
How to install an SSL Certificate on NetScaler?

Thursday, February 28th, 2019

This tutorial provides step-by-step instructions on how to generate a CSR code and install an SSL Certificate on NetScaler. You will also learn a few interesting facts about NetScaler, as well as discover the best place to shop for SSL certificates.

Note: This guide uses Citrix NetScaler 10.1 VPX (50) for demonstration purposes. Depending on your version of NetScaler, you may need to adjust these instructions accordingly.

How to generate a CSR code in NetScaler?
How to install an SSL Certificate in NetScaler?
Test your NetScaler SSL installation
NetScaler history and versions
Where to buy an SSL Certificate for NetScaler?

How to generate a CSR code in NetScaler?

The CSR (Certificate Signing Request) code contains your contact data in a block of encoded text that you need to submit to your CA (Certificate Authority) as part of SSL validation.

In NetScaler, you must first create an RSA key (private key) and then generate your CSR request.

Create an RSA Key in NetScaler

  1. Log into your NetScaler account
  2. From the top menu, select the Configuration tab, then in the right side tree menu expand Traffic Management and click SSL
  3. On the main page, navigate to SSL Keys and click on Create RSA Key
  4. In the Create RSA Key window, provide the information as shown below:
    • Key Filename*: enter a name for your RSA file. (e.g., key)
    • Key Size(bits)*: the industry standard size is 2048-bit
    • Public Exponent Value: from the drop-down list, select 3, the default value
    • Key Format*: from the drop-down list, select the PEM format
    • PEM Encoding Algorithm: this field is optional. If you leave it blank, you won’t need to submit and confirm a Passphrase in the following fields
    • PEM passphrase: if you’ve selected a DES or DES3 PEM encoding algorithm in the field above, please create a password for your RSA Key
    • Confirm PEM Passphrase: re-enter your password. If you left the PEM Encoding Algorithm field blank, skip this field.
  5. Double check the info you’ve just entered and click OK and then Close.

Create a CSR code in NetScaler

  1. After creating your RSA private key, return to the NetScaler console, and go again to Configuration > Traffic Management > SSL
  2. On the main page locate SSL Certificates and click on Create CSR (Certificate Signing Request)
  3. A new window will open. Please fill in the information as shown below:
    • Request File Name*: enter a name for your CSR file (e.g., csr)
    • Key File Name*: from the Browse drop-down list, select Appliance, then click Browse to locate the RSA key file (key) you’ve just created in the previous steps. Click Select, then Open
    • Key Format: check the PEM option button
    • PEM Passphrase (For Encrypted Key): if your RSA key has a password, enter it here; otherwise, skip this field
  4. Next, complete the Distinguished Name Fields:
    • Country*: from the drop-down list, pick the country where your company is registered
    • Organization Name*: specify your company’s official name (for example, Your Company, Inc.)
    • Email Address: provide a valid email address
    • Common Name: enter the FQDN (fully qualified domain name) that you want to secure with an SSL Certificate. For example, yoursite.com

      Note: If you have a wildcard certificate, include an asterisk in front of the domain name (e.g., *.yoursite.com)

    • State or Province: write the full name of the state where your company is registered
    • City: enter the full name of the city where your company is located
    • Organization Unit: enter the department in charge of your SSL Certificate. For example, IT or Web Administration
    • Challenge Password: create a password and write it down; you will need it during the SSL installation
    • Company Name: enter your company name, or leave this field blank
  5. Double check the info you’ve just provided and click OK then Close
  6. In the NetScaler console, return to Configuration > Traffic Management > SSL
  7. On the main page, under Tools, select Manage Certificates/Keys/CSRs
  8. In the newly opened window, find the yoursitename.csr file and click View
  9. Copy the content of your CSR file, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into your SSL Certificate order form
  10. Wait for the CA to approve and sign your certificate. Once you’ve received the SSL files in your inbox, you can continue with the installation.
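
Before pasting the CSR from step 9 into the order form, it can be inspected with OpenSSL on any workstation. The script below is an added example, not part of the original tutorial: it checks the CSR's self-signature, Common Name and key size, and reports the public exponent. The file names key and csr follow the examples above, and the sample CSR is constructed locally.

```shell
#!/bin/sh
# Added example: inspect a CSR before pasting it into the order form.
# The CSR generated at the bottom is constructed sample input.

# Print "CN|key bits|public exponent" for a PEM-encoded CSR.
csr_summary() {
  cn=$(openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
       sed -n 's/^ *commonName *= //p' | head -n 1)
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  exp=$(printf '%s\n' "$text" | sed -n 's/^ *Exponent: \([0-9]*\) .*/\1/p')
  printf '%s|%s|%s\n' "$cn" "$bits" "$exp"
}

# True when the CSR's self-signature verifies, its Common Name equals the
# expected FQDN and the RSA key is at least MIN_BITS long.
csr_ok() {  # FILE EXPECTED_CN MIN_BITS
  # Match the message rather than the exit status, which some openssl
  # versions leave at 0 even when verification fails.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  IFS='|' read -r cn bits exp <<EOF
$(csr_summary "$1")
EOF
  [ "$cn" = "$2" ] && [ "${bits:-0}" -ge "$3" ]
}

# Constructed sample: a throwaway key and CSR for yoursite.com.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl req -new -newkey rsa:2048 -nodes -keyout "$demo/key" -out "$demo/csr" \
  -subj '/C=US/O=Your Company, Inc./CN=yoursite.com' 2>/dev/null

csr_summary "$demo/csr"
csr_ok "$demo/csr" yoursite.com 2048 && echo "CSR ready to submit"
csr_ok "$demo/csr" www.yoursite.com 2048 || echo "CN mismatch: fix before ordering"
```

For a wildcard request, pass the expected name in quotes, for example `csr_ok csr '*.yoursite.com' 2048`.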

How to install an SSL Certificate on NetScaler?

To activate the SSL encryption on NetScaler, first you have to install the certificate, and then bind it to your virtual server.

Prepare your SSL certificate files

Download the ZIP Archive folder that your CA sent you, and extract your primary and intermediate certificates. Depending on your SSL provider, you may have a single file in .pem format containing both the primary and intermediate certificates, or two separate files: your SSL Certificate, and the CA Bundle.

If you’ve received two separate SSL files, you will have to upload the intermediate certificate as a separate file and then link your SSL Certificate to it.

During the installation, you may receive an error, or a feature may not be available:

  • The “Not sending intermediate certificate” error, which you can avoid by installing the intermediate certificate as a separate file and linking your SSL certificate to it
  • No Certificate Bundle feature; refer to the Install the Intermediate Certificate section
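
The files can be checked before upload so that a mismatched key or a missing intermediate is caught early. The script below is an added example, not part of the original tutorial: it counts the certificates in a PEM file, confirms the certificate matches the RSA key, and verifies that the chain is complete. The throwaway root, intermediate and leaf it builds are constructed test material; with real files, pass your CA's root certificate as the first argument to `chain_ok`.

```shell
#!/bin/sh
# Added example: checks to run on the CA's files before uploading them.
# The PKI built below is constructed test material, not real certificates.

# Number of certificates in a PEM file (1 = leaf only, 2+ = combined file).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# True when the first certificate in CERT carries the public key of KEY,
# i.e. it was issued for the RSA key created on the appliance.
key_matches_cert() {  # CERT KEY (an encrypted KEY prompts for its passphrase)
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the first certificate in LEAF chains to ROOT using only the
# intermediates in CHAIN (a CA bundle, or the combined file itself).
chain_ok() {  # ROOT CHAIN LEAF
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_demo_pki() {
  d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root ic leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/ic.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/ic.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ic.pem" -CAkey "$d/ic.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/ic.pem" > "$d/combined.pem"
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
echo "certificates in combined file: $(count_certs "$demo/combined.pem")"
key_matches_cert "$demo/combined.pem" "$demo/leaf.key" && echo "key matches certificate"
chain_ok "$demo/root.pem" "$demo/combined.pem" "$demo/combined.pem" \
  && echo "combined file: chain complete"
chain_ok "$demo/root.pem" "$demo/leaf.pem" "$demo/leaf.pem" \
  || echo "leaf alone: intermediate missing, install and link it separately"
```

A count of 1 together with a failing `chain_ok` is the two-file case described above, where the intermediate has to be uploaded and linked on its own.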

Combined primary and intermediate certificate file

  1. Log into your NetScaler account
  2. Navigate to Configuration, expand Traffic Management and select SSL
  3. On the main page, under Tools, click Manage Certificate/Keys/CSRs
  4. In the new window, click Upload, and import your SSL Certificate .pem file (e.g., yoursitename_com.pem)
  5. Return to the Configuration tab in the NetScaler Console, and go to Traffic Management > SSL > Certificate
  6. On the main page, click the Install button
  7. In the Install Certificate window provide the following details:
    • Certificate-Key Pair Name*: enter a name for your SSL certificate
    • Certificate File Name*: from the Browse drop-down list choose Appliance and click Browse to select your SSL Certificate (pem). Click Select, then Open
    • Key File Name*: from the Browse drop-down list choose Appliance, and click Browse to locate your RSA key file (key). Click Select, then Open.
    • Certificate Format: check the PEM option button
    • Certificate Bundle: check this box

      Note: If you don’t have the Certificate Bundle feature, continue installing the SSL Certificate, then follow the instructions in the Install the Intermediate Certificate section.

    • Notify When Expires: enable this feature to receive notifications when your SSL Certificate is close to the expiry date
    • Notification Period: specify how many days in advance before the certificate expires you want to be notified
  8. Click Create and then Close
  9. Go to Configuration > Traffic Management > SSL > Certificates and check your SSL Certificates. You should have your primary cert (yoursitename) and intermediate certificate (yoursitename_ic1). If you see only your SSL Certificate (yoursitename) don’t worry. We show you how to add the intermediate certificate in a later section.

Check if your SSL and Intermediate Certificate are linked

  1. In NetScaler, on Configuration > Traffic Management > SSL > Certificates, select your primary SSL Certificate (e.g., yoursitename)
  2. From the Action drop-down list, choose Cert Links
  3. In the new SSL Certificate Links window, you should find your primary cert listed under Certificate Name, and the intermediate certificate, with the _ic1 suffix, listed under CA Certificate Name.

Bind your SSL Certificate to a Virtual Server

  1. In the NetScaler Console, click the Configuration tab, then expand NetScaler Gateway and click Virtual Servers
  2. Next, on the main page, choose the virtual server to which you want to bind your SSL Certificate and hit Open
  3. In the new window click the Certificates tab, and in the right side Available section, select your primary SSL Certificate and press Add
  4. In the left side Configure section, select the old certificate and click Remove to delete it, then hit OK.

On the NetScaler Gateway Virtual Servers page, hover your mouse on the upper right corner and click the save icon (It looks like a floppy disk).

Congratulations, now you know how to install an SSL Certificate on NetScaler.

Install the Intermediate Certificate

If you’ve received your primary and intermediate SSL certificates in a single, combined file, skip this section, and start testing your SSL installation.

  1. Access your NetScaler device console
  2. Go to Configuration > Traffic Management > SSL
  3. Under Tools, select Manage Certificates/Keys/CSRs
  4. In the new window, click Upload to import the intermediate SSL Certificate
  5. Return to Configuration > Traffic Management > SSL and click Certificates
  6. On the new page, click Install and provide the following info:
    • Certificate-Key Pair Name*: type the name of your intermediate certificate file
    • Key File Name: leave this field blank
    • Certificate Format: choose PEM format
    • Password: leave this field blank
    • Certificate Bundle: if you see this option, don’t check this box
    • Notify When Expires: don’t check this box
  7. Click Create, then Close.

Link your primary SSL Certificate to the Intermediate Certificate

  1. On NetScaler, go to Configuration > Traffic Management > SSL > Certificates
  2. Select your primary SSL Certificate, and from the Actions drop-down list, select Link
  3. A new window will pop up. From the CA Certificate Name drop-down list, select your intermediate certificate and click OK
  4. You’ve successfully linked your primary certificate to its intermediate. To bind your SSL Certificate to the virtual server, refer to the Bind your SSL Certificate to a Virtual Server section.

Test your NetScaler SSL Installation

After you install an SSL Certificate on NetScaler, it’s important to check your configuration for potential errors or vulnerabilities. You can do this efficiently with the help of high-end SSL tools. Pick software from the linked article to get instant scans and reports on your SSL Certificate.

NetScaler history and versions

Citrix NetScaler Gateway is a secure application access solution that offers administrators application-level control, enabling users to access the application from anywhere.

Citrix NetScaler Gateway is part of the large portfolio of Citrix Systems, Inc., an American multinational software company specializing in cloud computing and computer software.

Citrix has purchased several companies including ExpertCity in 2004, NetScaler in 2005, ShareFile in 2011, and Sapho in 2018.

Below you’ll find all the major NetScaler Gateway versions:

  • NetScaler Gateway 12
  • NetScaler Gateway 11
  • NetScaler Gateway 10.5
  • NetScaler Gateway 10.1

Where to buy an SSL Certificate for NetScaler?

The best place to get an SSL Certificate for NetScaler is from SSL Dragon. We offer great prices and discounts on the entire range of our SSL products. We’ve carefully selected the best SSL brands on the market to ensure bulletproof protection. All our SSL certificates are compatible with NetScaler. Here are the types of SSL certificates we sell:

To help you choose the perfect SSL certificate, we developed two exclusive SSL tools. Our SSL Wizard needs just a couple of seconds to find the best SSL deal for your website. On the other hand, the Advanced Certificate Filter lets you sort and compare various SSL certificates by price, validation, and features.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.