Certificates – Citrix ADC 13

Last Modified: Jun 13, 2019 @ 10:04 am

Navigation

💡 = Recently Updated

Change Log

  • Updated screenshots and procedures for ADC 13

Convert .PFX Certificate to PEM Format

You can export a certificate (with private key) from Windows, and import it to Citrix ADC.

To export a Windows certificate in .pfx format

  1. If Windows Server 2012 or newer, on the Windows server that has the certificate, you can run certlm.msc to open the Certificates console pointing at Local Computer.
    1. Or, run mmc.exe, manually add the Certificates snap-in, and point it to Local Computer.
  2. Go to Personal > Certificates.
  3. Right-click the certificate, expand All Tasks, and click Export.
  4. On the Welcome to the Certificate Export Wizard page, click Next.
  5. On the Export Private Key page, select Yes, export the private key, and click Next.
  6. On the Export File Format page, click Next.
  7. On the Security page, check the box next to Password, and enter a new temporary password. Click Next.
  8. On the File to Export page, specify a save location and name the .pfx file. Don’t put any spaces in the filename. Click Next.
  9. In the Completing the Certificate Export Wizard page, click Finish.
  10. Click OK when prompted that the export was successful.

Import a .pfx file to Citrix ADC

Citrix ADC 13 imports .pfx files and uses them in their native encrypted format.

To import the .pfx file:

  1. On the Citrix ADC, expand Traffic Management, and click SSL.
  2. If the SSL feature is disabled, right-click the SSL node, and click Enable Feature.
  3. Go to Traffic Management > SSL > Certificates > Server Certificates.
  4. There are four different certificate nodes:
    1. Server Certificates have private keys. These certificates are intended to be bound to SSL vServers.
    2. Client Certificates also have private keys, but they are intended to be bound to Services so Citrix ADC can perform client-certificate authentication against back-end web servers.
    3. CA Certificates don’t have private keys. The CA certificates node contains intermediate certificates that are linked to Server Certificates. CA certificates can also be used for SAML authentication, and to verify client certificates.
    4. Unknown Certificates list the certificates that don’t fall under the other categories. Some SAML certificates (e.g. Azure) show up here.
  5. On the left, click the Server Certificates node.
  6. On the right, click Install.
  7. Give the certificate (Certificate-Key Pair) a name.
  8. Click the drop-down next to Choose File, select Local, and browse to the .pfx file that you exported earlier.
  9. After browsing to the .pfx file, Citrix ADC will prompt you to enter the Password for the .pfx file. Ignore the Key File Name field.
  10. Then click Install.
  11. If you click the information icon next to the new certificate…
  12. You’ll see that Citrix ADC uses the file in native .pfx format. No PEM conversion.
  13. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or Citrix Gateway Virtual Servers.
  14. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Application Delivery Management (ADM). Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.

To convert PFX to PEM (with Private Key encryption)

If you followed the previous section to import a .pfx in native format, then you can skip this section.

Sometimes you need to convert a .pfx file to PEM format so you can use the PEM certificate on other systems. To use Citrix ADC to convert PFX to PEM, do the following:

  1. In the Citrix ADC Configuration GUI, on the left, expand Traffic Management, and click SSL.
  2. In the right column of the right pane, in the Tools section, click Import PKCS#12.
  3. In the Import PKCS12 File dialog box:
    1. In the Output File Name field, enter a name for a new file where the converted PEM certificate and private key will be placed. This new file is created under /nsconfig/ssl on the Citrix ADC appliance.
    2. In the PKCS12 File field, click Choose File, and browse to the .pfx file.
    3. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    4. By default, the private key in the new PEM file is unencrypted. To encrypt the private key, change the Encoding Format selection to AES256 or DES3. This causes the new PEM file to be password protected, and encrypted.
    5. Enter a permanent password for the new PEM file, and click OK.
  4. You can use the Manage Certificates / Keys / CSRs link to view the new PEM file.

    1. The new file is usually at the bottom of the page.
    2. Right-click the new file, and click View.
    3. Notice that the Private Key is encrypted.
    4. If you scroll down, notice that the file contains both the certificate, and the RSA Private key.
  5. If you want to use this PEM certificate on a different system, then you can right-click the file and Download it.

Install PEM Certificate on Citrix ADC

If you want to bind the PEM certificate to ADC SSL Virtual Servers, then you must first install the PEM certificate. Or you can import a .pfx file in native format as described earlier.

  1. ADC probably won’t import the PEM certificate file if it contains CA certificates. Download the PEM file.

    1. Edit the downloaded file.
    2. Scroll down. Skip the first certificate. Then delete the rest of the certificates in the file. When done, you should have a Private Key and one Certificate (the first one in the file).
    3. Save the file with a new name. You can upload the file, or browse to it later when installing the certificate.
  2. On the left side of the Citrix ADC Configuration GUI, go to Traffic Management > SSLCertificates > Server Certificates.
  3. On the right, click Install.
  4. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
  5. In the Certificate File Name field, click the drop-down next to Choose File, and select Local.
  6. Browse to the PEM file that you downloaded and edited to remove the CA certificates.
  7. Citrix ADC will ask you to enter the Password for the encrypted private key.
  8. Ignore the Key File Name since the converted PEM file contains both the certificate and the key.
  9. Click Install.
  10. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or Citrix Gateway Virtual Servers.
  11. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Application Delivery Management (ADM). Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  12. You can also export the certificate files and use them on a different Citrix ADC.

Create Key and Certificate Request

If you want to create free Let’s Encrypt certificates, see John Billekens’ PowerShell script detailed at Let’s Encrypt Certificates on a NetScaler.

You can create a key pair and Certificate Signing Request (CSR) directly on the Citrix ADC appliance. The CSR can then be signed by an internal, or public, Certificate Authority.

Most Certificate Authorities let you add Subject Alternative Names when creating (or purchasing) a signed certificate, and thus there’s no reason to include Subject Alternative Names in the CSR created on Citrix ADC. You typically create a CSR with a single DNS name. Then when submitting the CSR to the Certificate Authority, you type in additional DNS names.

  • For a Microsoft Certificate Authority, you can enter Subject Alternative Names in the Attributes box of the Web Enrollment wizard.
  • For public Certificate Authorities, you purchase a UCC certificate or purchase a certificate option that lets you type in additional names.

To create a key pair on Citrix ADC

  1. On the left, expand Traffic Management, expand SSL, and click SSL Files.
  2. On the right, switch to the tab named Keys.
  3. Click the button named Create RSA Key.
  4. In the Key Filename box, enter a new filename (e.g. wildcard.key). Key pair files typically have a .key extension.
  5. In the Key Size field, enter 2048 bits.
  6. By default, the private key is unencrypted. To encrypt it, set the PEM Encoding Algorithm drop-down to AES256 or DES3.
  7. Enter a password to encrypt the private key.
  8. Click Create.
  9. The new file is probably at the bottom of the list. Select it and click the button named View.
  10. The Private Key should be encrypted with your chosen encoding algorithm.

To create CSR file

  1. Back in the SSL Files page, on the right, switch to the tab named CSRs.
  2. Click the button named Create Certificate Signing Request (CSR).
  3. In the Request File Name field, enter the name of a new CSR file. CSR files typically have .csr or .txt extension.
  4. In the Key Filename field, click Choose File (Appliance) and select the previously created .key file. It’s probably at the bottom of the list.

  5. If the key file is encrypted, enter the password.
  6. You can optionally change the CSR Digest Method to SHA256. This only applies to the CSR and does not affect the CA-signed certificate.
  7. Citrix ADC 13 lets you specify up to three Subject Alternative Names in the CSR. Some Certificate Authorities ignore this field and instead require you to specify the Subject Alternative Names when purchasing the signed certificate. See CTX232305 How to create a SAN CSR in NetScaler 12.0 57.19.
  8. In the Common Name field, enter the FQDN of the SSL enabled-website. If this is a wildcard certificate, enter * for the left part of the FQDN. This is the field that normally must match what users enter into their browser address bars.
  9. In the Organization Name field, enter your official Organization Name.
  10. Enter IT, or similar, as the Organization Unit.
  11. Enter the City name.
  12. In the State field, enter your state name without abbreviating.
  13. Scroll down and click Create.
  14. The new CSR file is at the bottom of the list. You can select the new .csr file, and click the buttons named View or Download.

Get CSR signed by CA, and install certificate on Citrix ADC

  1. View the CSR file or open the downloaded .csr file with Notepad, and send the contents to your Certificate Authority.

    1. Chrome requires every certificate to have at least one Subject Alternative Name that matches the FQDN entered in Chrome’s address bar. Public CAs will handle this automatically. But for Internal CAs, you typically must specify the Subject Alternative Names manually when signing the certificate.

    2. If the CA asks you for the type of web server, select Apache, or save the CA response as a Base 64 file.
  2. After you get the signed certificate, on the left side of the Citrix ADC Configuration GUI, expand Traffic Management > SSL > Certificates, and click Server Certificates.
  3. On the right, click Install.
  4. In the Certificate-Key Pair Name field, enter a friendly name for this certificate.
  5. In the Certificate File Name field, click the drop-down next to Choose File, and select Local.
  6. Browse to the Base64 (Apache) .cer file you received from the Certificate Authority.
  7. In the Key File Name field, click the drop-down next to Choose File, and select Appliance.
  8. Select the key file you created earlier, and click Open. It’s probably at the bottom of the list.
  9. If the key file is encrypted, enter the password.
  10. Click Install.
  11. The certificate is now added to the list.
  12. You can now link an intermediate certificate to this SSL certificate, and then bind this SSL certificate to SSL and/or Citrix Gateway Virtual Servers.
  13. To automatically backup SSL certificates and receive notification when the certificates are about the expire, deploy Citrix Application Delivery Management (ADM). Also see Citrix CTX213342 How to handle certificate expiry on NetScaler.
  14. You can also export the certificate files and use them on a different Citrix ADC.

Intermediate Certificate

If your Server Certificate is signed by an intermediate Certificate Authority, then you must install the intermediate Certificate Authority’s certificate on the Citrix ADC. This Intermediate Certificate then must be linked to the Server Certificate.

Get the correct intermediate certificate

  1. Log into Windows, and double-click the signed certificate file.
  2. On the Certification Path tab, double-click the intermediate certificate (e.g. Go Daddy Secure Certificate Authority. It’s the one in the middle).
  3. On the Details tab, click Copy to File.
  4. In the Welcome to the Certificate Export Wizard page, click Next.
  5. In the Export File Format page, select Base-64 encoded, and click Next.
  6. Give it a file name, and click Next.
  7. In the Completing the Certificate Export Wizard page, click Finish.

To import the intermediate certificate

  1. In the Citrix ADC configuration GUI, expand Traffic Management, expand SSL, expand Certificates, and click CA Certificates.
  2. On the right, click Install.
  3. Name it Intermediate or similar.
  4. Click the arrow next to Choose File, select Local, and browse to the Intermediate certificate file and open it.
  5. Click Install.

Link Intermediate Certificate to Server Certificate

  1. Go back to Traffic Management > SSL > Certificates >Server Certificates.
  2. On the right, right-click the server certificate, and click Link.
  3. The previously imported Intermediate certificate should already be selected. Click OK.
  4. You might be tempted to link the Intermediate certificate to a Root certificate. Don’t do this. Root certificates are installed on client machines, not on Citrix ADC. Citrix ADC must never send the root certificate to the client device. If you run ssllabs.com against your website, SSL Labs might show Contains anchor. If so, then you linked your intermediate to your root when you shouldn’t have.

Export Certificate Files from Citrix ADC

You can easily export certificate files from the Citrix ADC, and import them to a different Citrix ADC.

  1. In the menu, expand Traffic Management, expand SSL, expand Certificates, and click one of the certificate types.
  2. Move your mouse over the certificate you want to export, and then click the information icon on the far left.
  3. Note the file names. There could be one file name or two file names.
  4. On the left, go to Traffic Management > SSL.
  5. On the right, in the right column, click Manage Certificates / Keys / CSRs.
  6. Find the file(s) in the list, right-click the file, and click Download.
    1. You can only download one file at a time.
    2. In the search area, you can enter “Name:myfilename” to filter the list.
    3. You might have to increase the number of files shown per page, or go to a different page.
  7. Also download the files for any linked intermediate certificate.
  8. You can also use WinSCP to download the SSL certificate files from /nsconfig/ssl.
  9. You can now use the downloaded files to install certificates on a different Citrix ADC.

Replace Management Certificate

You can replace the default management certificate with a new trusted management certificate.

High Availability – When a management certificate is installed on one node of a High Availability pair, the management certificate is synchronized to the other node and used for the other node’s NSIP too. So make sure the management certificate matches the DNS names of both nodes. This is easily doable using a Subject Alternative Name certificate. Here are some SAN names the management certificate should match (note: a wildcard certificate won’t match all of these names):

  • The FQDN for each node’s NSIP. Example: adc01.corp.local and adc02.corp.local
  • The shortnames (left label) for each node’s NSIP. Example: adc01 and adc02
  • The NSIP IP address of each node. Example: 192.168.123.14 and 192.168.123.29
  • If you enabled management access on your SNIPs, add names for the SNIPs:
    • FQDN for the SNIP. Example: adc.corp.local
    • Shortname for the SNIP. Example: adc
    • SNIP IP address. Example: 192.168.123.30

If you prefer to create a separate management certificate for each HA node, then see CTP George Spiers How to secure management access to NetScaler and create unique certificates in a highly available setup.

Request Management Certificate

If you are creating a Subject Alternative Name certificate, it’s probably easiest to request a SAN certificate from an internal CA using the MMC Certificates snap-in on a Windows box.:

  1. Open the MMC certificates snap-in by running certlm.msc on a Windows 2012 or newer machine.
  2. Go to Personal, right-click Certificate, expand All Tasks, and click Request New Certificate.
  3. A web server certificate template should let you specify subject information.
  4. In the top half, change the Subject name > Type drop-down to Common Name. Enter a DNS name, and click Add to move it to the right.
  5. In the bottom half, change the Alternative Name > Type drop-down to either DNS or IP address (v4).
  6. Type in different names or IPs as detailed earlier, and click Add to move them to the right.
  7. Switch to the tab named Private Key.
  8. Expand Key Options, and make sure Mark private key as exportable is checked.
  9. Click OK. Then finish Enrolling the certificate.
  10. Export the certificate and Private Key to a .pfx file.

  11. Then follow one of the procedures below to replace the ADC’s management certificate.

Methods of replacing the Management Certificate

There are two methods of replacing the management certificate:

  • In the Citrix ADC GUI, right-click ns-server-certificate, and click Update. This automatically updates all of the Internal Services bindings too. This method is intended for dedicated management certificates, not wildcard certificates. Notes:
    • You cannot rename the ns-server-certificate in the Citrix ADC GUI. It remains as ns-server-certificate.
    • ns-server-certificate cannot be bound to Virtual Servers, so make sure you are replacing it with a dedicated management certificate.
  • Or manually Bind a new management certificate to each of the Internal Services.

Update Certificate Method

The Update Certificate button method is detailed below:

  1. The Update method doesn’t work with .pfx files so you’ll first have to convert your .pfx to PEM.
    1. In the Citrix ADC Configuration GUI, on the left, expand Traffic Management, and click SSL.
    2. In the right column of the right pane, in the Tools section, click Import PKCS#12.
    3. In the Output File Name field, enter a name for a new file where the converted PEM certificate and private key will be placed. This new file is created under /nsconfig/ssl on the Citrix ADC appliance.
    4. In the PKCS12 File field, click Choose File, and browse to the .pfx file.
    5. In the Import Password field, enter the password you specified when you previously exported the .pfx file.
    6. By default, the private key in the new PEM file is unencrypted. To encrypt the private key, change the Encoding Format selection to AES256 or DES3. This causes the new PEM file to be password protected, and encrypted.
    7. Enter a permanent password for the new PEM file, and click OK.
  2. You can’t update the certificate while connected to the Citrix ADC using https, so make sure you connect using http.
  3. On the left, expand Traffic Management, expand SSL, expand Certificates, and click Server Certificates.
  4. On the right, right-click ns-server-certificate, and click Update.
  5. Check the box next to Click to update the certificate and key.
  6. Click Choose File, and browse to the new PEM (not PFX) management certificate. It could be on the appliance, or it could be on your local machine.
  7. Click Yes to update the certificate.
  8. For the Key File Name, browse to the same PEM certificate file.
  9. If the PEM private key is encrypted, enter the password.
  10. Check the box next to No Domain Check. Click OK.
  11. You can now connect to the Citrix ADC using https protocol. The certificate should be valid (no certificate errors).

Manual Binding Method

The manual Binding to Internal Services method is detailed below:

  1. You can’t update the certificate while connected to the Citrix ADC using https, so make sure you connect using http.
  2. On the left, expand Traffic Management, expand SSL, expand Certificates, and click Server Certificates.
  3. On the right, use the Install button to install the new management certificate, which can be .pfx format, or PEM format.

  4. In the menu, expand Traffic Management, expand Load Balancing, and click Services.
  5. On the right, switch to the tab named Internal Services.
  6. Right-click one of the services, and click Edit.
  7. Scroll down to the Certificate section and click where it says 1 Server Certificate.
  8. Click the button named Add Binding.
  9. In the Select Server Certificate field, click where it says Click to select.
  10. Click the small circle next to the new management certificate and then click the blue Select button at the top of the page.
  11. Click Bind.
  12. Click Close.
  13. If Default SSL Profile is not enabled, then you can modify the SSL Parameters and/or Ciphers on each of these Internal Services to disable SSLv3 and bind stronger ciphers.

  14. Repeat for each of the rest of the internal services. There should be at least 6 services. Additional Internal Services are created for SNIPs that have management access enabled.

Force Management SSL

By default, administrators can connect to the NSIP using HTTP or SSL. This section details how to disable HTTP.

  1. Connect to the NSIP using https.
  2. On the left, expand System, expand Network, and click IPs.
  3. On the right, right-click your NetScaler IP, and click Edit.
  4. Near the bottom, check the box next to Secure access only, and then click OK.

    set ns ip 10.2.2.126 -gui SECUREONLY
  5. Repeat this procedure on the secondary appliance.
  6. Repeat for any SNIPs that have management access enabled.

Also see:

SSL Certificate – Update

There are two options for updating a certificate:

  • Create or Import a new certificate to Citrix ADC > Traffic Management > SSL > Certificates > Server Certificates. Then find all of the places the original certificate is bound, and manually replace the original certificate binding with the new certificate. This method is obviously prone to errors.
    • You can right-click a certificate and click Show Bindings to see where the certificate is being used.
  • On Citrix ADC, simply right-click the existing certificate, and click Update. This automatically updates all of the bindings. Much faster and easier.

To update a certificate using the Update method:

  1. Create an updated certificate, and export it as .pfx file (with private key). Don’t install the certificate onto Citrix ADC yet, but instead, simply have access to the .pfx file.
  2. In Citrix ADC, navigate to Traffic Management > SSL > Certificates > Server Certificates.
  3. On the right, right-click the certificate you intend to update, and click Update.
  4. Check the box next to Update the certificate and key.
  5. Click Choose File > Local, and browse to the updated .pfx file.
  6. For Key File Name, browse to the same .pfx file.
  7. Enter the .pfx file password.
  8. Click OK. This will automatically update every Virtual Server on which this certificate is bound.
  9. Click OK when told that cert links were broken.
  10. Intermediate certificate – After replacing the certificate, you might have to update the cert link to a new Intermediate certificate.
    1. Right-click the updated certificate, and click Cert Links, to see if it is currently linked to an intermediate certificate.
    2. If not, right-click the updated certificate, and click Link, to link it to an intermediate certificate. If it doesn’t give you an option to link it to, then you’ll first have to install the new intermediate certificate on the Citrix ADC.

Certificates can also be updated in Citrix Application Delivery Management (ADM).

Certificates can be updated from the CLI by running update ssl certKey MyCert. However, the certificate files must be stored somewhere on the appliance, and already be in PEM format.

Next Steps

5 thoughts on “Certificates – Citrix ADC 13”

  1. Hi Carl,

    I too tried to import a .pfx file but I still get the key-section in the GUI. I could convert the PFX to PEM and had to extract the key manually to install the certificate (ADC 13.0.41.20.nc). It seems to work this way but way from easy.
    Regards, Stefan

  2. Hi

    trying to install .pfx in server certificates on ADC 13 but the browser spinning and finally nothing installed. (I had tried edge,mozilla, IE)

    Also from CLI after the cert uploaded with WinCSP the commande add cert key didn’t recognize the password field.

    Is something changed on ADC 13 about this? On many previous version I used the same procedure with success

Leave a Reply