If you are looking for a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL Certificates, we recommend that you use the DigiCert® Certificate Utility for Windows. For more information about our utility, see DigiCert® Certificate Utility for Windows.
If you have a Microsoft server or workstation, you can use the DigiCert Certificate Utility to create your CSR and private key. Then, after ordering and receiving your SSL Certificate, you use this same utility to import the certificate files to the computer from which you generated the CSR and export them as Apache format certificate files.
Next, you use your Citrix NetScaler device interface to upload and install your SSL Certificate, private key, and Intermediate Certificate. Finally, you use your Citrix NetScaler device interface to bind your SSL Certificate to a virtual server.
If you prefer not to use the DigiCert Utility or for some reason cannot use the utility, see Citrix NetScaler VPX: Create CSR and Install SSL Certificate.
Use these instructions to create your CSR (certificate signing request) and then to install your SSL and intermediate certificates.
- To create your CSR, see Citrix NetScaler VPX: Creating Your CSR with the DigiCert Utility.
- To install your SSL Certificate, see Citrix NetScaler VPX: Using the DigiCert Utility & NetScaler to Install Your SSL Certificate.
These instructions were created using the DigiCert® Certificate Utility for Windows and Citrix NetScaler 10.1 VPX (50). Depending on which version of Citrix NetScaler VPX you are using, you may need to modify the NetScaler parts of these instructions accordingly. For example, in these instructions, the SSL node is a sublevel node to the top level Traffic Management node. In some situations, the SSL node is a top level node.
These instructions may be applicable to the following versions of Citrix NetScaler VPX (10, 50, 200, 1000, and 3000):
- Citrix NetScaler 10.5+ VPX
- Citrix NetScaler 10.1+ VPX
- Citrix NetScaler 10.0+ VPX
- Citrix NetScaler 9.3+ VPX
1. Citrix NetScaler VPX: Creating Your CSR with the DigiCert Utility
The DigiCert® Certificate Utility for Windows streamlines the Citrix NetScaler CSR creation process. Because the utility lets you create the RSA key (private key) during the same process used to create your CSR, you can generate the RSA Key (private key) and the CSR with one click.
NetScaler: How to Create Your CSR Using the DigiCert Certificate Utility
- On your Windows server or workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
- Run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.
- On the Create CSR page, enter the following information:
  - Certificate Type: Select SSL.
  - Common Name: Type the name to be used to access the certificate. This name is usually the fully qualified domain name (FQDN). For example, www.yourdomain.com or yourdomain.com
  - Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, type any SANs that you want to include. (i.e. www.example.com, www.example2.com, and www.example3.net)
  - Organization: Type your company's legally registered name (i.e. YourCompany, Inc.).
  - Department: (Optional) Enter the department within your organization that you want to appear on the SSL Certificate.
  - City: Type the city where your company is legally located.
  - State: In the drop-down list, select the state where your company is legally located. If your company is located outside the USA, you can type the applicable name in the box.
  - Country: In the drop-down list, select the country where your company is legally located.
  - Key Size: In the drop-down list, select 2048.
  - Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
- When you are finished, click Generate.
- On the DigiCert Certificate Utility for Windows® - Create CSR page, do one of the following, and then, click Close:
  - Click Copy CSR. Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
  - Click Save to File. Saves the CSR as a .txt file to the Windows server or workstation. We recommend that you use this option.
- Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
  Note: During your DigiCert SSL Certificate ordering process, make sure that you select Citrix (Other) when asked to Select Server Software. This option ensures that you receive all the required certificates for Citrix NetScaler Certificate Installation (Intermediate and SSL Certificates).
- After you receive your SSL Certificate from DigiCert, you can install it.
2. Citrix NetScaler VPX: Using the DigiCert Utility & NetScaler to Install Your SSL Certificate
If you have not yet used the DigiCert Certificate Utility to create a CSR and ordered your certificate, see Citrix NetScaler VPX: Creating Your CSR with the DigiCert Utility.
After receiving your SSL Certificate, you need to install it on your NetScaler VPX device, and then you can bind it to your virtual server.
To install and configure your SSL Certificate, do the following:
- Use the DigiCert Utility to import your SSL Certificate to your Microsoft server or workstation.
  How to Import Your SSL Certificate Using the DigiCert Certificate Utility
- Use the DigiCert Utility to export your SSL Certificate, along with its RSA key (private key), and the DigiCertCA Intermediate Certificate in an Apache compatible format.
  How to Export Your SSL Certificate Using the DigiCert Certificate Utility
- Install the SSL Certificate on your Citrix NetScaler VPX device.
- Bind your SSL Certificate to a virtual server.
  NetScaler VPX: How to Bind Your SSL Certificate to a Virtual Server
- (Optional) Delete the SSL Certificate from your server or personal computer.
  How to Remove the SSL Certificate from Your Server or Personal Computer
i. How to Import Your SSL Certificate Using the DigiCert Certificate Utility
- On the Windows server or workstation where you created the CSR, open the ZIP file containing your SSL Certificate and save the contents of the file (i.e. your_domain_name.cer) to the folder where you saved the DigiCert Utility executable (DigiCertUtil.exe).
- Run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Import.
- In the Certificate Import wizard, click Browse to browse to the .cer (i.e. your_domain_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then, click Next.
- In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
  We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: netscaler.cert-digicert-expiration.date. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
- To import the SSL Certificate to your server, click Finish.
  You should receive a message that the certificate was successfully imported.
- You should now see your SSL Certificate in the DigiCert Certificate Utility for Windows©, under SSL Certificates.
- You are now ready to export your SSL Certificate in the Apache format for installing on your Citrix NetScaler VPX device.
ii. How to Export Your SSL Certificate Using the DigiCert Certificate Utility
After importing your SSL Certificate to your Microsoft server or workstation, you use the DigiCert Certificate Utility to export your SSL Certificate, its RSA key (private key) and the DigiCertCA Intermediate Certificate in an Apache file format.
- Run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL Certificate that you want to export, and then, click Export Certificate.
- On the Certificate Export page, select Yes, export the private key, then select key file (Apache compatible format), and finally, click Next.
- Click … to browse to the location where you want to save the .key and .crt files and then, click Save.
  Note: The SSL Certificate and DigiCertCA Intermediate Certificate .crt files are .pem formatted; a .crt extension is used instead of the .pem.
- To export the SSL Certificate, private key, and intermediate certificate, click Finish.
  You should receive a message that the certificate was successfully exported.
- Open the folder where you saved your .key and .crt files and copy the following files to your Citrix NetScaler VPX device:
  - Private Key: your_domain_com.key
  - SSL Certificate: your_domain_com.crt
  - Intermediate Certificate: DigiCertCA.crt
- You are now ready to install your SSL Certificate and its private key and the intermediate certificate to your Citrix NetScaler VPX device.
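A check you can run on the exported files before uploading them, as an added example (not DigiCert's or Citrix's code): it confirms that the .crt files really are PEM, that the private key matches the certificate, and that the certificate verifies against the intermediate. It assumes the openssl command-line tool is available; the function names and the demo file generator are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for the exported .key/.crt files.
# Function names are hypothetical; requires the openssl CLI.

# Succeeds if FILE is a PEM-encoded X.509 certificate (not DER).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Succeeds if KEY and CRT carry the same public key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if CRT verifies against CA; -partial_chain lets an
# intermediate (not only a root) act as the trust anchor.
issued_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_export KEY CRT CA: prints each failure, returns the failure count.
check_export() {
    fails=0
    is_pem_cert "$2" || { echo "FAIL: $2 is not PEM"; fails=$((fails + 1)); }
    is_pem_cert "$3" || { echo "FAIL: $3 is not PEM"; fails=$((fails + 1)); }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match $2"; fails=$((fails + 1)); }
    issued_by "$2" "$3" || { echo "FAIL: $2 not issued by $3"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample input: a throwaway CA, a leaf it signs, and an unrelated key.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/DemoCA.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/DemoCA.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Real use: sh check.sh your_domain_com.key your_domain_com.crt DigiCertCA.crt
if [ "$#" -eq 3 ]; then check_export "$@"; fi
```

A non-zero exit status is the number of failed checks; a key mismatch here would otherwise only surface when NetScaler rejects the certificate-key pair.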
iii. NetScaler VPX: How to Install Your SSL Certificate
To install your SSL Certificate, you need to install your SSL Certificate, its private key, and the DigiCertCA Intermediate Certificate. Then, link your SSL Certificate to the DigiCertCA Intermediate Certificate.
Install Your SSL Certificate and Private Key
- Log into your NetScaler device console.
- In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.
- On the NetScaler > Traffic Management > SSL page, under Tools, click Manage Certificates / Keys / CSRs.
- In the Manage Certificates / Keys / CSRs window, click Upload to locate, select, and upload the following files:
  - SSL Certificate: your_domain_com.crt
  - Private Key: your_domain_com.key
  - Intermediate Certificate: DigiCertCA.crt
- In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management > SSL and then click Certificates.
- On the NetScaler > Traffic Management > SSL > SSL Certificates page, click Install.
- In the Install Certificate window, enter the following information:
  - Certificate-Key Pair Name*: Create a name for the certificate (i.e. Example).
  - Certificate File Name*: i. In the Browse drop-down list, select Appliance. ii. Click Browse to browse to and select your SSL Certificate file (i.e. /nsconfig/ssl/your_domain_com.crt). iii. Click Select and then click Open.
  - Key File Name: i. In the Browse drop-down list, select Appliance. ii. Click Browse to browse to and select your private key file (i.e. /nsconfig/ssl/your_domain_com.key). iii. Click Select and then click Open.
  - Certificate Format: Select PEM. The SSL Certificate .crt file is .pem formatted; a .crt extension is used instead of the .pem.
  - Password: N/A (leave blank)
  - Certificate Bundle: If you have this option, Do Not check it.
  - Notify When Expires: Select Enabled to be notified before your certificate expires.
  - Notification Period: Enter the number of days before the certificate expires that you want to be notified.
- When you are finished, click Create and then click Close.
- On the NetScaler > Traffic Management > SSL > SSL Certificates page, your SSL Certificate is added to the list of certificates.
Install the DigiCertCA Intermediate Certificate
- In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management > SSL and then click Certificates.
- On the NetScaler > Traffic Management > SSL > SSL Certificates page, click Install.
- In the Install Certificate window, enter the following information:
  - Certificate-Key Pair Name*: Type DigiCertCA.
  - Certificate File Name*: i. In the Browse drop-down list, select Appliance. ii. Click Browse to browse to and select the DigiCertCA.crt file (i.e. /nsconfig/ssl/DigiCertCA.crt). iii. Click Select and then click Open.
  - Key File Name: N/A (leave blank).
  - Certificate Format: Select PEM. The DigiCertCA.crt file is .pem formatted; a .crt extension is used instead of the .pem.
  - Password: N/A (leave blank)
  - Certificate Bundle: If you have this option, Do Not check it.
  - Notify When Expires: Do not check this box.
- When you are finished, click Create and then click Close.
- On the NetScaler > Traffic Management > SSL > SSL Certificates page, the DigiCertCA intermediate certificate is added to the list of certificates.
Link Your SSL Certificate to the Intermediate Certificate
- On the NetScaler > Traffic Management > SSL > SSL Certificates page, select your SSL Certificate (i.e. Example) and then in the Actions drop-down list, select Link.
- In the Link Server Certificate(s) window, in the CA Certificate Name* drop-down list, select DigiCertCA and then, click OK.
  Your SSL Certificate is now linked to its intermediate certificate (DigiCertCA.crt).
- You are ready to bind your SSL Certificate to a virtual server.
Verify the SSL and Intermediate Certificates Are Linked
- On the NetScaler > Traffic Management > SSL > SSL Certificates page, select your SSL Certificate (i.e. Example).
- In the Actions drop-down list, select Cert Links.
- In the SSL Certificate Links window, the DigiCertCA certificate should be listed as the CA Certificate Name for your SSL Certificate (i.e. Certificate Name: Example and CA Certificate Name: DigiCertCA).
iv. NetScaler VPX: How to Bind Your SSL Certificate to a Virtual Server
- In the NetScaler console, on the Configuration tab, in the tree menu, expand NetScaler Gateway and then click Virtual Servers.
- On the NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers page, select the virtual server to which you want to bind your certificate and then click Open.
- In the Configure NetScaler Gateway Virtual Server window, on the Certificates tab, in the Available section, select your SSL Certificate and then click Add.
- In the Configured section, select the old certificate (i.e. Test) used to configure the virtual server and click Remove.
- Click OK.
- On the NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers page, in the upper right corner click the save symbol (diskette).
- You have successfully installed and configured your Citrix NetScaler SSL Certificate.
Verifying Your Certificate is Configured Correctly
To verify that you correctly configured the SSL Certificate, use https to visit your website.
Test Your Installation
If your website is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.
v. How to Remove the SSL Certificate from Your Server or Personal Computer
After you have successfully imported the SSL Certificate to the Citrix NetScaler VPX device, as a security precaution it is recommended that you delete the certificate from your server or workstation.
- Open the folder where you saved your .key and .crt files on your Microsoft server or workstation and delete the following files:
  - Private Key: your_domain_com.key
  - SSL Certificate: your_domain_com.crt
  - Intermediate Certificate: DigiCertCA.crt
- Run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), right-click the SSL Certificate that you exported to your Citrix NetScaler VPX device, and then, click Delete Certificate.
- In the Confirm Delete - DigiCert Certificate Utility for Windows© window, click Yes.