This tutorial shows you how to install an SSL certificate on NetScaler step by step: install the certificate, install and link the intermediate (CA bundle), and bind the certificate to your SSL virtual server.
Note on the name: the product was called NetScaler, rebranded to Citrix ADC in 2018, then renamed back to NetScaler in 2022 under Cloud Software Group. You may still see “Citrix ADC” in older builds and menus, but the steps below are identical for both.
How to generate a CSR code in NetScaler
The CSR (Certificate Signing Request) is a block of encoded text that holds your contact details. You submit it to your Certificate Authority (CA) as part of SSL validation. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR in NetScaler.
Copy the full contents of your CSR file, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, and paste it into your SSL certificate order form. Wait for the CA to validate and issue your certificate. Once the SSL files arrive in your inbox, continue with the installation.
How to install an SSL certificate on NetScaler
To enable SSL on NetScaler you first install the certificate and its intermediate, link them, and then bind the certificate to your virtual server. Work through the steps in order.
Step 1: Prepare your SSL certificate files
Download the ZIP archive your CA sent you and extract it. You should have:
- yourdomain.crt, your primary (end-entity) SSL certificate.
- yourdomain.ca-bundle, the intermediate certificates (the CA bundle).
- yourdomain.key, the private key generated with your CSR.
On NetScaler you upload the intermediate certificate as a separate file and link your primary certificate to it, so keep the two files distinct rather than merging them.
Step 2: Upload the files and install your SSL certificate
- Log in to your NetScaler management console.
- Go to Configuration, expand Traffic Management, and select SSL.
- On the SSL page, under Tools, click Manage Certificates / Keys / CSRs.
- In the file manager, click Upload and import your primary certificate (the .crt file) and the CA bundle (the .ca-bundle file). Upload your private key (.key) here too if it is not already on the appliance.
- Return to Configuration and go to Traffic Management > SSL > Certificates > Server Certificates.
- Click the Install button.
In the Install Server Certificate window, provide the following:
- Certificate-Key Pair Name: a friendly name for this certificate.
- Certificate File Name: click Browse and choose the .crt file you uploaded.
- Key File Name: click Browse and select the private key (.key) generated with the CSR.
- Certificate Format: select PEM.
- Password: leave blank if no passphrase was set on the private key during generation.
- Certificate Bundle: leave this unchecked, since you install the bundle separately in the next step.
- Notify When Expires: enable this to get a reminder before the certificate expires.
- Notification Period: set how many days in advance you want the reminder.
Click Install. Next, install the CA bundle.
Step 3: Install the CA bundle (intermediate)
Go to Traffic Management > SSL > Certificates > CA Certificates and click Install. Fill in only these two fields:
- Certificate-Key Pair Name: a name for the intermediate (CA bundle) certificate.
- Certificate File Name: click Browse and select the .ca-bundle file you uploaded alongside the .crt file.
Click Install.
Note: if you see an error such as “Resource already exists [certkeyName, Contents, Intermediate]”, the CA bundle is already on the appliance. You can ignore the message and continue. Once installed, the intermediate appears in the certificate list under the Certificates section of the SSL menu.
Step 4: Link your SSL certificate to the CA bundle
Linking tells NetScaler to serve the intermediate alongside your certificate so clients can build a complete chain of trust. Skipping this step is the most common cause of “incomplete chain” warnings.
- Go to Traffic Management > SSL > Certificates > Server Certificates and select your primary certificate.
- Open the Action (or Select Action) menu and choose Link.
- On the Link Server Certificate page, in the CA Certificate Name field, select the intermediate (CA bundle) you installed in Step 3.
- Click OK to link the primary certificate to the CA bundle.
On NetScaler 13.0 and later, you can instead click the Link button on the server certificate to auto-link the whole chain when the intermediate and root are already present on the appliance.
Step 5: Bind your SSL certificate to a virtual server
Binding attaches the certificate-key pair to the virtual server that handles HTTPS traffic. This is the step that makes NetScaler actually present the certificate to visitors. For a standard SSL offload setup:
- Go to Traffic Management > Load Balancing > Virtual Servers.
- Select your SSL-type virtual server and click Edit.
- In the Certificates section, click No Server Certificate (or Server Certificate if one is already bound).
- Click Add Binding, then Click to select, choose your newly installed certificate, and click Select. If an old certificate is already bound, confirm the prompt to replace it.
- Click Bind, then Done to finish.
If you run a NetScaler Gateway deployment, bind the certificate to the gateway vServer instead: NetScaler Gateway > Virtual Servers, select your server, click Edit, then bind under Server Certificate the same way.
Congratulations, your SSL certificate is now installed and serving on NetScaler.
Install and bind from the CLI (optional)
If you prefer the command line, connect over SSH (after uploading the files to /nsconfig/ssl/) and run the equivalent commands. Replace the names and file paths with your own:
add ssl certKey yourdomain-cert -cert yourdomain.crt -key yourdomain.key
add ssl certKey yourdomain-ca -cert yourdomain.ca-bundle
link ssl certKey yourdomain-cert yourdomain-ca
bind ssl vserver your_vserver -certkeyName yourdomain-cert
save ns config
Test your NetScaler SSL installation
After installing the certificate, check the configuration for errors or chain problems. Our SSL Checker gives you an instant scan and report on the certificate your server presents, including whether the intermediate is served correctly.
Frequently asked questions
Yes. The product was originally named NetScaler, rebranded to Citrix ADC in 2018, then renamed back to NetScaler in 2022 under Cloud Software Group. Some firmware builds and menus still display “Citrix ADC”, but the SSL installation steps are the same.
In the GUI, go to Traffic Management > SSL > Certificates > Server Certificates and click Install to create a certificate-key pair. Install the intermediate under CA Certificates, link the two, then bind the certificate-key pair to your SSL virtual server.
Yes. Install the CA bundle as a separate certificate, then link it to your primary certificate (select the certificate, then Action > Link). Without the link, NetScaler serves an incomplete chain and some clients show trust warnings.
Installing the certificate is not enough on its own. You also have to bind the certificate-key pair to the virtual server that handles HTTPS, under Traffic Management > Load Balancing > Virtual Servers (or NetScaler Gateway > Virtual Servers for a gateway). Binding is what makes NetScaler present the certificate to visitors.
Yes. Upload the files to /nsconfig/ssl/, then use add ssl certKey to install the certificate and intermediate, link ssl certKey to link them, and bind ssl vserver to bind the certificate to your virtual server. Run save ns config to persist the changes.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


