Import PFX Certificate to NetScaler VPX

This tutorial shows how to import a PFX certificate into NetScaler VPX. It follows on from Provision Citrix NetScaler VPX with CLI.

Let’s Encrypt Root & Intermediate Certificate

Download the Let’s Encrypt root and intermediate certificates from https://letsencrypt.org/certificates/ and save them as LetsEncrypt_Root.cer and LetsEncrypt_Intermediate.cer.

Transfer PFX, Root & Intermediate Certificate to NetScaler VPX

Upload the SSL certificates to /nsconfig/ssl on the NetScaler VPX with SCP

scp AVENTIS.pfx [email protected]:/nsconfig/ssl 
scp LetsEncrypt_Intermediate.cer [email protected]:/nsconfig/ssl 
scp LetsEncrypt_Root.cer [email protected]:/nsconfig/ssl

Log in to NetScaler VPX to extract the certificate (AVENTIS.crt) and key file (AVENTIS.key) from AVENTIS.pfx

#Change to shell
>shell
root@ns# cd /nsconfig/ssl

#Extract the private key from PFX 
openssl pkcs12 -in AVENTIS.pfx -nocerts -out AVENTIS.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

#Extract Crt from PFX 
openssl pkcs12 -in AVENTIS.pfx -clcerts -nokeys -out AVENTIS.crt
Enter Import Password:

#Remove the passphrase
openssl rsa -in AVENTIS.pem -out AVENTIS.key
Enter pass phrase for AVENTIS.pem:
writing RSA key
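
A pre-flight check for the extracted files, added here as an example (not code from the original post): it confirms that AVENTIS.crt holds a certificate, AVENTIS.key holds an unencrypted private key, the certificate is valid for at least 30 more days, and the two share a public key. The PFX it builds, the host name vpx.example.test, the password "constructed" and all function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-flight check for the files extracted from a PFX.
# All key material is constructed test data; "pass:constructed" is a made-up password.

pubkey_hash_cert() {  # SHA-256 of the DER public key inside a certificate
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}
pubkey_hash_key() {   # SHA-256 of the DER public key derived from a private key
    openssl pkey -in "$1" -passin pass: -pubout -outform DER | openssl dgst -sha256
}

# check_pair CERT KEY: 0 = ok, 2 = CERT holds no certificate, 3 = KEY is not an
# unencrypted private key, 4 = expires within 30 days, 5 = KEY does not match CERT.
# "-passin pass:" and </dev/null keep openssl from prompting on an encrypted file.
check_pair() {
    openssl x509 -in "$1" -passin pass: -noout >/dev/null 2>&1 </dev/null || return 2
    openssl pkey -in "$2" -passin pass: -noout >/dev/null 2>&1 </dev/null || return 3
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1 || return 4
    [ "$(pubkey_hash_cert "$1")" = "$(pubkey_hash_key "$2")" ] || return 5
}

# Build a constructed self-signed certificate and PFX (stand-in for AVENTIS.pfx).
make_constructed_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=vpx.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/AVENTIS.pfx" -passout pass:constructed 2>/dev/null
}

# The page's three extraction commands, with passwords supplied non-interactively.
extract_from_pfx() {
    openssl pkcs12 -in "$1/AVENTIS.pfx" -nocerts -out "$1/AVENTIS.pem" \
        -passin pass:constructed -passout pass:constructed 2>/dev/null &&
    openssl pkcs12 -in "$1/AVENTIS.pfx" -clcerts -nokeys -out "$1/AVENTIS.crt" \
        -passin pass:constructed 2>/dev/null &&
    openssl rsa -in "$1/AVENTIS.pem" -out "$1/AVENTIS.key" -passin pass:constructed 2>/dev/null
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_constructed_pfx "$work" && extract_from_pfx "$work"
rc=0; check_pair "$work/AVENTIS.crt" "$work/AVENTIS.key" || rc=$?; echo "AVENTIS.crt + AVENTIS.key: $rc"
rc=0; check_pair "$work/AVENTIS.pem" "$work/AVENTIS.key" || rc=$?; echo "AVENTIS.pem + AVENTIS.key: $rc"
```

On the appliance only check_pair is needed: check_pair /nsconfig/ssl/AVENTIS.crt /nsconfig/ssl/AVENTIS.key should return 0 before the certificate is added.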

Import PFX Certificate to NetScaler VPX

add ssl certKey AVENTIS -cert /nsconfig/ssl/AVENTIS.crt -key /nsconfig/ssl/AVENTIS.key -password XXXXXX -expiryMonitor ENABLED -notificationPeriod 30

Import the Let’s Encrypt Root & Intermediate Certificate

add ssl certkey LetsEncrypt_Intermediate -cert LetsEncrypt_Intermediate.cer
add ssl certkey LetsEncrypt_Root -cert LetsEncrypt_Root.cer

Link the SSL, Intermediate & Root Certificate

link ssl certkey AVENTIS LetsEncrypt_Intermediate
link ssl certkey LetsEncrypt_Intermediate LetsEncrypt_Root

Verify the imported SSL Certificate is chained with Intermediate & Root Certificate properly

show certlink
1)      Cert Name: AVENTIS       CA Cert Name: LetsEncrypt_Intermediate
2)      Cert Name: LetsEncrypt_Intermediate      CA Cert Name: LetsEncrypt_root

Verify in the Web UI, under Traffic Management – SSL – Certificate – All Certificate, that all SSL certificates were imported successfully

Replace the Default SSL Certificate for Management Interface

Replace the default self-signed SSL certificate with the Let’s Encrypt SSL certificate

> show run | grep ns-server-certificate
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
bind ssl service nsrnatsip-127.0.0.1-5061 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-::1l-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-::1l-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
> bind ssl service nshttps-127.0.0.1-443 -certkeyName AVENTIS
Warning: Current certificate replaces the previous binding
 Done
> save ns config
 Done

You can now access https://vpx.aventis.dev without any certificate error.
