Importing and replacing certificates on a Netscaler is not always smooth, because certificates and private keys come in different types and formats.
Let’s say we received a public/private key combination from an official CA in .pfx format. How do you import it into your Netscaler?
- If not already present on your system, install OpenSSL for Windows (there is also a Linux version if preferred)
- Export the private key file from the pfx file (you will need to give the pfx-password)
    openssl pkcs12 -in filename.pfx -nocerts -out key.pem
- Export the certificate file from the pfx file (you will need to give the pfx-password & create a new password for the key-file)
    openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
- Remove the passphrase from the private key (you will need to enter the generated password from step 3)
    openssl rsa -in key.pem -out server.key
- Login to the Netscaler GUI
- Navigate in the left pane to “SSL”
- In the right pane click “Manage Certificates / Keys / CSRs”
- Upload the files server.key and cert.pem (make sure not to overwrite files, if needed rename the files and keep the extensions)
- Click “Close”
- In the right pane click “Certificate Wizard”
- Click “Next” and 3 times “Skip”
- Enter a Friendly Display Name
- For Certificate File Name select cert.pem
- For Private Key File Name select server.key
- Leave the rest default and click “Next”, “Finish” and “Exit”
- If everything went fine it should state that the operation was successful
- The certificate is now installed on the Netscaler but not yet bound to a VIP or CAG – VIP. In this example we will show how to replace a certificate on a CAG – VIP
- In the left pane navigate to “Access Gateway” – “Virtual Servers”
- Open the “virtual server” which needs to have the new certificate
- Select the new certificate in the left list and click “Add”, then select the old certificate in the right list and click “Remove”
- Click “OK”, changes are active immediately
- Check the functionality of your CAG
- If everything works fine, navigate in the left pane to “SSL” – “Certificates”
- Right click the old certificate and click “Remove”
- Click “Save” in the GUI.
- Logoff
- Done!
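
The OpenSSL steps above, as an added example that is not part of the original post: a non-interactive version that also checks that cert.pem and server.key belong together and that the key really has no passphrase before you upload them. The function names and the PFX_PASS environment variable are assumptions of this example, and the sample PFX is constructed test data generated locally.

```shell
#!/bin/sh
# Added example, not from the original post. The PFX password is read from
# $PFX_PASS (env: keeps it off the command line); function names are hypothetical.

# Build a constructed, self-signed test PFX standing in for the CA-issued file.
make_sample_pfx() {  # make_sample_pfx DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cag.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/sample.key" -in "$1/sample.crt" \
        -out "$1/filename.pfx" -passout env:PFX_PASS
}

# The three openssl steps from the post, non-interactive; leaves cert.pem + server.key.
split_pfx() {  # split_pfx PFX OUTDIR
    (
        umask 077   # server.key is written without a passphrase: owner-only
        openssl pkcs12 -in "$1" -nocerts -out "$2/key.pem" \
            -passin env:PFX_PASS -passout env:PFX_PASS 2>/dev/null &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert.pem" \
            -passin env:PFX_PASS 2>/dev/null &&
        openssl rsa -in "$2/key.pem" -out "$2/server.key" \
            -passin env:PFX_PASS 2>/dev/null &&
        rm -f "$2/key.pem"   # the intermediate encrypted key is no longer needed
    )
}

# Succeeds only if the certificate's public key equals the private key's public half.
pair_matches() {  # pair_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the key file carries no passphrase.
key_is_plain() {  # key_is_plain KEY
    ! grep -q 'ENCRYPTED' "$1"
}

# Usage: PFX_PASS='...' sh split_pfx.sh filename.pfx outdir
if [ "$#" -eq 2 ]; then
    split_pfx "$1" "$2" && pair_matches "$2/cert.pem" "$2/server.key" &&
        key_is_plain "$2/server.key" && echo "cert.pem and server.key match"
fi
```

Because server.key is stored without a passphrase, delete the local copies once the upload to the Netscaler has succeeded.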