Whilst in the field integrating NetScalers, one of the most common tasks is installing the relevant SSL certificates on the appliance. This is either for SSL offloading, secure management (HTTPS for the GUI) or to deploy a wildcard for your NetScaler Gateway FQDN (aka Access Gateway).
Note: the Certificate Signing Request (CSR) can be generated either on the NetScaler itself or on any IIS or other web server.
Let’s assume this is an IIS server, so the logical process flow will be –
- Generate a CSR with the relevant FQDN (*.wildcard.com)
- Submit it to the Certificate Authority (for external certs, GoDaddy etc.)
- Import the SSL certificate file into IIS and Bob’s your uncle.
Hang on, now how do I get this onto the NetScaler!? Just export it… but it’s got a private key and it’s in “.pfx” format!
OpenSSL to the rescue!
The Citrix NetScaler has a built-in copy of OpenSSL. You’ll need to use either the NetScaler GUI or WinSCP to copy the .pfx to the appliance. The default certificate location on the NetScaler is /nsconfig/ssl.
Once the .PFX file has been uploaded to that directory, follow these steps –
- Drop into the NetScaler shell and change directory to /nsconfig/ssl
> shell
root@VPX-SiteA# cd /nsconfig/ssl
root@VPX-SiteA# pwd
/nsconfig/ssl
- Extract the wildcard certificate first
root@VPX-SiteA# openssl pkcs12 -in COMPANY-WILDCARD.pfx -clcerts -nokeys -out COMPANY-WILDCARD.pem
Enter Import Password:
MAC verified OK
- Next, extract the private key (if there is one!) and enter your private key password that was set originally.
root@VPX-SiteA# openssl pkcs12 -in COMPANY-WILDCARD.pfx -nocerts -out COMPANY-Privkey.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
- Now you’re ready to import these two files (.PEM and .KEY) into your NetScaler.
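The procedure above as an added, runnable example (not from the original post): it builds a throw-away PFX in place of the IIS export, runs the two `openssl pkcs12` extractions with the prompts answered on the command line, and checks that the certificate and key actually belong together before they go anywhere near the NetScaler. The key comes out PEM-encrypted under whatever is typed at the "Enter PEM pass phrase" prompt, so that passphrase is needed again at import time. File names, passwords and the `*.wildcard.com` subject are constructed; only openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces the two "openssl pkcs12"
# extractions against a constructed throw-away PFX, then checks that the extracted
# certificate and private key really belong together before importing the pair.
# Needs openssl on PATH; every file name and password below is made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX="$WORKDIR/COMPANY-WILDCARD.pfx"
CERT="$WORKDIR/COMPANY-WILDCARD.pem"
KEY="$WORKDIR/COMPANY-Privkey.key"
IMPORT_PW="import-secret"   # constructed: password set when the PFX was exported
PEM_PW="pem-secret"         # constructed: passphrase protecting the extracted key

# Stand-in for the PFX exported from IIS: a self-signed wildcard cert and its key.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.wildcard.com" \
        -keyout "$WORKDIR/orig.key" -out "$WORKDIR/orig.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORKDIR/orig.pem" -inkey "$WORKDIR/orig.key" \
        -passout "pass:$IMPORT_PW" -out "$PFX"
}

# The post's two steps, with the prompts answered via -passin/-passout so this
# runs unattended. The key is written PEM-encrypted under PEM_PW.
extract_from_pfx() {
    openssl pkcs12 -in "$PFX" -clcerts -nokeys -passin "pass:$IMPORT_PW" -out "$CERT"
    openssl pkcs12 -in "$PFX" -nocerts -passin "pass:$IMPORT_PW" \
        -passout "pass:$PEM_PW" -out "$KEY"
}

# Exit 0 only if the certificate's public key is the one derived from the private
# key ($1 = cert file, $2 = key file, $3 = key passphrase); a mismatch cannot serve TLS.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Full flow: build the test PFX, extract, verify, report.
run_demo() {
    make_test_pfx
    extract_from_pfx
    if cert_matches_key "$CERT" "$KEY" "$PEM_PW"; then
        echo "OK: $CERT and $KEY belong together"
    else
        echo "MISMATCH: $CERT and $KEY do not belong together" >&2
        return 1
    fi
}
run_demo
```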