
HowTo - NetScaler - Install Certificate

Author
John Billekens
Technical Consultant | End User Computing


In this how-to article I will explain how to install a new certificate on a Citrix NetScaler. Certificates are an important part of a secure connection from a client to a server.

This article assumes you already have a valid certificate (pfx without the root and intermediate) available, with its matching password. You can also follow this article to export a certificate with private key to a pfx file from a Windows machine.

First, log in to the NetScaler with enough permissions to install the certificate.

Log in the NetScaler

Next browse to “Traffic Management” (1) / “SSL” (2) / “Certificates” (3) / “All Certificates” (4)

Next click on “Install” to add the new certificate.

Navigate to SSL Certificates

To select the certificate, click on the down “˅” symbol and select “Local”.

An Open dialog box will appear, where you can select the pfx file.

Add local pfx

Enter a name for your certificate in the “Certificate-Key Pair Name” field. 

I typically like to use the same name as the common name of the certificate. I don’t like to add dates or other extras, as these can be misleading the next time you update this certificate.

Select the “Certificate Format”, in this case “PEM”.

Enter the password for the pfx file. This password will be saved in the configuration. This way the NetScaler keeps the certificate in the pfx format.

You can leave the “Notify When Expires” option enabled. This will only work (notify you) when you have SNMP configured or use an ADM appliance or service.

Finally click “Install” to install the certificate.

Fill all fields

If all goes well, the certificate is added to the list.

Certificate installed

A certificate needs a chain (of trust). In most cases the root and sometimes the intermediate are already available on your client, but there are cases where they are not present. To make sure a full chain is available on the client, you can send the intermediate(s) and root to your client by configuring this on the NetScaler.

To make the chain available you first have to add the certificates to the NetScaler. Next you have to bind them together.

The process is basically the same as with the pfx; the only difference is that we don’t specify a key and password.

Enter a “Certificate-Key Pair Name”. As with the pfx, I like to use the Common Name of the intermediate or root.

Select the certificate file and select “Install”.

Install intermediate and root

Repeat the process for all intermediate certificate(s) and the root certificate.

When all certificates are added we can continue making the link between the intermediate(s) and root.

Select the certificate we added earlier as pfx file and at the end click on the “Link” button.

Enable link

You will be presented with an overview. If the certificate is not yet linked you see missing certificate symbols for the intermediate(s) and root.

Just click the “Link Certificates” button to complete the links.

Create link between certificates

When all goes well, you will see a full (green) line with certificate symbols under the intermediate and root certificate(s).

View linked certificates

And that’s it. You can now bind the certificate to your VIP.
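The link order shown in the overview (server certificate, then intermediate(s), then root) can be checked offline with openssl before anything is uploaded. The script below is an added example, not part of the original article: it orders PEM files by issuer/subject match plus signature check, then prints `link ssl certKey` lines using each certificate's Common Name as the pair name. The helper names and the three-tier test chain built by `make_demo_chain` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article: derive the link order from PEM files.
field() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"; }
cn() { field subject "$1" | sed 's/.*CN=\([^,]*\).*/\1/'; }

# issued_by CHILD PARENT: names match and PARENT's key really signed CHILD.
issued_by() {
  [ "$(field issuer "$1")" = "$(field subject "$2")" ] &&
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# link_order LEAF CANDIDATE...: print files leaf-to-root; fail if an issuer is missing.
link_order() (
  cur=$1; shift
  echo "$cur"
  until [ "$(field issuer "$cur")" = "$(field subject "$cur")" ]; do
    next=
    for c in "$@"; do
      if issued_by "$cur" "$c"; then next=$c; break; fi
    done
    [ -n "$next" ] || { echo "no issuer found for $cur" >&2; exit 1; }
    cur=$next
    echo "$cur"
  done
)

# link_commands LEAF CANDIDATE...: one CLI line per adjacent pair, named by CN.
link_commands() (
  order=$(link_order "$@") || exit 1
  prev=
  printf '%s\n' "$order" | while read -r f; do
    [ -z "$prev" ] || echo "link ssl certKey $(cn "$prev") $(cn "$f")"
    prev=$f
  done
)

# make_demo_chain DIR: constructed root -> intermediate -> leaf test chain.
make_demo_chain() (
  cd "$1" || exit 1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >ca.cnf
  csr() { openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
  sign() { n=$1 ca=$2; shift 2; openssl x509 -req -in "$n.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial -days 2 -out "$n.pem" "$@" 2>/dev/null; }
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.pem -subj /CN=Demo-Root-CA -days 2 2>/dev/null &&
    csr int Demo-Intermediate-CA && sign int root -extfile ca.cnf -extensions ca &&
    csr leaf www.example.test && sign leaf int
)

d=$(mktemp -d) && make_demo_chain "$d" &&
  link_commands "$d/leaf.pem" "$d/root.pem" "$d/int.pem"
```

If an intermediate is left out of the candidate list, `link_order` stops with "no issuer found", which corresponds to the missing certificate symbol in the link overview.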

 

 
