Import PFX Certificate to NetScaler VPX

Follow the steps below to import a PFX certificate into NetScaler VPX.

Preparation of SSL Certificate
Download the Let's Encrypt root and intermediate certificates and save them as LetsEncryptRoot.cer and LetsEncryptIntermediate.cer.

Export AventisLab.pfx from Windows Server.

Upload the SSL Certificate to NetScaler VPX to /nsconfig/ssl with SCP

    scp AventisLab.pfx nsroot@121.121.43.51:/nsconfig/ssl
    scp LetsEncryptIntermediate.cer nsroot@121.121.43.51:/nsconfig/ssl
    scp LetsEncryptRoot.cer nsroot@121.121.43.51:/nsconfig/ssl

Login to VPX and extract the Key from PFX

    shell
    cd /nsconfig/ssl

    #Extract the Private Key to AventisLabTempKey.pem
    openssl pkcs12 -in AventisLab.pfx -nocerts -out AventisLabTempKey.pem
    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:

The error “ERROR: Invalid private key, or PEM pass phrase required for this private key” is displayed if you use the exported key file above, because that file is still protected by the PEM pass phrase entered during extraction.

Convert the key again in VPX

    openssl rsa -in AventisLabTempKey.pem -out AventisLabKey.pem

    #Export the certificate only
    openssl pkcs12 -in AventisLab.pfx -clcerts -nokeys -out AventisLab.pem
    Enter Import Password:
    MAC verified OK

    exit #Back to NetScaler Shell
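A pre-import check for the files produced above, to run in /nsconfig/ssl before leaving the shell. This is an added example, not part of the original post; the script name preflight.sh and its function names are hypothetical. It flags a key that is still pass-phrase protected (the cause of the error quoted above), confirms the key belongs to the certificate, and checks that the key file is not readable by group or other.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run in /nsconfig/ssl
# after the openssl extraction and before "add ssl certKey".

# True if the PEM key is pass-phrase protected. Matches both the PKCS#8 header
# ("BEGIN ENCRYPTED PRIVATE KEY") and the legacy "Proc-Type: 4,ENCRYPTED" line.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True if the certificate and the private key carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if group and other have no permissions on the key file.
key_perms_tight() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight CERT KEY -> 0 ok, 1 encrypted key, 2 key/cert mismatch, 3 loose perms
preflight() {
    cert=$1; key=$2
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is still pass-phrase protected"; return 1
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "FAIL: $key does not belong to $cert"; return 2
    fi
    if ! key_perms_tight "$key"; then
        echo "WARN: $key is readable by group/other (chmod 600)"; return 3
    fi
    echo "OK: $cert and $key are ready to import"
}

# Usage: sh preflight.sh AventisLab.pem AventisLabKey.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Once the import succeeds, delete AventisLabTempKey.pem and the uploaded AventisLab.pfx from /nsconfig/ssl so that no spare copies of the private key remain on the appliance.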

Import the PEM Certificate

    #Replace XXXXXX with the password to import the key
    add ssl certKey AventisLab.com -cert /nsconfig/ssl/AventisLab.pem -key /nsconfig/ssl/AventisLabKey.pem -password XXXXXX -expiryMonitor ENABLED -notificationPeriod 30

    #Import the Let's Encrypt Root & Intermediate Cert
    add ssl certkey LetsEncryptIntermediate -cert LetsEncryptIntermediate.cer
    add ssl certkey LetsEncryptRoot -cert LetsEncryptRoot.cer

Link the SSL, Intermediate & Root Certificate

    #Link the Wildcard Cert with Intermediate & Intermediate with Root 
    link ssl certkey AventisLab.com LetsEncryptIntermediate
    link ssl certkey LetsEncryptIntermediate LetsEncryptRoot

Verify the Certs are linked successfully

    > sh certlink
    1)      Cert Name: AventisLab.com        CA Cert Name: LetsEncryptIntermediate
    2)      Cert Name: LetsEncryptIntermediate       CA Cert Name: LetsEncryptRoot
     Done