certificate, it will be recreated as self-signed, with 2048-bit key size.

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

High Availability – When a management certificate is installed on one node of a High Availability pair, the certificate is synchronized to the other node, and used for the other node’s NSIP. So make sure the management certificate matches the DNS names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some names the management certificate should match (note: a wildcard certificate won‚Äôt match all of these names):

  • The FQDN for each node’s NSIP. Example: ns01.corp.local and ns02.corp.local
  • The shortnames (left label) for each node’s NSIP. Example: ns01 and ns02
  • The NSIP IP address of each node. Example: 192.168.123.14 and 192.168.123.29
  • If you enabled management access on your SNIPs, add names for the SNIPs:
    • FQDN for the SNIP. Example: ns.corp.local
    • Shortname for the SNIP. Example: ns
    • SNIP IP address. Example: 192.168.123.30

Request Management Certificate

If you are creating a Subject Alternative Name certificate, it’s probably easiest to request a SAN certificate from an internal CA using the MMC Certificates snap-in on a Windows box.:

  1. Open the MMC certificates snap-in by running certlm.msc on a Windows 2012 or newer machine.
  2. Go to Personal, right-click Certificate, expand All Tasks, and click Request New Certificate.
  3. A web server certificate template should let you specify subject information.
  4. In the top half, change the Subject name > Type drop-down to Common Name. Enter a DNS name, and click Add to move it to the right.
  5. In the bottom half, change the Alternative Name > Type drop-down to either DNS or IP address (v4). Type in different names or IPs as detailed earlier, and click Add to move them to the right.

  6. On the Private Key tab, expand Key Options, and make sure Mark private key as exportable is checked.
  7. Then finish Enrolling the certificate.
  8. Export the certificate and Private Key to a .pfx file.

  9. On the NetScaler, if you want to encrypt the private key, then use the Traffic Management > SSL > Import PKCS#12 tool to convert the .pfx to PEM format.

  10. Then follow one of the procedures below to replace the management certificate.

Methods of replacing the Management Certificate

There are two methods of replacing the management certificate:

  • In the NetScaler GUI, right-click¬†ns-server-certificate, and click¬†Update. This automatically updates all of the Internal Services bindings too. This method is intended for dedicated management certificates, not wildcard certificates. Notes:
    • You cannot rename the ns-server-certificate in the NetScaler GUI. It remains as ns-server-certificate.
    • ns-server-certificate¬†cannot be bound to Virtual Servers. So make sure you are replacing it with a dedicated management certificate.
  • Or manually Bind¬†a new management certificate to each of the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https, so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, expand Certificates, and click Server Certificates.
  3. On the right, right-click ns-server-certificate, and click Update.
  4. Check the box next to Click to update the certificate and key.
  5. Click Choose File, and browse to the new management certificate. It could be on the appliance, or it could be on your local machine.
  6. If the PEM private key is encrypted, enter the password.
  7. Check the box next to No Domain Check. Click OK.
  8. Click Yes to update the certificate.
  9. You can now connect to the NetScaler using https protocol. The certificate should be valid, and it should have a 2048 bit key.

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

  1. You can’t update the certificate while connected to the NetScaler using https, so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, expand Certificates, and click Server Certificates.
  3. On the right, use the Install button to install the new management certificate.

  4. Go to Traffic Management > Load Balancing > Services.
  5. On the right, switch to the Internal Services tab.
  6. Right-click one of the services, and click Edit.
  7. Scroll down, and click where it says 1 Server Certificate.
  8. Click Add Binding.
  9. Click where it says Click to select.
  10. Click the radio button next to the new management certificate, and click Select.
  11. Click Bind, and click Close.
  12. Click Close.
  13. If Default SSL Profile is not enabled, then you can modify the SSL Parameters and/or Ciphers on each of these Internal Services.
  14. Repeat for the rest of the internal services. There should be at least 6 services. Additional Internal Services are created for SNIPs with management access enabled, and High Availability.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP.

  1. Connect to the NSIP using https.
  2. On the left, expand System, expand Network, and click IPs.
  3. On the right, right-click your NetScaler IP, and click Edit.
  4. Near the bottom, check the box next to Secure access only, and then click OK.
  5. If you are connected using http, the page will reload using https.

    set ns ip 10.2.2.126 -gui SECUREONLY
  6. Repeat this procedure on the secondary appliance.
  7. Repeat for any SNIPs that have management access enabled.

Also see:

SSL Certificate ‚Äď Update

There are two options for updating a certificate:

  • Create or Import a new certificate to NetScaler > Traffic Management > SSL > Certificates > Server Certificates. Then find all of the places the original certificate is bound, and manually replace the original certificate binding with the new certificate. This method is obviously prone to errors.
  • On NetScaler, simply right-click the existing certificate, and click Update. This automatically updates all of the bindings. Much faster and easier.

To update a certificate using the Update method:

  1. Create an updated certificate, and export it as .pfx file (with private key). Don’t install the certificate onto NetScaler yet, but instead, simply have access to the .pfx file.
  2. In NetScaler, navigate to Traffic Management > SSL > Certificates > Server Certificates.
  3. On the right, right-click the certificate you intend to update, and click Update.
  4. Check the box next to Update the certificate and key.
  5. Click Choose File > Local, and browse to the updated .pfx file.
  6. NetScaler will prompt you to specify the .pfx file password.
  7. Click OK. This will automatically update every Virtual Server on which this certificate is bound.
  8. Intermediate certificate – After replacing the certificate, you might have to update the cert link to a new Intermediate certificate.
    1. Right-click the updated certificate, and click Cert Links, to see if it is currently linked to an intermediate certificate.
    2. If not, right-click the updated certificate, and click¬†Link, to link it to an intermediate certificate. If it doesn’t give you an option to link it to, then you’ll first have to install the new intermediate certificate on the NetScaler.

Certificates can also be updated in NetScaler Management and Analytics System.

Certificates can be updated from the CLI by running update ssl certKey MyCert. However, the certificate files must be stored somewhere on the appliance, and already be in PEM format.

3 thoughts on “NetScaler 12 Certificates”

  1. Hello Carl!
    Thank you for great articles!

    I have one question about SSL. One of imprted CA certificates shown in NS as expired. In details I can see as follow:
    Valid From
    Jan 14 08:41:47 2009 GMT
    Valid To
    Jan 14 08:42:2108 GMT

    There is no “sec” value. “year” value has been moved to “sec”. So strange issue. Windows console shows it as ‚Äé14 Jan ‚Äé2108 11:42:12 and valid. Could you give me some advice to solve it please?

    1. There have been several issues with how certificates are read in 11.1 and newer. You might have to open a support case so they can fix it.

Leave a Reply