{"id":1589,"date":"2016-12-06T07:08:00","date_gmt":"2016-12-06T07:08:00","guid":{"rendered":"http:\/\/neu.koetzingit.de\/netscaler-und-zertifikate-der-einfach-weg\/"},"modified":"2026-06-02T13:33:15","modified_gmt":"2026-06-02T13:33:15","slug":"netscaler-und-zertifikate-der-einfach-weg","status":"publish","type":"post","link":"https:\/\/www.koetzingit.de\/en\/netscaler-und-zertifikate-der-einfach-weg\/","title":{"rendered":"Netscaler and Certificates: The Easy Way"},"content":{"rendered":"

V<\/span>Many of my clients struggle when it comes to certificates, and I\u2019m just talking about the basics, not the entire PKI. On top of that, Citrix NetScaler is based on Linux, which seems to make things even more difficult. People also tend to overcomplicate things, which then makes it seem almost impossible. It should be normal to understand what you\u2019re doing (at least to some extent), but many just want a step-by-step guide they can follow.<\/p>\n

The above is my explanation of why many people have trouble with Netscaler and certificates. A detailed explanation of the \u201eeasy way\u201c won\u2019t make it look as simple as the step-by-step guide, but once you understand it, it will make the whole process even easier.<\/p>\n

I need to make certain assumptions and require some basic knowledge:\u00a0<\/p>\n

<\/p>\n

    \n
  1. You are primarily a Windows administrator (Linux isn't really your thing)<\/li>\n
  2. You know how to create a certificate request in Windows, for example, in IIS
    Request a server certificate using IIS<\/a>\u00a0(Use 2048-bit length)<\/li>\n
  3. You know how to export certificates using MMC\/IIS
    Export a server certificate using IIS<\/a>\u00a0(Use at least 5 characters for the password)<\/li>\n
  4. Basic Netscaler Knowledge<\/li>\n<\/ol>\n

    \u00a0<\/p>\n

    General Certificate Requirements<\/span><\/h3>\n

    For me, there are two key points when it comes to certificates:<\/p>\n

    A: Always the Fully Qualified Domain Names<\/strong> (FQDN)! such as ctx.dom.com Using the hostname or, worse yet, the IP address is a\u00a0NO WAY!<\/strong>
    B: Use of the current public-key standard with a bit length of 2048-bit<\/strong>.<\/p>\n

    You should know that a higher bit length provides greater security, but on the other hand, it drastically reduces compatibility with other clients, devices, etc. A few years ago, the standard was still 512 bits, but since no one uses Windows 95 or similar systems anymore, it was increased to 2048.
    For example: Citrix NetScaler VPX supports 4096-bit encryption for its own virtual servers but only 2048-bit encryption for back-end systems.\u00a0<\/p>\n

    \u00a0<\/p>\n

    Explanation of the Simple Path<\/span><\/h3>\n

    You can skip the explanation if you don't want to learn anything and scroll down to the step-by-step instructions.<\/p>\n

    Below, I will explain the process. It may seem difficult at first glance, but please take a minute to look at the images and understand the steps. I\u2019ll start from the point after the certificate has been exported as a PFX via IIS or MMC. If you don\u2019t know how to do that, go back to requirements 2 and 3.<\/p>\n

    The process is divided into two parts; the second part is often overlooked but absolutely must be done!\u00a0<\/p>\n

    \u00a0<\/p>\n

    Part One \u2013 The Certificate<\/strong><\/p>\n

    Two steps are required. First, convert the certificate format. The exported PFX file is a Microsoft-based format, and its Linux counterpart is the PKCS#12 format saved in a PEM file. Think of it as converting a JPG image to a PNG image. Since these files contain the private key, the data must be protected with a password (use at least 5 characters). Once the certificate is in the correct format, it can be installed and will be split into a certificate and a private key.<\/p>\n

    Here is a diagram of the process:<\/p>\n

    \"Blogs<\/p>\n

    \u00a0<\/p>\n

    Part Two \u2013 The Certificate Chain<\/strong><\/p>\n

    Hurray! We have a certificate in Netscaler, but does it work properly? It will work for some clients (mainly Windows clients), but others will receive a certificate warning or be unable to connect. Why is that? A certificate comes with a chain that indicates its origin\u2014like a family tree. Typically, your certificate was issued by a root certificate authority (Certificate Authority<\/strong>, (a type of authority) and is referred to as a Root CA for short. There may also be an \u201eintermediary\u201c that has been authorized by the authority; the certificate was obtained from this \u201eintermediary\u201c and is called an intermediate Certificate Authority.<\/p>\n

    The certificate chain for such a certificate would look like this:<\/p>\n

    \u2013 Root CA (Authorized)<\/p>\n

    \u2013 Intermediate CA (Created)<\/p>\n

    \u2013 Server Certificate (Requested by you)<\/p>\n

    \u00a0<\/p>\n

    \"Certs<\/p>\n

    When importing (converting) the certificate, the chain not included<\/strong> and must be done via LINK<\/strong> The certificates can be restored. Use Windows again to export the root and intermediate certificates in DER format. Then simply install the exported certificates in Netscaler. The important part is then \u201elinking\u201c the certificates to rebuild the chain.<\/p>\n

    Done! The certificate can now be bound to any Netscaler vServer.
    \u00a0\u00a0<\/p>\n

    Step-by-step instructions<\/span><\/h3>\n

    Following the explanation, here are the step-by-step instructions:<\/p>\n

    Part I (Import Certificate)<\/strong><\/p>\n

      \n
    1. Export the certificate as a PFX file (minimum 5-character password)<\/li>\n
    2. Export root and intermediate certificates in DER format<\/li>\n
    3. Netscaler: Traffic Management \/ SSL \/ Import PKCS#12<\/strong>
      PKCS#12 file: my.cert_2016.pfx<\/strong>
      Output file name: my.cert_2016.pem<\/strong>
      Encoding Format: DES3<\/strong>
      Password = Passphrase <- can be the same<\/li>\n
    4. Click OK (Conversion complete!!)\n

      \"Ns<\/p>\n<\/li>\n

    5. Netscaler: Traffic Management \/ SSL \/ SSL Certificates \/ Server Certificates<\/strong>
      Certificate File Name: my.cert_2016.pem<\/strong>
      Certificate-Key Pair Name:my.cert_2016<\/strong>
      Password = Passphrase<\/li>\n
    6. Click INSTALL (Done!)\n

      \"Blogs<\/li>\n<\/ol>\n

      \u00a0<\/strong><\/p>\n

      Part II (Combining Certificates)<\/strong><\/p>\n

        \n
      1. Netscaler: Traffic Management \/ SSL \/ SSL Certificates \/ CA Certificates
        <\/strong>Certificate File Name: root.ca.cer<\/strong> (intermediate.ca.cer)
        Certificate-Key Pair Name: root.ca<\/strong> (intermidiate.ca)<\/li>\n
      2. Click INSTALL\n

        \"Blogs<\/p>\n<\/li>\n

      3. Netscaler: Traffic Management \/ SSL \/ SSL Certificates \/ CA Certificates
        <\/strong>Select intermidiate.ca<\/strong>
        Click\u00a0Action<\/strong>\u00a0then select Link<\/strong><\/li>\n
      4. If the correct Root CA certificate is available (installed), it will be selected! Click OK<\/strong>!<\/li>\n
      5. Netscaler: Traffic Management \/ SSL \/ SSL Certificates \/ Server Certificates<\/strong>
        Select my.cert_2016<\/strong>
        Click\u00a0Action<\/strong>\u00a0then select Link<\/strong><\/li>\n
      6. If the appropriate intermediate or root CA certificate is available (installed), it will be selected! Click OK<\/strong>!\n

        \"Blogs<\/li>\n<\/ol>\n

        That's it! Now the certificate can be bound to vServers such as gateways, load balancers, etc.<\/p>\n

        \u00a0<\/p>\n

        Helpful tips along the way<\/span><\/h3>\n
          \n
        • Use at least 5 characters for the password of PFX\/PEM files that contain the private key.<\/li>\n
        • Use a 2048-bit public key; no more, no less<\/li>\n
        • The certificate name should be meaningful and include the date, such as ctx.dom.com_November 2018<\/strong>
          where 11\/2018 is the certificate's expiration date<\/li>\n
        • Back up the certificates from the Netscaler using WinCP or Netscaler's own full backup<\/li>\n
        • Wildcard certificates *.dom.com<\/strong> make life easier in the long run<\/li>\n
        • Every company should have its own certificate authority and use SSL wherever possible!<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"

          Viele meiner Kunden kommen ins Straucheln, wenn es um Zertifikate geht und ich meine nur die Grundlagen und nicht das […]<\/p>\n","protected":false},"author":1755,"featured_media":1582,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[11],"tags":[37],"class_list":["post-1589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-understanding-de","tag-netscaler"],"uagb_featured_image_src":{"full":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs.jpg",360,360,false],"thumbnail":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs-150x150.jpg",150,150,true],"medium":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs-300x300.jpg",300,300,true],"medium_large":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs.jpg",360,360,false],"large":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs.jpg",360,360,false],"1536x1536":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs.jpg",360,360,false],"2048x2048":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs.jpg",360,360,false],"trp-custom-language-flag":["https:\/\/www.koetzingit.de\/wp-content\/uploads\/2016\/12\/blogs-ns-certs.jpg",12,12,false]},"uagb_author_info":{"display_name":"Thomas K\u00f6tzing","author_link":"https:\/\/www.koetzingit.de\/en\/author\/thomas-koetzing\/"},"uagb_comment_info":0,"uagb_excerpt":"Viele meiner Kunden kommen ins Straucheln, wenn es um Zertifikate geht und ich meine nur die Grundlagen und nicht das […]","_links":{"self":[{"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/posts\/1589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/users\/1755"}],"replies":[{"embeddable":true,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/comments?post=1589"}],"version-history":[{"count":1,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/posts\/1589\/revisions"}],"predecessor-version":[{"id":1887,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/posts\/1589\/revisions\/1887"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/media\/1582"}],"wp:attachment":[{"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/media?parent=1589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/categories?post=1589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.koetzingit.de\/en\/wp-json\/wp\/v2\/tags?post=1589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}