Converting Certificate from PFX Format to PEM Format

SSL certificates are used for SSL load balancing virtual servers and Citrix Gateway virtual servers. PEM certificates are Base64-encoded ASCII files. They can be opened in a text editor such as Notepad, where you will find that they contain “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” statements.

For secure, trusted access you must install an SSL server certificate on the Citrix Gateway server. The uploaded certificate file must have the following characteristics:

  • The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. For best results, use a commercial CA such as VeriSign, Thawte or GeoTrust.

  • The certificate must be in Privacy Enhanced Mail (PEM) format, a text-based format that is a Base64 encoding of the binary Distinguished Encoding Rules (DER) format.

  • The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file.

  • Any necessary intermediate certificates must also be appended to the end of the PEM file.

Complete one of the following procedures to convert a PFX certificate to PEM format for use with Citrix Gateway:

Citrix Gateway Wizard

Complete the following procedure to convert a PFX certificate to PEM format using the Citrix Gateway Wizard:

  1. Navigate to Traffic Management and select the SSL node.

  2. Click the Import PKCS#12 link.

  3. Specify a file name you want for the PEM certificate in the Output File Name field.

  4. Click Browse and select the PFX certificate that you want to convert to PEM format. Some users prefer to upload the certificate to the /nsconfig/ssl directory and use it from there. If the PFX certificate is stored on Citrix Gateway, choose the Appliance option; if it is stored on your workstation, use Local.

  5. Specify the Import Password.

  6. Click OK.

  7. If the file is encoded, then select DES or 3DES as the Encoding Format.

  8. Specify the PEM Passphrase and the Verify PEM Passphrase.

  9. Click the Manage Certificates / Keys / CSRs link to view the converted PEM certificate files.

  10. You can view the uploaded PFX file with the converted PEM file.

  11. Expand the SSL node.

  12. Select the Certificates node.

  13. Click Install.

  14. Specify a Certificate-Key Pair Name in the Install Certificate wizard.

  15. Browse to the PEM file for both the Certificate File Name and Private Key File Name.

  16. Specify the Password.

  17. Click Install.

OpenSSL Utility

If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto Citrix Gateway, you must convert the PFX file to unencrypted PEM format.

You can use the open source utility OpenSSL to perform the conversion from PFX to PEM. Download a Win32 distribution of OpenSSL from Win32 OpenSSL.

You might also need the C++ redistributable files if you want to use OpenSSL. Download these from Microsoft Visual C++ 2008 Redistributable Package (x86).

To convert a PFX file to a PEM file, complete the following steps on a Windows machine:

  1. Download and install the Win32 OpenSSL package from Win32 OpenSSL.

  2. Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.

  3. Open a command prompt and change to the OpenSSL\bin directory: cd %homedrive%\OpenSSL\bin

  4. Run the following command to convert the PFX file to an unencrypted PEM file (all in one line): openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

  5. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.

  6. Point a browser to the Citrix Gateway administration portal or HTTPS port 9001: https://netscaler-gateway-server:9001.

  7. Log on as root. The default password is rootadmin.

  8. Click the Maintenance link at the top of the page.

  9. Click the Browse button next to the Upload Private Key+Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.

  10. Restart Citrix Gateway for the new SSL certificate to be applied.
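
A pre-upload check for the file produced in step 4, added here as an example (not Citrix or OpenSSL code): it reads the PEM labels and headers to confirm that the bundle holds a private key that is not encrypted and at least one certificate, as the requirements at the top of this page state. The names check_gateway_pem and sample_block are hypothetical, and the sample blocks are constructed placeholder bytes, not real keys or certificates.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers, Base64 body, matching END line.
# Text outside blocks (the "Bag Attributes" lines openssl pkcs12 writes) is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def check_gateway_pem(text):
    """Return a list of problems in a PEM bundle; an empty list means none found."""
    problems, keys, certs = [], 0, 0
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # ':' never occurs in Base64
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid Base64")
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # Encrypted PKCS#8 keys have their own label; traditional encrypted
            # keys keep the plain label and add a "Proc-Type: 4,ENCRYPTED" header.
            legacy = any(h.replace(" ", "").startswith("Proc-Type:4,ENCRYPTED") for h in headers)
            if label == "ENCRYPTED PRIVATE KEY" or legacy:
                problems.append("private key is encrypted (password required)")
    if keys == 0:
        problems.append("no private key found")
    if certs == 0:
        problems.append("no certificate found")
    return problems


def sample_block(label, headers=""):
    # Constructed sample block: placeholder bytes, not a real key or certificate.
    body = base64.b64encode(b"constructed placeholder bytes, not a real key").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


GOOD = "Bag Attributes\n    friendlyName: demo\n" + sample_block("PRIVATE KEY") + sample_block("CERTIFICATE") * 2
LEGACY_ENC = sample_block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n") + sample_block("CERTIFICATE")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("LEGACY_ENC", LEGACY_ENC)):
        print(name, check_gateway_pem(sample) or "OK")
```

The check looks only at block labels, headers and Base64 validity; it does not parse the certificates or confirm that the key matches the server certificate.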
