Product Documentation

Importing and Installing an Existing Certificate

You can import an existing certificate from a Windows-based computer running Internet Information Services (IIS) or from a computer running the Secure Gateway.

When you export the certificate, make sure you also export the private key. In some cases, you cannot export the private key, which means you cannot install the certificate on NetScaler Gateway. If this occurs, use the Certificate Signing Request (CSR) to create a new certificate. For details, see Creating a Certificate Signing Request.

When you export a certificate and private key from Windows, the computer creates a Personal Information Exchange (.pfx) file. This file is then installed on NetScaler Gateway as a PKCS#12 certificate.

If you are replacing the Secure Gateway with NetScaler Gateway, you can export the certificate and private key from the Secure Gateway. If you are doing an in-place migration from the Secure Gateway to NetScaler Gateway, the fully qualified domain name (FQDN) on the application and the appliance must be the same. When you export the certificate from the Secure Gateway, you immediately retire the Secure Gateway, install the certificate on NetScaler Gateway, and then test the configuration. The Secure Gateway and NetScaler Gateway cannot be running on your network at the same time if they have the same FQDN.).

If you are using Windows Server 2003 or Windows Server 2008, you can use the Microsoft Management Console to export the certificate. For more information, see the Windows online Help.

Leave the default values for all the other options, define a password, and save the .pfx file to your computer. When the certificate is exported, you then install it on NetScaler Gateway.

To install the certificate and private key on NetScaler Gateway

  1. In the configuration utility, click the Configuration tab and then in the navigation pane, click NetScaler Gateway.

  2. In the details pane, under Getting Started, click NetScaler Gateway wizard.

  3. Click Next, select an existing virtual server and then click Next.

  4. In Certificate Options, select Install a PKCS#12 (.pfx) file.

  5. In PKCS#12 File Name, click Browse, navigate to the certificate and then click Select.

  6. In Password, type the password for the private key.

    This is the password you used when converting the certificate to PEM format.

  7. Click Next to finish the NetScaler Gateway wizard without changing any other settings.

When the certificate is installed on NetScaler Gateway, the certificate appears in the configuration utility in the SSL > Certificates node.

To create a private Key

  1. In the configuration utility, on the Configuration tab, in the navigation pane, click SSL.

  2. In the details pane, under SSL Keys, click Create RSA Key.

  3. In Key Filename, type the name of the private key or click Browse to navigate to an existing file.

  4. In Key Size (Bits), type the size of the private key.

  5. In Public Exponent Value, select F4 or 3.

    The public exponent value for the RSA key. This is part of the cipher algorithm and is required for creating the RSA key. The values are F4 (Hex: 0x10001) or 3 (Hex: 0x3). The default is F4.

  6. In Key Format, select PEM or DER. Citrix recommends PEM format for the certificate.

  7. In PEM Encoding Algorithm, select DES or DES3.

  8. In PEM Passphrase and Verify Passphrase, type the password, click Create and then click Close.

    Note: To assign a passphrase, the Key Format must be PEM and you must select the encoding algorithm.

To create a DSA private key in the configuration utility, click Create DSA Key. Follow the same steps above to create the DSA private key.

Importing and Installing an Existing Certificate