Using OpenSSL to split .pfx files to .pem format (Citrix NetScaler)

Whilst on the field, integrating NetScalers – one of the most common tasks would be to install the relevant SSL certificates on the appliance. This would be either for SSL Offloading, Secure Management (HTTPS for GUI) or to deploy a wildcard for your NetScaler Gateway FQDN (aka Access Gateway).

Note: The Certificate Signing Request (CSR) can either be done on the NetScaler itself or any IIS or webservers.

Let’s assume this is an IIS server and the logical process flow will be –

  1. Task – Generate CSR with relevant FQDN (*
  2. Submit it to the Certificate Authority (for external – Go Daddy etc..)
  3. Import the SSL Cert file into IIS and bob’s your uncle.

Hang on, now how do I get this onto the NetScaler!? Just export it… but it’s got a private key and it’s in “.pfx” format!

OpenSSL to the rescue!

The Citrix NetScaler has got a built-in utility called OpenSSL. You’ll need to either use the NetScaler GUI or WinScP to copy the .pfx to the appliance. The default cert location on the NetScaler is /nsconfig/ssl

Screengrab -WinScp

Default directory of SSL Certs on a NetScaler

Once the .PFX file has been uploaded to the above directory. Follow these steps –

  • Drop into the NetScaler shell and change directory to /nsconfig/ssl

 > shell
root@VPX-SiteA# cd /nsconfig/ssl
root@VPX-SiteA# pwd

  • Extract the WildCard cert first

root@VPX-SiteA# openssl pkcs12 -in COMPANY-WILDCARD.pfx -clcerts -nokeys -out COMPANY-WILDCARD.pem

Enter Import Password:

MAC verified OK


  •  Next, extract the Private Key (if there is one!) and enter your private key password that was set originally.
root@VPX-SiteA#openssl pkcs12 -in COMPANY-WILDCARD.pfx -nocerts  -out COMPANY-Privkey.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
  • Now your ready to import these two files (.PEM and .KEY) into your NetScaler
Installing the WildCard Cert and its Private Key on the NetScaler

Installing the WildCard Cert and its Private Key on the NetScaler


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s