[BUG] Citrix NetScaler Build 51.5: GUI Secure Only not working through SSL/VPN

The Citrix NetScaler GUI console is reachable over plain http while "Secure Only" is enabled, when connecting through an SSL/VPN connection.

To keep your NetScaler implementation compliant with the PCI-DSS standard, you have to make sure the Management Console cannot be reached over an unencrypted connection. During my most recent implementations using Build 51.5nc I noticed that, although this option is enabled, I can still access the GUI through an unencrypted http connection instead of https when connected via an Access Gateway SSL/VPN connection.

Citrix Support has confirmed this bug and is working on a solution.


Web Interface for Citrix NetScaler – Error “Import SSL certificate failed”

I always create(d) the certificate on a Microsoft IIS server, export it as a .pfx file, import that into Citrix NetScaler and let Citrix NetScaler convert it to a .pem certificate. After this step you can install the certificate by choosing the same .pem file for both the Certificate File Name field and the Private Key File Name field (see screenshot below). Citrix NetScaler will extract the right certificate and key from within the .pem file.


With some certificates you also have to download the root certificate and link it to the installed certificate.

After this step you can bind the newly installed certificate to the Access Gateway Virtual Server and it will work fine!

However, with the new Citrix Web Interface for NetScaler nCore, the creation of the Web Interface for Citrix Access Gateway fails with the error "Import SSL certificate failed. Following command execution failed: ./export_cert.sh/nsconfig/ssl/portal.example.com.pem", meaning the certificate could not be imported into the Java keystore. The output looks similar to the screenshot below (SSL certificate file name removed).

export_cert.sh

What happens is that the wizard looks at the Citrix Access Gateway Virtual Server to see which certificate(s) are bound and tries to import these into the Java keystore, but there seems to be a problem importing combined .pem certificates (key and certificate in one file). When you try to perform this action manually with the keytool utility you get "keytool error: java.lang.Exception: Input not an X.509 certificate".

Resolution

Split the .pem certificate with (for instance) OpenSSL into a certificate file and a private key file, install the certificate into Citrix NetScaler as two files (see screenshot below), bind it to the Access Gateway Virtual Server and re-run the Citrix Web Interface Wizard for the Access Gateway Virtual Server.

Convert the file from .PFX to .PEM:
root@ns# openssl pkcs12 -in portal.example.com.PFX -out portal.example.com.PEM

Open portal.example.com.pem and save the section from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- into a portal.example.com.key file.

Open portal.example.com.pem and save the next section from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a portal.example.com.crt file.

Open portal.example.com.pem and save every further -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- section into separate intermediate certificate files.

Upload the newly created certificate files into the Citrix NetScaler / Access Gateway Enterprise to /nsconfig/ssl.
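The manual splitting steps above, as an added shell example that is not from the original post: it cuts a combined .pem (as written by the openssl pkcs12 command) into a .key file, a .crt file for the first certificate and one file per further intermediate certificate, using only awk. The sample .pem it writes is constructed with placeholder data instead of real key material; the file names follow the post's portal.example.com example.

```shell
#!/bin/sh
# Added example (not from the original post): split a combined .pem into the
# separate files the post describes: <base>.key, <base>.crt (first certificate,
# i.e. the server certificate) and <base>.intermediate-N.crt for every further
# certificate. Only awk is used; "Bag Attributes" lines from openssl are dropped.

split_pem() {
  pem="$1"
  base="${pem%.*}"   # portal.example.com.pem -> portal.example.com
  awk -v base="$base" '
    # a key block (RSA, EC or PKCS#8) goes to <base>.key
    /^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/ { out = base ".key" }
    # the first certificate is the server cert, later ones are intermediates
    /^-----BEGIN CERTIFICATE-----/ {
      ncert++
      if (ncert == 1) out = base ".crt"
      else            out = base ".intermediate-" (ncert - 1) ".crt"
    }
    # copy every line from BEGIN up to and including END into the current file
    out != "" { print > out }
    /^-----END / { close(out); out = "" }
  ' "$pem"
}

# write_sample_pem <path>: constructed stand-in for the openssl pkcs12 output,
# with placeholder text instead of real base64 key/certificate data
write_sample_pem() {
  cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
KEYDATA-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: portal.example.com
subject=/CN=portal.example.com
-----BEGIN CERTIFICATE-----
LEAFDATA-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
INTERDATA-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}
```

Run `split_pem portal.example.com.pem` on the real file; the resulting .key, .crt and intermediate files are what you upload to /nsconfig/ssl and select as separate Certificate and Private Key files in the GUI.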

Add the SSL certificate within the GUI under SSL/Certificates, selecting the .crt file as Certificate File Name and the .key file as Private Key File Name (see screenshot below).


After the SSL certificate has been successfully added to the NetScaler system it can be bound to the Citrix Access Gateway virtual server. After that, run the Citrix Web Interface wizard for Access Gateway again and it will complete successfully.

How to Transfer Certificates from IIS to the NetScaler:
http://support.citrix.com/article/CTX109031
