Tuesday, June 5, 2012

Recreating SSL certificate on a Citrix NetScaler VPX 1000 with the private key and CA issued certificate crt file

I’ve come across an issue over the past few months where the SSL certificate issued by a public CA has gone missing due to various reasons and since I had to reference my notes, I thought it would be worth while blogging this in case I ever need to do it again in the future.  As most NetScaler administrators would know, obtaining an SSL certificate issued by a public Certificate Authority requires generating a private key file with the .key extension and a file with the .csr on the NetScaler, submit the CSR file to a public CA, then obtain the .crt file to complete generating the certificate.  All 3 of these files are ultimately copied onto the NetScaler appliance so assuming you haven’t deleted them, all you need to do is open up the Access Gateway VPX’s administrative console, navigate to SSL –> Certificates:


Right click on the window on the right and select Install:


You will then be presented with the following window:


Note the following fields to be entered:

Certificate-Key Pair Name – This is just a logical name you give to the certificate so name it as the name you like.

Certificate File Name – This is the crt file that you downloaded from your public CA after submitting the CSR.

Private Key File Name – This is the .key file that you created when generating a private key for your NetScaler VPX appliance.

Password – This is the password you created during generating the keys.


Once you’ve filled out the fields as shown above, proceed by clicking the Install button and you should now see your certificate:



Note that if you encounter the following error during the install:

Certificate with key size greater than RSA512 or DSA512 bits not supported


… it can mean that you have a licensing issue on your NetScaler.  Check the licenses on your NetScaler to ensure none of them are labeled as invalid.

One of the ways to check is to SSH over to the NetScaler VPX, type the following:

cd /var/log
cat license.log


Notice how I’m seeing some license errors in the screenshot below:


1 comment:

RajKris said...

Great stuff, thank you