Steps to request an SSL certificate (with IIS) and use it with Citrix NetScaler Access Gateway


In Internet Information Services (IIS) Manager
Open Server Certificates
Create Certificate Request
Enter Common name, organization, city, etc.
Choose Microsoft RSA SChannel Cryptographic Provider / Bit length: 2048
Specify a file name for the certificate request
Send the request (CSR) to an SSL certificate provider (CA)

After you have received the certificate from the CA, continue with the following steps:

In Internet Information Services (IIS) Manager
Open Server Certificates
Complete Certificate Request
Enter the file name containing the CA’s response (.cer), friendly name, certificate store
Open the certificate in IIS Server Certificates
Click ‘Details’ tab and click ‘Copy to File…’
Select Yes, export the private key
Select Personal Information Exchange – PKCS #12 (.PFX)
– Include all certificates in the certification path if possible
Enter a Password
Specify a file name

Start a Command Prompt (CMD) and browse to the directory where OpenSSL is installed.
Extract the private key from the .pfx file:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
You are prompted twice: first for the import password you set when exporting the .pfx, then for a new PEM pass phrase that protects the extracted key (OpenSSL asks you to confirm it).
Extract the certificate:
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

The key extracted above is already PEM-encoded, but it is still protected by the pass phrase you just chose. So that NetScaler can load it without a key password, strip the pass phrase with:
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile.key]
The resulting file holds the private key unencrypted: keep it out of shared folders, and delete it together with the .pfx once the certificate-key pair has been installed on the NetScaler.
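The OpenSSL steps above, rehearsed end to end as an added example (this is not code from the original post or from Citrix). It assumes openssl is in PATH, invents the file names and the export password, and uses a self-signed certificate as a stand-in for the PFX exported from IIS. What it adds to the steps is a check that the extracted certificate and the converted key really belong together before they go onto the NetScaler, where a mismatch only shows up as an install error.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the OpenSSL steps against a
# throwaway PFX and verify the result before anything is uploaded to the NetScaler.
# Assumptions (all made up): file names, the export password, and a self-signed
# certificate standing in for the PFX exported from IIS. Requires openssl in PATH.
set -e

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="ExportPassword123"   # constructed; in practice the password typed in the IIS wizard

# Build a stand-in for the IIS export: self-signed certificate + key, bundled as PKCS#12.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=gateway.example.com/O=Example" \
        -keyout "$WORK/iis.key" -out "$WORK/iis.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/iis.crt" -inkey "$WORK/iis.key" \
        -passout "pass:$PFX_PASS" -out "$WORK/yourfile.pfx"
}

# The post's extraction steps, run non-interactively: pass-phrase-protected key, the
# server certificate, any CA certificates in the bundle, then the key with the
# pass phrase removed (what openssl rsa does).
extract_from_pfx() {
    pfx="$1"
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$PFX_PASS" \
        -passout "pass:$PFX_PASS" -out "$WORK/keyfile-encrypted.key"
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" \
        -out "$WORK/certificate.crt"
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$PFX_PASS" \
        -out "$WORK/chain.crt"
    openssl rsa -in "$WORK/keyfile-encrypted.key" -passin "pass:$PFX_PASS" \
        -outform PEM -out "$WORK/keyfile.key" 2>/dev/null
    chmod 600 "$WORK/keyfile.key"   # the key is now unencrypted: restrict access
}

# Returns 0 when the public key inside the certificate equals the public key derived
# from the private key, i.e. the two files really form a pair; 1 otherwise.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null </dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the key file carries no pass phrase (the form NetScaler loads without
# a key password), 1 if it is still encrypted.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Stand-alone run: build the test PFX, extract, verify, and say what to upload.
make_test_pfx
extract_from_pfx "$WORK/yourfile.pfx"
if key_matches_cert "$WORK/certificate.crt" "$WORK/keyfile.key" && key_is_unencrypted "$WORK/keyfile.key"; then
    echo "OK: install $WORK/certificate.crt + $WORK/keyfile.key as the certificate-key pair,"
    echo "    and the certificates in $WORK/chain.crt (if any) as CA certificates"
else
    echo "MISMATCH: certificate and key do not belong together, do not upload" >&2
    exit 1
fi
```

Two practical notes. First, the `-cacerts -nokeys` output is the intermediate chain that the IIS export wizard bundled into the .pfx (when "Include all certificates in the certification path" was ticked); those are the certificates to install and bind as CA certificates on the NetScaler, and the file is simply empty for a self-signed test certificate. Second, a .pfx exported by older Windows versions is typically encrypted with RC2-40/3DES, which OpenSSL 3 refuses by default; if the `openssl pkcs12 -in` steps fail with an "unsupported" algorithm error, add `-legacy` to those commands.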

In Citrix NetScaler Gateway
Open Configuration \ Traffic Management \ SSL \ Certificates \ Server Certificates
Click Install
Enter Certificate-Key Pair Name* (example your Common Name)
Choose certificate.crt (extracted from the .pfx file)
Choose the key file (extracted from the .pfx file and converted with openssl rsa)
Click Install

Bind certificate to Virtual Server
Open Configuration \ NetScaler Gateway \ Virtual Servers
Edit Virtual Server
Bind Server Certificate
Bind CA Certificate(s)
Click Done

Note: Do not forget to install the certificate on your StoreFront server(s), and make sure the root CA (and any intermediate CA) is trusted on your client(s).
