Tuesday, May 10, 2016

Importing PFX certificate from Microsoft Windows Server into Citrix NetScaler VPX

One of the most common Citrix NetScaler questions I’ve been asked by colleagues and clients is how to import a PFX certificate from a Microsoft Windows Server into Citrix NetScaler and while there is a KB from Citrix demonstrating this process via the GUI:

How to Convert PFX Certificate to PEM Format for Use with NetScaler
http://support.citrix.com/article/CTX136444

… there did not appear to be any instructions performing this via the command line so this post serves to demonstrate the process.

Step #1 - Export the certificate to PFX

Begin by logging onto the server with the certificate installed, launch the certificate store (certlm.msc) and export the certificate with the private key as a PFX:

image

imageimage

imageimage

image

Step #2 (Optional) - Export the certificate to CER

Exporting the certificate as a CER file without the private key is optional as you can create the CER file from the PFX file on the NetScaler but if you are performing the export from the Microsoft server, go ahead and create this file as well:

imageimage

Note that you should export the file as Base-64:

imageimage

Step #3 - Upload PFX and CER file

With the files exported, proceed to upload them to the NetScaler’s /nsconfig/ssl directory with either WinSCP or via the web management portal by navigating to Traffic Management > SSL then click on Manage Certificates / Keys / CSRs:

image

Use the Upload button to upload the files:

image

Step #4 (Optional) - CER file

If you’ve exported the certificate without the private key as a .cer file then this step could be skipped but if you had no control over the export and was only given a .pfx file then you can execute the following commands to generate the .cer file on the NetScaler:

shell

cd /nsconfig/ssl

openssl pkcs12 -nokeys -in certificate.pfx -out certificate.cer

image

You should now see a .cer file:

image

Step #5 - Generate .KEY file

The next file we will need to generate is the key file (also known as pem) using the uploaded PFX that contains the private key. Proceed by executing the following commands:

shell

cd /nsconfig/ssl

openssl pkcs12 -nocerts -nodes -in certificate.pfx -out tempcertificate.key -des3

openssl rsa -in tempcertificate.key -out certificate.key

rm tempcertificate.key

image

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

***Note that the reason why we needed to create a tempcertificate.key file is because the following error would be thrown if we do not use the openssl rsa command to remove any hidden space control characters:

ERROR: Invalid private key, or PEM pass phrase required for this private key

image

See the following Citrix Knowledge Base article for more information:

ERROR: "Invalid private key, or PEM pass phrase required for this private key" on NetScaler Appliance
http://support.citrix.com/article/CTX134233

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

The commands displayed above is the equivalent of the operations performed in the GUI demonstrated in the following screenshots:

image

image

Step #6 – Installing Certificate onto the NetScaler

With the .key and .cer file on the NetScaler we can now proceed to install the certificate by executing the following command:

add ssl certKey www-contoso-com -cert certificate.cer -key certificate.key -password P@ssw0rd -expiryMonitor ENABLED -notificationPeriod 30

image

You can view the property details of newly installed certificate by executing the following command:

show ssl certKey www-contoso-com

The commands displayed above is the equivalent of the operations performed in the GUI demonstrated in the following screenshots:

image

image

No comments: