CITRIX NETSCALER VPX – CREATE CSR AND INSTALL SSL CERTIFICATE

 

Use these instructions to create your CSR (certificate signing request) and then, to install your SSL and Intermediate Certificates.

These instructions were created using Citrix NetScaler 10.1 VPX (50). Depending on which version of Citrix NetScaler VPX you are using, you may need to modify these instructions accordingly. For example, in these instructions, the SSL node is a sublevel node to the top level Traffic Management node. In some situations, the SSL node is a top level node.

These instructions may be applicable to the following versions of Citrix NetScaler VPX (10, 50, 200, 1000, and 3000):

  • Citrix NetScaler 10.5+ VPX
  • Citrix NetScaler 10.1+ VPX
  • Citrix NetScaler 10.0+ VPX
  • Citrix NetScaler 9.3+ VPX
     
1. CITRIX NETSCALER VPX – CREATE YOUR CSR (CERTIFICATE SIGNING REQUEST)
 

To generate a CSR (certificate signing request), you must first create an RSA key (Rivest, Shamir, and Adleman). Once the RSA key is created, you can generate your CSR (certificate signing request).
 

HOW TO  CREATE AN RSA KEY?

You need to create an RSA Key before you can create your CSR.

1. Log into your NetScaler device console.

2. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.

3. On the NetScaler > Traffic Management > SSL page, under SSL Keys, click Create RSA Key.

4. In the Create RSA Key window, enter the following RSA key information:

  • Key Filename*: Create a name for your file in which the RSA key is stored, making sure to take note of the name (i.e. example.key).
  • Key Size(bits)*: Enter 2048.
  • Public Exponent Value*: In the drop-down list, select 3 (Hex: 0x3) or F4 (Hex: 0x10001). If you do not have a preference, use the default value. This value is part of the cipher algorithm which is required to create your RSA key.
  • Key Format*: In the drop-down list, select PEM. PEM is the recommended format for your SSL Certificate.
  • PEM Encoding Algorithm: (Optional) In the drop-down list, select the algorithm (DES or DES3) that you want to use to encrypt the generated. RSK key. If you leave this box blank, you are not required to enter a passphrase.
  • PEM Passphrase: (Optional) Enter a passphrase used for encryption, making sure to take note of it for use later. If you left the PEM Encoding Algorithm box blank, you cannot enter a passphrase.
  • Confirm PEM Passphrase: (Optional) Enter your passphrase again. If you left the PEM Encoding Algorithm box blank, you cannot confirm a passphrase.

5. When you are finished, click OK and then click Close. Proceed to creating your CSR.

 

NETSCALER VPX – HOW TO CREATE YOUR CSR
 

After creating an RSA key, you are ready to create your CSR and submit it to a trusted CA and order your SSL certificate.

1. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.

2. On the NetScaler > Traffic Management > SSL page, under SSL certificates, click Create CSR (Certificate Signing Request).

3. In the Create CSR (Certificate Signing Request) window, enter the following information:

Request File Name*: Create a request file name (i.e. example.csr).

  • Key Filename*:
    1.  In the Browse drop-down list, select Appliance.
    2. Click Browse to browse to and select your RSA key file you created earlier (i.e. example.key).
    3. Click Select and then click Open.
  • Key Format: Select PEM. PEM is the recommended format for your SSL certificate.
  • Key Format*: In the drop-down list, select PEM. PEM is the recommended format for your SSL certificate.
  • PEM Passphrase: (Optional) Enter your passphrase. If you left the PEM Encoding Algorithm box blank when you created your RSA key, (For Encrypted Key) you are not required to enter a passphrase.
     

4. In the Distinguished Name Fields section, enter the following certificate information:

  • Country*: In the drop-down list, select the country where your company is legally located.
  • State or Province*: Enter the state or providence where your company is legally located.
  • Organization Name**: Enter your company’s legally registered name (i.e. YourCompany, Inc.).
  • City: Enter the city where your company is legally located.
  • Email Address: (Optional) Unless you have reason for providing an email address, you can leave this box blank.
  • Organization Unit: (Optional) Enter the department within your organization that you want to appear on the SSL certificate.
  • Common Name: Enter the name to be used to access the certificate. This name is usually the fully qualified domain name (FQDN). For example, www.yourdomain.com or yourdomain.com

5. In the Attribute Fields section, enter the following information:

  • Challenge Password: Enter a password, making sure to take note of it for use later during certificate installation.
  • Company Name: (Optional) Enter your company name (i.e. YourCompany).
     

6. When you are finished, click OK and then Close.

7. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.

8. On the NetScaler > Traffic Management > SSL page, under Tools, click Manage Certificates / Keys / CSRs.

9. In the Manage Certificates / Keys / CSRs window, select your CSR or request file (i.e. example.csr) and then click View.

10. In the your 'CSR' window (i.e. example.csr), copy the text of your CSR, including the 

—–BEGIN NEW CERTIFICATE REQUEST—– 
and 
—–END NEW CERTIFICATE REQUEST—– 

tags, and paste it into the TRUSTZONE order form.

Note: During your TRUSTZONE SSL certificate ordering process, make sure that you select Citrix (Other) when asked to Select Server Software. This option ensures that you receive all the required certificates for Citrix NetScaler certificate installation (Intermediate and SSL certificates).

11. After you receive your SSL certificate from TRUSTZONE, you can install it.

 

CITRIX NETSCALER VPX – INSTALL YOUR SSL CERTIFICATE
 

After receiving your SSL certificate, you need to install it on your NetScaler VPX device and then, you can bind it to your virtual server.

To install and configure your SSL certificate, do the following:

  • Download your combined SSL and Intermediate Certificate .pem file: How to Download Your Combined SSL and Intermediate Certificate .pem File.

Note: If you selected Citrix (Other) as your server software when you ordered your SSL certificate from TRUSTZONE, the certificate file that we sent you contains both your SSL certificate and the CA Intermediate Certificate and is in the .pem format required for Citrix NetScaler VPX. 

You can simply open the ZIP file containing your SSL certificate that we sent to you, save the SSL certificate file (yourdomain_com.pem) to the Citrix NetScaler VPX device where you generated the CSR, and proceed to the next step: 

  • Install your SSL certificate combined .pem file.
  • Install your SSL Certificate: NetScaler VPX: How to Install Your SSL Certificate
  • Bind your SSL Certificate to a virtual server: NetScaler VPX: How to Bind Your SSL Certificate to a Virtual Server

 

HOW TO DOWNLOAD YOUR COMBINED SSL AND INTERMEDIATE CERTIFICATE .PEN FILE 

 

  • Log into your TRUSTZONE Portal.
  • On the My Orders tab, in the list of your current certificates, select the order number for your new Citrix NetScaler VPX SSL certificate.
  • On the Manage Your…Certificate – Order page, under your Server Certificate image, click Download.

  • In the Download Certificate section, select Other format, in the drop-down list select A single .pem file containing all the certs except for the root, and then, click Download.


     

  • Save your SSL certificate combined .pem file (i.e. yourdomain_com.pem) to your Citrix NetScaler VPX device.

 

NETSCALER VPX – HOW TO INSTALL YOUR SSL CERTIFICATE 
 

1. Log into your NetScaler device console.

2. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.

3. On the NetScaler > Traffic Management > SSL page, under Tools, click Manage Certificates / Keys / CSRs.

4. In the Manage Certificates / Keys / CSRs window, click Upload to locate, select, and upload your SSL Certificate .pem file (i.e. yourdomain_com.pem).

5. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management > SSL and then click Certificates.

6. On the NetScaler > Traffic Management > SSL > SSL Certificates page, click Install.

7. In the Install Certificate window, enter the following information:

  • Certificate-Key Pair Name*: Create a name for the certificate (i.e. Example).
  • Certificate File Name*:
    1.  In the Browse drop-down list, select Appliance.
    2. Click Browse to browse to and select your SSL certificate file (i.e. /nsconfig/ssl/yourdomain_com.pem).
    3. Click Select and then click Open.
  • Key File Name:
    1.  In the Browse drop-down list, select Appliance.
    2. Click Browse to browse to and select your RSA key file (i.e. /nsconfig/ssl/example.key) that you created.
    3. Click Select and then click Open.
     
  • Certificate Format: Select PEM.
  • Password: Enter the password that you used when creating your CSR.
  • Certificate Bundle: Check this box. If you do not have the Certificate Bundle feature, finish installing your SSL certificate. Then, follow the instructions in the Certificate Bundle Note.
  • Notify When Expires: Select Enabled to be notified before your certificate expires.
  • Notification Period: Enter the number of days before the certificate expires that you want to be notified.

8. Click Create and then click Close.

9. On the NetScaler > Traffic Management > SSL > SSL certificates page, your SSL and Intermediate Certificates are added to the list of certificates.

Your SSL certificate is listed by the name that you created for it during installation (i.e. Example) and the Intermediate Certificate is listed by that same name with _ic1 appended to it (i.e. Example_ic1). If you do not have the Certificate Bundle option, you see only your SSL certificate (i.e. Example).

Certificate Bundle Note: If you do not have the Certificate Bundle feature, you need to install the Intermediate Certificate before binding your SSL certificate to a virtual server. See below how to Install the Intermediate Certificate.

 

HOW TO VERIFY THE SSL AND INTERMEDIATE CERTIFICATES ARE LINKED
 

1. On the NetScaler > Traffic Management > SSL > SSL Certificates page, select your SSL certificate (i.e. Example).

2. In the Actions drop-down list, select Cert Links.

3. In the SSL certificate Links window, the _ic1 certificate should be listed as the CA Certificate Name for your SSL Certificate (i.e. Certificate Name: Example and CA Certificate Name: Example_ic1).

 

NETSCALER VPX – HOW TO BIND YOUR SSL CERTIFICATE TO A VIRTUAL SERVER

 

1. In the NetScaler console, on the Configuration tab, in the tree menu, expand NetScaler Gateway and then click Virtual Servers.


 

2. On the NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers page, select the virtual server to which you want to bind your certificate and then click Open.

3. In the Configure NetScaler Gateway Virtual Server window, on the Certificates tab, in the Available section, select your SSL certificate and then click Add.


 

4. In the Configured section, select the old certificate (i.e. Test) used to configure the virtual server and click Remove.

5. Click OK.

6. On the NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers page, in the upper right corner click the save symbol (diskette).

7. You have successfully installed and configured your Citrix NetScaler SSL certificate.

 

VERIFYING YOUR CERTIFICATE IS CONFIGURED CORRECTLY

To verify that you correctly configure the SSL Certificate, use https to visit your website.

 
TEST YOUR INSTALLATION 

If your website is publicly accessible, our TRUSTZONE SSL Labs can help you diagnose common problems.

 

TROUBLESHOOTING 
 
  • ‘Not sending intermediate certificate’ Error

If you received a ‘Not sending intermediate certificate’ error, you need to install the CA Intermediate Certificate as a separate file and link your SSL certificate to it.

  • No Certificate Bundle Feature

If your Citrix NetScaler VPX console does not contain the Certificate Bundle feature you need to install the CA Intermediate Certificate as a separate file and link your SSL certificate to it.

 

HOW TO DOWNLOAD THE INTERMEDIATE CERTIFICATE FOR CITRIX NETSCALER
 

Find your Intermediate and Root CA certificates to complete the installation of Citrix NetScaler VPX. 

Last updated: August 16, 17