Importing Existing Certificates and Keys

Nov 11, 2013

If you want to use certificates and keys that you already have on other secure servers or applications in your network, you can export them, and then import them to the NetScaler appliance. You might have to convert exported certificates and keys before you can import them to the NetScaler appliance.

For the details of how to export certificates from secure servers or applications in your network, see the documentation of the server or application from which you want to export.

Note: For installation on the NetScaler appliance, key and certificate names cannot contain spaces or special characters other than those supported by the UNIX file system. Follow the appropriate naming convention when you save the exported key and certificate.

A certificate and private key pair is commonly sent in the PKCS#12 format. The NetScaler supports PEM and DER formats for certificates and keys. To convert PKCS#12 to PEM or DER, or PEM or DER to PKCS#12, see Converting the Format of SSL Certificates for Import or Export.

The NetScaler appliance does not support PEM keys in PKCS#8 format. However, you can convert these keys to a supported format by using the OpenSSL interface, which you can access from the NetScaler command line or the configuration utility. Before you convert the key, you need to verify that the private key is in PKCS#8 format. Keys in PKCS#8 format typically start with the following text:

-----BEGIN ENCRYPTED PRIVATE KEY-----

leuSSZQZKgrgUQ==

-----END ENCRYPTED PRIVATE KEY-----

To open the OpenSSL interface from the command line interface

  1. Open an SSH connection to the appliance by using an SSH client, such as PuTTY.
  2. Log on to the appliance by using the administrator credentials.
  3. At the command prompt, type shell.
  4. At the shell prompt, type openssl.

To open the OpenSSL interface from the configuration utility

Navigate to Traffic Management > SSL and, in the Tools group, select OpenSSL interface.

To convert a non-supported PKCS#8 key format to an encrypted supported key format by using the OpenSSL interface

At the OpenSSL prompt, type one of the following commands, depending on whether the non-supported key format is of type rsa or dsa:
  • rsa -in <PKCS#8 Key Filename> -des3 -out <encrypted Key Filename>
  • dsa -in <PKCS#8 Key Filename> -des3 -out <encrypted Key Filename>

To convert a non-supported PKCS#8 key format to an unencrypted key format by using the OpenSSL interface

At the OpenSSL prompt, type one of the following commands, depending on whether the non-supported key format is of type rsa or dsa:
  • rsa -in <PKCS#8 Key Filename> -out <unencrypted Key Filename>
  • dsa -in <PKCS#8 Key Filename> -out <unencrypted Key Filename>

Parameters for converting an unsupported key format to a supported key format

<PKCS#8 Key Filename>
The input file name of the incompatible PKCS#8 private key.
<encrypted Key Filename>
The output file name of the compatible encrypted private key in PEM format.
<unencrypted Key Filename>
The output file name of the compatible unencrypted private key in PEM format.
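The format check and conversion described above can be scripted from the shell prompt. The following is an added example, not part of the original documentation or of the NetScaler software: the function names `pem_key_format` and `convert_pkcs8_key` are hypothetical, and the sample key file is constructed. It treats both the `ENCRYPTED PRIVATE KEY` header shown above and the unencrypted `PRIVATE KEY` header as PKCS#8.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its BEGIN line, then convert
# only when the input really is PKCS#8. Function names are hypothetical.

# Prints one of: pkcs8-encrypted, pkcs8, rsa, dsa, unknown
pem_key_format() {
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo rsa ;;
        '-----BEGIN DSA PRIVATE KEY-----')       echo dsa ;;
        *)                                       echo unknown ;;
    esac
}

# Usage: convert_pkcs8_key rsa|dsa <PKCS#8 key file> <output file> [encrypt]
# Runs the rsa/dsa commands from the page; "encrypt" adds -des3.
convert_pkcs8_key() {
    alg=$1; src=$2; dst=$3; enc=
    case "$alg" in rsa|dsa) ;; *) echo "key type must be rsa or dsa" >&2; return 2 ;; esac
    case "$(pem_key_format "$src")" in
        pkcs8|pkcs8-encrypted) ;;
        *) echo "$src is not a PKCS#8 PEM key; nothing to convert" >&2; return 1 ;;
    esac
    if [ "${4:-}" = encrypt ]; then enc=-des3; fi
    # umask 077: the output is private key material, so create it owner-only.
    ( umask 077; openssl "$alg" -in "$src" $enc -out "$dst" ) || return 1
    # Confirm the result: some OpenSSL builds write PKCS#8 again by default.
    if [ "$(pem_key_format "$dst")" != "$alg" ]; then
        echo "$dst is still not in $alg PEM format" >&2; return 1
    fi
}

# Constructed sample (not a real key): only the header line is inspected.
sample=$(mktemp)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$sample"
pem_key_format "$sample"    # classify before choosing a conversion command
rm -f "$sample"
```

An unencrypted output file holds the private key in the clear, so restrict access to it and remove intermediate copies once the key is installed.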