Install IIS certificate on Citrix Netscaler 10.1

In our test environment I recently used an existing SSL Wildcard certificate for making the Netscaler available external, to accomplish this I needed to export the certificate from a IIS server and import the certificate into the Netscaler. When using StoreFront 2.0 which also advises you to use a SSL certificate you also need this certificate imported into the Netscaler.

SSL Export-Import (1)

Exporting the Certificates

To use the exported files we need to export the Certificate two times, one time with the private key and one time without.

1. Right click the certificate and select “All Tasks” then select “Export“. Follow the wizard and choose option ” Yes, export the private key” and continue the wizard. When you don’t get the option to export the private key, the issue a new certificate with the private key export option.

 SSL Export-Import (3)

 2. When you received the option to export the private key, you now should receive the PKCS #12 (.PFX) options, uncheck all the options, click “Next” and choose a password and filename and export the Certificate.  Choose a filename that’s looks like the certificate name, because the netscaler will store the files with the names you choose. When using something like “certificate.pfx” this could get confusing in time.

SSL Export-Import (4)

 After we exported the certificate for the first time we now need to export it again.

4. Right click the certificate and select “All Tasks” then select “Export“. Follow the wizard and choose option “No, do not export the private key” and continue the wizard.

SSL Export-Import (8)

5. Select “Base-64 encoded X.509” and click “Next“, choose a appropriate filename and export the certificate.  

SSL Export-Import (9)

6. Now we have exported the certificates and have two files.

 SSL Export-Import (12)

Importing the Certificates

1. login on the Netscaler Gateway, go to configuration and open the SSL page in the left menu. Now select “Import PKCS #12” under Tools.

SSL Export-Import (13)

2. In the window that just opened file in the “Output File Name” ending with .key, at the “PKCS12 File Name” browse to the exported file on your PC. Type the password you entered during the export and select the “Encoding Format” to “DES3” and than click “OK

SSL Export-Import (14)

3. Now click on the “Manage Certificates / Keys / CSRs” and upload the .cer file. You now have three files on the Netscaler.

SSL Export-Import (15)

4. In the left menu under SSL select “Certificates” and then click “Install

SSL Export-Import (16)

5. Enter the name you like to use in the “Certificate-Key Pair Name”. For the “Certificate File Name” select the .cer file you uploaded. For the “Private Key File Name” select your .key file. Use the password you entered in step 2 and then click “Create“.

SSL Export-Import (17)

6. Now the certificate is installed and can be used for the Netscaler, the certificate above is used for contacting StoreFront server which is also using a SSL certificate.

SSL Export-Import (18)



  • Jop Gommans

    Good stuff Sjoerd! All laid out, detailed and all :)
    Always fighting with the exports/imports, this clarified it a lot, thanks!

    Regards, your old backdoor neighbor (Wieënstraat) ;),
    Jop Gommans

  • Kevin Hill

    Very helpful, thank you