Like the majority of server systems, you will install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created. Your private key stays on the server system where the CSR was originally created, and your SSL certificate will not work without this private key file. We will assume that this is the original system.
To install your SSL certificate on Citrix Netscaler, perform the following.
Step 1: Downloading your SSL Certificate & its Intermediate CA certificate:
- If you had the option of server type during enrollment and selected Other, you will receive an x509/.cer/.crt/.pem version of your certificate within the email. Alternately, you can access your Certificate User Portal by the supplied link in the email to pick up the x509 version of your certificate.
- Copy the SSL certificate and make sure to copy the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer. Ensure there are no white spaces, extra line breaks or additional characters.
- Use a plain text editor such as Notepad, paste the content of the certificate and save it with the extension .pem.
- If your intermediate CA certificate for your product is not in the body of the email you can access your Intermediate CA also in a link within that email. Copy and paste the contents of your Intermediate CA into its own Notepad file and save it with a .pem extension also.
Note: Some CAs may require two intermediates for best compatibility. These two are to be copied within their own corresponding .pem files and installed one at a time in a repeated process for intermediate installation.
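The formatting rules in Step 1 (exact header and footer with five hyphens, no white space, extra line breaks or stray characters) can be checked before the file is uploaded. The following is an added example, not part of the original instructions or any Citrix tooling; the function names and the sample input are constructed for illustration, and it checks formatting and completeness only, not signatures or the certificate chain.

```python
import base64
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def der_length_ok(der):
    """True if the bytes are one DER SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short form: the length is this byte
        return len(der) == 2 + der[1]
    count = der[1] & 0x7F  # long form: the next `count` bytes hold the length
    if count == 0 or len(der) < 2 + count:
        return False
    return len(der) == 2 + count + int.from_bytes(der[2:2 + count], "big")


def lint_pem(text):
    """Return the formatting problems found in one pasted PEM certificate."""
    problems = []
    lines = text.splitlines()  # accepts both LF and Notepad's CRLF line endings
    if any(ch in text for ch in "\u2013\u2014"):
        problems.append("typographic dash found; markers need five ASCII hyphens")
    if not lines or lines[0] != HEADER:
        problems.append("first line is not exactly the BEGIN CERTIFICATE header")
    if not lines or lines[-1] != FOOTER:
        problems.append("last line is not exactly the END CERTIFICATE footer")
    for number, line in enumerate(lines[1:-1], start=2):
        if line != line.strip() or not line:
            problems.append(f"line {number}: white space or blank line")
        elif not B64_LINE.match(line):
            problems.append(f"line {number}: character outside base64 alphabet")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return ["body is not valid base64 (partly pasted?)"]
    if not der_length_ok(der):
        problems.append("decoded data is not one complete DER structure (truncated?)")
    return problems


def constructed_pem():
    """Constructed, certificate-shaped sample for the checks (not a real certificate)."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(256))).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *rows, FOOTER]) + "\n"
```

Run `lint_pem(open("ssl_certificate.pem").read())` on each saved .pem file; an empty list means the file is cleanly formatted.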
Step 2: Uploading your SSL Certificate:
- Log in to the Netscaler console.
- On the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.
- Click on the Manage Certificate / Keys / CSRs link.
- Click Upload.
- Select the SSL certificate you downloaded (i.e. ssl_certificate.pem, as described in Step 1) to upload it to the Citrix appliance.
- Click Close.
Step 3: Creating a certificate key pair:
- Expand the SSL node.
- Select the Certificates node.
- On the Certificates page, click Add.
- In the Install Certificate dialogue box, enter the following details:
- Specify a Certificate-Key Pair Name of your choice (e.g. SSLCert).
- Under Certificate File Name, click Browse (Appliance), navigate to your SSL certificate saved locally on the Citrix appliance and select the SSL certificate file (e.g. /nsconfig/ssl/ssl_certificate.pem).
- Under Private key File Name, click Browse (Appliance) and navigate to the private key you used for CSR creation (e.g. /nsconfig/ssl/private.key).
- Under Password, enter the password associated with the private key. Note: this will be the same password you used when you created your private key during CSR creation.
- Click Install.
- Click Close.
Step 4: Install the Intermediate CA Certificate:
- On the NetScaler > Traffic Management > SSL page, under Tools, click Manage Certificates / Keys / CSRs.
- In the Manage Certificates / Keys / CSRs window, click Upload to locate, select, and upload the intermediateCACertificate.pem file.
- In the Install Certificate dialogue box, enter the following details:
- Under Certificate-Key Pair Name, specify a name of your choice (e.g. IntermediateCACertificate, as described in Step 1).
- Under Certificate File Name, click Browse (Appliance), navigate to the Intermediate CA certificate saved locally on the Citrix appliance and select the Intermediate CA certificate file (e.g. /nsconfig/ssl/IntermediateCA.pem).
- Click Install.
- On the SSL Certificates page, select the certificate key pair (the name you chose in Step 3: Creating a certificate key pair) that you want to link to the intermediate CA certificate. Click on your SSL Cert.
- Click Link.
- From the CA Certificate Name list, select the required intermediate CA certificate, IntermediateCACertificate.
Note: You should be able to form a link between the SSL certificate and your intermediate. If you are unable to do so because of an error, double-check the formatting of the certificate in Notepad and make sure it has the required 5 dashes and headers, then double-check that you have the proper intermediate. A wrong intermediate will not link to your server certificate. The intermediate only helps the SSL certificate work with older browsers.
- Click OK.
- To verify that the SSL certificate and Intermediate CA certificate are linked successfully, select Cert Links… at the bottom of the Netscaler console.
- Click OK to link the certificates. You should see a dialog box confirming that the certificates were linked successfully.
- Click OK.
- Click Close.
Step 5: Binding your Server certificate to the virtual host:
Citrix Netscaler will often bind the server certificate to the system automatically if certain conditions are met, such as the old certificate having expired. But sometimes you may have to bind it yourself. You might want to check your system for a good connection before continuing.
If the certificate needs manual binding, perform the following.
- From the NetScaler console, select NetScaler > Access Gateway > Virtual Servers.
- From the Certificates tab, select the server certificate from the list of Available certificates. Click Add to add the certificate to the Configured list.
- Click OK and save the configuration.
Your SSL certificate is now installed and configured for its website.
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports Citrix Netscaler.
Citrix Support
For more information, see the Citrix Support website.