This tutorial provides step by step instructions on how to generate a CSR Code and install an SSL Certificate on NetScaler. You will also learn a few interesting facts about NetScaler’s, as well as discover the best place to shop for SSL certificates.

How to generate a CSR code in NetScaler?
How to install an SSL Certificate in NetScaler?
Test your NetScaler SSL installation
NetScaler history and versions
Where to buy an SSL Certificate for NetScaler?

How to generate a CSR code in NetScaler?

The CSR (Certificate Signing Request) code contains your contact data in a block of encoded text that you need to submit to your CA (Certificate Authority) as part of SSL validation.

In NetScaler, you must first create an RSA key (private key) and then generate your CSR request.

Create an RSA Key in NetScaler

  1. Log into your NetScaler account
  2. From the top menu, select the Configuration tab, then in the right side tree menu expand Traffic Manager and click SSL
  3. On the main page, navigate to SS Keys and click on Create RSA Key
  4. In the Create RSA Key window, provide the information as shown below:
    • Key Filename*: enter a name for your RSA file. (e.g., key)
    • Key Size(bits)*: the industry standard size is 2048-bit
    • Public Exponent Value: from the drop-down list, select 3, the default value
    • Key Format*: from the drop-down list, select the PEM format
    • PEM Encoding Algorithm: this field is optional. If you leave it blank, you won’t need to submit and confirm a Passphrase in the following fields
    • PEM passphrase: if you’ve selected a DES or DES3 PEM encoding algorithm in the field above, please create a password for your RSA Key
    • Confirm PEM Passphrase: re-enter your password. If you left the PEM Encoding Algorithm field blank, skip this field.
  5. Double check the info you’ve just entered and click OK and then Close.

Create a CSR code in NetScaler

  1. After creating your RSA private key, return to the Netscaler console, and go again to Configuration > Traffic Management > SSL
  2. On the main page locate SSL Certificates and click on Create CSR (Certificate Signing Request)
  3. A new window will open. Please fill in the information as shown below:
    • Request File Name*: enter a name for your CSR file (e.g., csr)
    • Key File Name*: from the Browse drop-down list, select Appliance, then click Browse to locate the RSA key file (key) you’ve just created in the previous steps. Click Select, then Open
    • Key Format: check the PEM option button
    • PEM Passphrase (For Encrypted Key): if your RSA key has a password, enter it here; otherwise, skip this field
  4. Next, complete the Distinguished Name Fields:
    • Country*: from the drop-down list, pick the country where your company is registered
    • Organization Name*: specify your company’s official name. For example, Your Company, Inc.)
    • Email Address: provide a valid email address
    • Common Name: enter the FQDN (fully qualified domain name) that you want to secure with an SSL Certificate. For example,

      Note: If you have a wildcard certificate, include an asterisk in front of the domain name (e.g., *

    • State or Province: write the full name of the state where your company is registered
    • City: enter the full name of the city where your company is located
    • Organization Unit: enter the department in charge of your SSL Certificate. For example, IT or Web Administration
    • Challenge Password: create a password and write it down, you will need it during the SSL installation
    • Company Name: enter your company name, or leave this field blank
  5. Double check the info you’ve just provided and click OK then Close
  6. In the NetScaler console, return to Configuration > Traffic Management > SSL
  7. On the main page, under Tools, select Manage Certificates/Keys/CSRs
  8. In the newly opened window find yoursitenae.csr file and click View
  9. Copy the content of your CSR file, including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– tags, and past it into your SSL Certificate order form
  10. Wait for CA to approve and sign your certificate. Once you’ve received the SSL files on your inbox, you can continue with the installation.

How to install an SSL Certificate on NetScaler?

To activate the SSL encryption on NetScaler, first, you have to install the certificate, and then bind it to your virtual server.

Prepare your SSL certificate files

Download the ZIP archive folder that your CA sent you, and extract your primary (.crt file)  and intermediate certificates (.ca-bundle file).  You will have to upload the intermediate certificate as a separate file and then link your SSL Certificate to it.

Install your SSL certificate

  1. Log into your NetScaler account
  2. Navigate to Configuration, expand Traffic Management and select SSL
  3. On the main page, under Tools, click Manage Certificate/Keys/CSRs
  4. In the new window, click Upload, and import your primary certificate (the .crt file) and the certificate chain or CA Bundle (the .ca-bundle file).
  5. Return to the Configuration tab in the NetScaler Console, and go to Traffic Management > SSL > Certificate
  6. On the main page, click the Install button
  7. In the Install Certificate window provide the following details:
    • Certificate-Key Pair Name: enter a name for your SSL certificate
    • Certificate File Name: click Browse and choose the .crt file you just uploaded.
    • Key File Name: click Browse to locate your RSA key file (.key) that was generated along with the CSR code.
    • Certificate Format: check the PEM option button
    • Password – leave this field blank if no passphrase was assigned to the Private Key during its generation.
    • Certificate Bundle: do not check this box as you’ll install the bundle separately
    • Notify When Expires: enable this feature to receive notifications when your SSL Certificate is close to the expiry date
    • Notification Period: specify how many days in advance before the certificate expires you want to be notified
  8. Click Install. Now it’s time to upload the CA Bundle.

Install the CA Bundle

  • Go back to Configuration > Traffic Management > SSL > Certificates and click Install.
  • Fill just the following two fields:
    • Certificate-Key Pair Name – enter a name for your intermediate (CA Bundle) certificate.
    • Certificate File Name – click Browse and select the .ca-bundle file you uploaded along with the end-entity certificate (the .crt file) before.

Note: If you receive the following error message: Resource already exists {certkeyName Contents, Intermediate], it means that the CA Bundle is already installed on the server. You can ignore this message and continue with the SSL configuration.

After the intermediate certificate is installed, you can find it in the certificate list of the Certificates section of the SSL tree menu.

Next, you need to link your primary SSL certificate and the CA Bundle.

  1. On the Link Server Certificates page, locate the name of the CA Bundle file in the CA Certificate Name section.
  2. Click OK to connect the primary certificate to the CA Bundle.

Now, all that’s left is to bind your SSL certificate with the Virtual host for successful configuration.

Bind your SSL Certificate to a Virtual Server

  1. In the NetScaler Console, click on the Configuration tab, then expand NetScaler Gateway and click Virtual Servers
  2. Next, on the main page, choose your website from the list of servers and click Edit.
  3. Now, click on Server Certificate to configure binding for the uploaded SSL.
  4. On the pop-up page, click Add Binding. If an old SSL certificate is already bound to the virtual server, you will receive a confirmation to unbind the previous cert. Click yes and continue with the configuration.
  5. On the Add Binding section, click on the Select Server Certificate field and select the newly installed SSL
  6. Click Bind to complete the SSL configuration on Citrix NetScaler VPX.

Congratulations, now you know how to install an SSL Certificate on NetScaler.

Test your NetScaler SSL Installation

After you install an SSL Certificate on NetScaler, it’s important to check your configuration for potential errors or vulnerabilities. You can do this efficiently with the help of high-end SSL tools. Pick software from the linked article, to get instant scans and reports on your SSL Certificate.

NetScaler history and versions

Citrix NetScaler Gateway is a secure application access solution that offers administrators application-level control, enabling users to access the application from anywhere.

Citrix NetScaler Gateway is part of Citrix Systems, Inc large portfolio, an American multinational software company specializing in cloud computing and computer software.

Citrix has purchased several companies including ExpertCity in 2004, NetScaler in 2005, SherFile in 2011, and Sapho in 2018.

Below you’ll find all the major NetScaler Gateway versions:

  • NetScaler Gateway 12
  • NetScaler Gateway 11
  • NetScaler Gateway 10.5
  • NetScaler Gateway 10.1

Where to buy an SSL Certificate for NetScaler?

The best place to get an SSL Certificate for NetScaler is from SSL Dragon. We offer great prices and discounts on the entire range of our SSL products. We’ve carefully selected the best SSL brands on the market to ensure bulletproof protection. All our SSL certificates are compatible with NetScaler. Here are the types of SSL certificates we sell:

To help you choose the perfect SSL certificate, we developed two exclusive SSL tools. Our SSL Wizard needs just a couple of seconds to find the best SSL deal for your website. On the other hand, the Advanced Certificate Filter lets you sort and compare various SSL certificates by price, validation, and features.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.