NetScaler: Create CSR & Install SSL Certificate (DigiCert Utility)

If you are looking for a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL Certificates, we recommend that you use the DigiCert® Certificate Utility for Windows. For more information about our utility, see DigiCert® Certificate Utility for Windows.

If you have a Microsoft server or workstation, you can use the DigiCert Certificate Utility to create your CSR and private key. Then after ordering and receiving your SSL Certificate, you use this same utility to import the certificate files to the computer from which you generated the CSR, and then export them as Apache format certificate files.

Next, you use your Citrix NetScaler device interface to upload and install your SSL Certificate, private key, and Intermediate Certificate. Finally, you need use your Citrix NetScaler device interface to bind your SSL Certificate to a virtual server.

If you prefer not to use the DigiCert Utility or for some reason cannot use the utility, see Citrix NetScaler VPX: Create CSR and Install SSL Certificate.

Use these instructions to create your CSR (certificate signing request) and then, to install your SSL and intermediate certificates.

  1. To create your CSR, see Citrix NetScaler VPX: Creating Your CSR with the DigiCert Utility.

  2. To install your SSL Certificate, see Citrix NetScaler VPX: Using the DigiCert Utility & NetScaler to Install Your SSL Certificate.

These instructions were created using the DigiCert® Certificate Utility for Windows and Citrix NetScaler 10.1 VPX (50). Depending on which version of Citrix NetScaler VPX you are using, you may need to modify the NetScaler parts of these instructions accordingly. For example, in these instructions, the SSL node is a sublevel node to the top level Traffic Management node. In some situations, the SSL node is a top level node.

NetScaler VPX Create RSA Key

These instructions may be applicable to the following versions of Citrix NetScaler VPX (10, 50, 200, 1000, and 3000):

  • Citrix NetScaler 10.5+ VPX
  • Citrix NetScaler 10.1+ VPX
  • Citrix NetScaler 10.0+ VPX
  • Citrix NetScaler 9.3+ VPX
 

1. Citrix NetScaler VPX: Creating Your CSR with the DigiCert Utility

The DigiCert® Certificate Utility for Windows streamlines the Citrix NetScaler CSR creation process. Because the utility lets you create the RSA key (private key) during the same process used to create your CSR, you can generate the RSA Key (private key) and the CSR with one click.

NetScaler: How to Create Your CSR Using the DigiCert Certificate Utility

  1. On your Windows server or workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.

  4. On the Create CSR page, enter the following information:

    Certificate Type: Select SSL.
     
    Common Name: Type the name to be used to access the certificate. This name is usually the fully qualified domain name (FQDN).
      For example, www.yourdomain.com or yourdomain.com
     
    Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, type any SANs that you want to include.
      (i.e. www.example.com, www.example2.com, and www.example3.net)
     
    Organization: Type your company’s legally registered name (i.e. YourCompany, Inc.).
     
    Department: (Optional) Enter the department within your organization that you want to appear on the SSL Certificate.
     
    City: Type the city where your company is legally located.
     
    State: In the drop-down list, select the state where your company is legally located.
    If your company is located outside the USA, you can type the applicable name in the box.
     
    Country: In the drop-down list, select the country where your company is legally located.
     
    Key Size: In the drop-down list, select 2048.
     
    Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider,
      unless you have a specific cryptographic provider.

  5. When you are finished, click Generate.

  6. On DigiCert Certificate Utility for Windows® - Create CSR page, do one of the following, and then, click Close:

    Click Copy CSR. Copies the certificate contents to the clipboard.
    If you use this option, we recommend that you paste the CSR into a tool such as Notepad.
    If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
     
    Click Save to File. Saves the CSR as a .txt file to the Windows server or workstation.
      We recommend that you use this option.

  7. Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

    Note:    During your DigiCert SSL Certificate ordering process, make sure that you select Citrix (Other) when asked to Select Server Software. This option ensures that you receive all the required certificates for Citrix NetScaler Certificate Installation (Intermediate and SSL Certificates).

    Ready to Order Your Citrix NetScaler SSL Certificates

    Buy Now Learn More

  8. After you receive your SSL Certificate from DigiCert, you can install it.

 

2. Citrix NetScaler VPX: Using the DigiCert Utility & NetScaler to Install Your SSL Certificate

If you have not yet used the DigiCert Certificate Utility to create a CSR and ordered your certificate, see Citrix NetScaler VPX: Creating Your CSR with the DigiCert Utility.

After receiving your SSL Certificate, you need to install it on your NetScaler VPX device and then, you can bind it to your virtual server.

To install and configure your SSL Certificate, do the following:

  1. Use the DigiCert Utility to import your SSL Certificate to your Microsoft server or workstation.

    How to Import Your SSL Certificate Using the DigiCert Certificate Utility.

  2. Use the DigiCert Utility to export your SSL Certificate, along with its RSA key (private key), and the DigiCertCA Intermediate Certificate in an Apache compatible format.

    How to Export Your SSL Certificate Using the DigiCert Certificate Utility

  3. Install the SSL Certificate on your Citrix NetScaler VPX device.

    NetScaler VPX: How to Install Your SSL Certificate

  4. Bind your SSL Certificate to a virtual server.

    NetScaler VPX: How to Bind Your SSL Certificate to a Virtual Server

  5. (Optional) Delete the SSL Certificate from your server or personal computer.

    How to Remove the SSL Certificate from Your Server or Personal Computer

 

i. How to Import Your SSL Certificate Using the DigiCert Certificate Utility

  1. On the Windows server or workstation where you created the CSR, open the ZIP file containing your SSL Certificate and save the contents of the file (i.e. your_domain_name.cer) to the folder where you saved the DigiCert Utility executable (DigiCertUtil.exe).

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Import.

  4. In the Certificate Import wizard, click Browse to browse to the .cer (i.e. your_domain_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then, click Next.

  5. In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: netscaler.cert-digicert-expiration.date. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  6. To import the SSL Certificate to your server, click Finish.

    You should receive a message that the certificate was successfully imported.

  7. You should now see your SSL Certificate in the DigiCert Certificate Utility for Windows©, under SSL Certificates.

  8. You are now ready to export your SSL Certificate in the Apache format for installing on your Citrix NetScaler VPX device.

 

ii. How to Export Your SSL Certificate Using the DigiCert Certificate Utility

After importing your SSL Certificate to your Microsoft server or workstation, you use the DigiCert Certificate Utility to export your SSL Certificate, its RSA key (private key) and the DigiCertCA Intermediate Certificate in an Apache file format.

  1. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  2. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL Certificate that you want to export, and then, click Export Certificate.

  3. On the Certificate Export page, select Yes, export the private key, then select key file (Apache compatible format), and finally, click Next.

  4. Click to browse to the location where you want to save the .key and .crt files and then, click Save.

    Note:    The SSL Certificate and DigiCertCA Intermediate Certificate .crt files are .pem formatted; a .crt extension is used instead of the .pem.

  5. To export the SSL Certificate, private key, and intermediate certificate, click Finish.

    You should receive a message that the certificate was successfully exported.

  6. Open the folder where you saved your .key and .crt files and copy the following files to your Citrix NetScaler VPX device:

    Private Key: your_domain_com.key
    SSL Certificate: your_domain_com.crt
    Intermediate Certificate: DigiCertCA.crt

  7. You are now ready to install your SSL Certificate and its private key and the intermediate certificate to your Citrix NetScaler VPX device.

 

iii. NetScaler VPX: How to Install Your SSL Certificate

To install your SSL Certificate, you need to install your SSL Certificate, its private key, and the DigiCertCA Intermediate Certificate. Then, link your SSL Certificate to the DigiCertCA Intermediate Certificate.

  1. Log into your NetScaler device console.

  2. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management and then click SSL.

    NetScaler VPX Console 10.1

  3. On the NetScaler > Traffic Management > SSL page, under Tools, click Manage Certificates / Keys / CSRs.

  4. In the Manage Certificates / Keys / CSRs window, click Upload to locate, select, and upload the following files:

    SSL Certificate: your_domain_com.crt
    Private Key: your_domain_com.key
    Intermediate Certificate: DigiCertCA.crt

    NetScaler VPX Console 10.1

    5.  

    Install Your SSL Certificate and Private Key

  5. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management > SSL and then click Certificates.

    NetScaler VPX Console 10.1

  6. On the NetScaler > Traffic Management > SSL > SSL Certificates page, click Install.

  7. In the Install Certificate window, enter the following information:

    Certificate-Key Pair Name* Create a name for the certificate (i.e. Example).
     
    Certificate File Name* i. In the Browse drop-down list, select Appliance.
    ii. Click Browse to browse to and select your SSL Certificate file (i.e. /nsconfig/ssl/your_domain_com.crt).
    iii. Click Select and then click Open.
     
    Key File Name i. In the Browse drop-down list, select Appliance.
    ii. Click Browse to browse to and select your private key file (i.e. /nsconfig/ssl/your_domain_com.key).
    iii. Click Select and then click Open.
     
    Certificate Format Select PEM.
    The SSL Certificate .crt file is .pem formatted; a .crt extension is used instead of the .pem.
     
    Password N/A (leave blank)
     
    Certificate Bundle If you have this option, Do Not check it.
     
    Notify When Expires Select Enabled to be notified before your certificate expires.
     
    Notification Period Enter the number of days before the certificate expires that you want to be notified.
     

    NetScaler VPX Console 10.1

  8. When you are finished, click Create and then click Close.

  9. On the NetScaler > Traffic Management > SSL > SSL Certificates page, your SSL Certificate is added to the list of certificates.

    NetScaler VPX Console 10.1

    10.  

    Install the DigiCertCA Intermediate Certificate

  10. In the NetScaler console, on the Configuration tab, in the tree menu, expand Traffic Management > SSL and then click Certificates.

    NetScaler VPX Console 10.1

  11. On the NetScaler > Traffic Management > SSL > SSL Certificates page, click Install.

  12. In the Install Certificate window, enter the following information:

    Certificate-Key Pair Name* Type DigiCertCA.
     
    Certificate File Name* i. In the Browse drop-down list, select Appliance.
    ii. Click Browse to browse to and select the DigiCertCA.crt file (i.e. /nsconfig/ssl/DigiCertCA.crt).
    iii. Click Select and then click Open.
     
    Key File Name N/A (leave blank).
     
    Certificate Format Select PEM.
    The DigiCertCA.crt file is .pem formatted; a .crt extension is used instead of the .pem.
     
    Password N/A (leave blank)
     
    Certificate Bundle If you have this option, Do Not check it.
     
    Notify When Expires Do not check this box.
     

    NetScaler VPX Console 10.1

  13. When you are finished, click Create and then click Close.

  14. On the NetScaler > Traffic Management > SSL > SSL Certificates page, the DigiCertCA intermediate certificate is added to list of certificates.

    NetScaler VPX Console 10.1

    15.  

    Link Your SSL Certificate to the Intermediate Certificate

  15. On the NetScaler > Traffic Management > SSL > SSL Certificates page, select your SSL Certificate (i.e. Example) and then in the Actions drop-down list, select Link.

    NetScaler VPX Console 10.1

  16. In the Link Server Certificate(s) window, in the CA Certificate Name* drop-down list, select DigiCertCA and then, click OK.

    Your SSL Certificate is now linked to its intermediate certificate (DigiCertCA.crt).

    NetScaler VPX Console 10.1

  17. You are ready to bind your SSL Certificate to a virtual server.

    18.  

    Verify the SSL and Intermediate Certificates Are Linked

  18. On the NetScaler > Traffic Management > SSL > SSL Certificates page, select your SSL Certificate (i.e. Example).

    NetScaler VPX Console 10.1

  19. In the Actions drop-down list, select Cert Links.

  20. In the SSL Certificate Links window, the DigiCertCA certificate should be listed as the CA Certificate Name for your SSL Certificate (i.e. Certificate Name: Example and CA Certificate Name: DigiCertCA).

    NetScaler VPX SSL Certificates Links

 

iv. NetScaler VPX: How to Bind Your SSL Certificate to a Virtual Server

  1. In the NetScaler console, on the Configuration tab, in the tree menu, expand NetScaler Gateway and then click Virtual Servers.

    NetScaler VPX Console 10.1

  2. On the NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers page, select the virtual server to which you want to bind your certificate and then click Open.

  3. In the Configure NetScaler Gateway Virtual Server window, on the Certificates tab, in the Available section, select your SSL Certificate and then click Add.

    NetScaler VPX Configure NetScaler Gateway Virtual Server

  4. In the Configured section, select the old certificate (i.e. Test) used to configure the virtual server and click Remove.

  5. Click OK.

  6. On the NetScaler > NetScaler Gateway > NetScaler Gateway Virtual Servers page, in the upper right corner click the save symbol (diskette).

    NetScaler VPX Console 10.1

  7. You have successfully installed and configured your Citrix NetScaler SSL Certificate.

    8. Verifying Your Certificate is Configured Correctly

    To verify that you correctly configure the SSL Certificate, use https to visit your website.

Test Your Installation

If your website is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.

 

v. How to Remove the SSL Certificate from Your Server or Personal Computer

After you have successfully imported the SSL Certificate to the Citrix NetScaler VPX device, as a security precaution it is recommended that you delete the certificate from your server or workstation.

  1. Open the folder where you saved your .key and .cert files on your Microsoft server or workstation and Delete the following files:

    Private Key: your_domain_com.key
    SSL Certificate: your_domain_com.crt
    Intermediate Certificate: DigiCertCA.crt

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), right-click the SSL Certificate that you exported to your Citrix NetScaler VPX device, and then, click Delete Certificate.

  4. In the Confirm Delete – DigiCert Certificate Utility for Windows© window, click Yes.