ASK SSL Support Desk – Why Can I not Create a PFX From a Citrix Netscaler?

What is Ask SSL Support Desk?
It is a summary of random questions that have come to the attention of Acmetek’s most awesome technical support reps, answered and shared in the SSL Support Desk’s SSL Library, which is designed to teach and educate the community.

Question:
I’m trying to create a pfx file for wildcard cert *.example.com in Citrix Netscaler but I am failing to do so. I’ve cross-checked with the following directions. What am I doing wrong?

http://www.digicert.com/csr-creation-ssl-installation-citrix-netscaler.htm#netscaler_vpx_create_csr

Short Answer:
That is because Citrix Netscaler cannot create pfx files.


Netscaler cannot create pfx format files.
It creates files in PEM (Apache) format.

Netscaler systems do, on the other hand, have the ability to import a pfx file, but that pfx file has to be created on a server or application that is able to create one. A pfx, also known as a p12 (PKCS#12), is a keystore file that stores the public key (the SSL certificate) along with the private key and any chaining intermediate CA certificates. Windows IIS/Exchange systems use pfx files for their encryption.

So in a scenario where a wildcard certificate (*.example.com) is being used in an organization and that SSL certificate needs to be applied to multiple different systems, it’s best to plan ahead and know what type of SSL certificate keypair format those systems will need.

If I already know I have a Windows IIS system (using pfx files) that is going to use a wildcard certificate, I should first create my CSR keypair on the IIS system. After enrolling for an SSL certificate and getting it issued, I would install the SSL certificate back into the IIS system, then export the SSL certificate as a pfx file, and then import the pfx, which would contain the private key, into the Netscaler.

How to move certificate from Windows to Citrix Netscaler?
https://www.sslsupportdesk.com/move-certificate-windows-citrix-netscaler/

If you think you can create a CSR keypair from a Netscaler and get a pfx file to import into a Windows IIS system, then you are going to have a bad time. It’s best to do it the other way around: first create the keypair/CSR on Windows and then export/import into Netscaler.
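
Before importing a pfx exported from IIS into the Netscaler, it is worth confirming that the bundle really contains the private key and that the key belongs to the certificate. The script below is an added example, not part of the original post; it assumes the `openssl` command-line tool is available, and the names `pfx_check`, `make_samples` and `PFX_PASS` are made up for this illustration.

```shell
#!/bin/sh
# Added example: pre-import sanity check for a PFX (PKCS#12) bundle.
# The password is read from $PFX_PASS so it never appears in the process list.

# pfx_check FILE
#   0 = private key present and matches the leaf certificate
#   1 = bundle readable but contains no private key
#   2 = unreadable (wrong password, or not a PKCS#12 file)
#   3 = private key does not match the leaf certificate
pfx_check() {
    pfx=$1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -noout 2>/dev/null || {
        echo "$pfx: cannot open (wrong password or not PKCS#12)"; return 2; }

    # Derive public keys in pipes; the private key is never written to disk.
    key_pub=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) || key_pub=""
    [ -n "$key_pub" ] || { echo "$pfx: no private key in bundle"; return 1; }

    leaf_pub=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
               openssl x509 -pubkey -noout 2>/dev/null) || leaf_pub=""
    # Count intermediate/CA certificates shipped alongside the leaf.
    chain=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys 2>/dev/null |
            grep -c 'BEGIN CERTIFICATE' || true)

    [ "$key_pub" = "$leaf_pub" ] || { echo "$pfx: key does not match leaf"; return 3; }
    echo "$pfx: key matches leaf certificate; $chain chain certificate(s) included"
}

# Constructed sample input (not from the page): a throwaway self-signed
# wildcard pair for *.example.com, bundled once with and once without its key.
make_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.com' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout env:PFX_PASS -out "$dir/full.pfx" &&
    openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
        -passout env:PFX_PASS -out "$dir/certonly.pfx"
}
```

Export `PFX_PASS` with the pfx password before calling `pfx_check`; a return code of 1 means the file was exported without its private key and needs to be re-exported from the Windows system.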


Posted by:
Dominic Rafael
Senior Lead IT Engineer