Web Interface for Citrix NetScaler – Error “Import SSL certificate failed”

I have always created the certificate on a Microsoft IIS server, exported it as a .pfx, imported that into Citrix NetScaler and let NetScaler convert it to a .pem file. After that step you can install the certificate by choosing the same .pem file for both the Certificate File Name field and the Private Key File Name field (see screenshot below). NetScaler extracts the certificate and the private key it needs from within the .pem file.

[screenshot: Install Certificate dialog]

With some certificates you also have to download the issuing CA (intermediate/root) certificate, install it on the NetScaler and link it to the installed server certificate, so that the full chain is served to clients.

After this step you can bind the newly installed certificate to the Access Gateway Virtual Server and it will work fine!

However, with the new Citrix Web Interface on NetScaler (nCore) you get the error “Import SSL certificate failed. Following command execution failed: ./export_cert.sh/nsconfig/ssl/portal.example.com.pem” while creating the Web Interface site for Citrix Access Gateway: the certificate fails to import into the Java keystore, with a message similar to the one below (SSL certificate file name removed).

[screenshot: export_cert.sh error]

What happens is that the wizard looks at the Citrix Access Gateway virtual server to see which certificate(s) are bound and tries to import these into the Java keystore, but that import does not cope with a combined .pem file that holds the private key as well as the certificate. keytool expects a file that contains only X.509 certificates, so when you perform the same import manually with the keytool utility on the combined file you get “keytool error: java.lang.Exception: Input not an X.509 certificate”.

Resolution

Split the .pem file with (for instance) OpenSSL into a certificate file and a private key file, install the certificate into Citrix NetScaler as two separate files (see screenshot below), bind it to the Access Gateway virtual server and re-run the Citrix Web Interface wizard for that virtual server.

Convert the file from .PFX to .PEM:
root@ns# openssl pkcs12 -in portal.example.com.PFX -out portal.example.com.PEM

OpenSSL first asks for the import password of the .pfx and then for a new PEM pass phrase. That pass phrase encrypts the private key in the output file, and it is the password NetScaler asks for when you add the certificate later on. Add -nodes to the command if you want the key written unencrypted.

Open portal.example.com.pem and save the section from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- into a portal.example.com.key file. Newer OpenSSL versions write the key as -----BEGIN PRIVATE KEY----- (PKCS#8) or -----BEGIN ENCRYPTED PRIVATE KEY----- instead; copy that block in the same way.

Open portal.example.com.pem and save the next section from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a portal.example.com.crt file.

Open portal.example.com.pem and save any further -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- section into separate intermediate files.

Copy only the marker lines and the base64 text between them; leave out the “Bag Attributes”, “subject=” and “issuer=” lines that openssl pkcs12 writes between the blocks.

Upload the newly created certificate files into the Citrix NetScaler / Access Gateway Enterprise to /nsconfig/ssl.
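The split described in the steps above, as an added example that is not part of the original post: a POSIX shell script that runs in the NetScaler FreeBSD shell or on any Linux box. It cuts the combined .pem into .key, .crt and intermediate files while dropping the Bag Attributes lines that openssl pkcs12 writes between the blocks, and, when openssl is available, checks that the private key really belongs to the server certificate before you upload anything. The portal.example.com.* file names follow the post; the PEM content produced by write_sample_pem is a constructed placeholder, not a real key or certificate, and exists only so the script can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original post: split a combined PEM file
# (as produced by "openssl pkcs12 -in portal.example.com.PFX -out portal.example.com.PEM")
# into the separate key, server certificate and intermediate files NetScaler needs.
# Pure POSIX sh + awk, so it also runs in the NetScaler FreeBSD shell.

# split_pem COMBINED.pem BASENAME
#   BASENAME.key                 the private key block ("RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY")
#   BASENAME.crt                 the first certificate block, i.e. the server certificate
#   BASENAME-intermediate-N.crt  every further certificate block (issuing CA chain)
# Everything outside the BEGIN/END markers (Bag Attributes, subject=/issuer= lines)
# is dropped. Prints the number of certificate blocks found.
split_pem() {
    pem="$1"; base="$2"
    awk -v base="$base" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = base ".key"; inblock = 1 }
        /^-----BEGIN CERTIFICATE-----$/ {
            ncert++
            out = (ncert == 1) ? base ".crt" : base "-intermediate-" (ncert - 1) ".crt"
            inblock = 1
        }
        inblock { print > out }
        /^-----END / { inblock = 0; close(out) }
        END { print ncert + 0 }
    ' "$pem"
}

# key_matches_cert KEYFILE CRTFILE
#   Compares the RSA modulus of the key and of the certificate; a mismatch means you
#   took the wrong block (or the wrong .pfx) and NetScaler will refuse the pair.
#   Needs openssl (returns 2 when it is not installed); an encrypted key prompts
#   for its pass phrase.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Constructed stand-in for openssl pkcs12 output. The base64 lines are placeholder
# text, not a real key or certificate: only the PEM markers matter for the split.
write_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZ
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03
subject=/CN=portal.example.com
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/CN=Example Issuing CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSU5URVJNRURJQVRF
-----END CERTIFICATE-----
EOF
}

# Demo: split the sample and list the files you would then upload to /nsconfig/ssl.
demo() {
    dir=$(mktemp -d)
    write_sample_pem "$dir/portal.example.com.pem"
    n=$(split_pem "$dir/portal.example.com.pem" "$dir/portal.example.com")
    echo "certificate blocks found: $n (1 server certificate, $((n - 1)) intermediate)"
    ls "$dir"
    # On a real split, run this before uploading:
    # key_matches_cert "$dir/portal.example.com.key" "$dir/portal.example.com.crt"
    rm -rf "$dir"
}

demo
```

On a real export, replace the sample with your own combined file, run split_pem on it, and only upload the resulting files to /nsconfig/ssl once key_matches_cert reports a match for the .key/.crt pair; the intermediate files are the ones you install and link as the CA certificate.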

Add the SSL Certificate within the GUI under SSL/Certificates

[screenshot: Install Certificate dialog with separate certificate and key files]

After the SSL certificate has been successfully added to the NetScaler it can be bound to the Citrix Access Gateway virtual server. Then run the Citrix Web Interface wizard for the Access Gateway virtual server again and it will complete successfully.

How to Transfer Certificates from IIS to the NetScaler:
http://support.citrix.com/article/CTX109031

About Henny Louwers
I work as a Consultant specialized in Application Delivery, Virtualization of Servers, Desktops and Apps.

4 Responses to Web Interface for Citrix NetScaler – Error “Import SSL certificate failed”

  1. Jude Xavier says:

    Hi Henny,

    You have mentioned in your document to re-run the Citrix Web Interface Wizard for the Access Gateway Virtual Server.

    We have MPX 5500 NS9.2 and I am not able to find the particular wizard. Any screen shots will be appreciated.

    Cheers,
    Jude


    • Hi Jude,

      If I’m not mistaken, Citrix NetScaler build 9.2 has the Web Interface node under System -> Web Interface. There you can right-click and select ‘Add’; there should also be an ‘Add’ button in the right pane when you select Web Interface on the left. Either way will start the Citrix Web Interface wizard.

      Let me know if you can find it.

      Regards,


  2. Hi, I’m a newbie with certificates, so sorry if it sounds a bit stupido, but what is the password after I split the PEM and import the files into the NS? When I come to the step “Add the SSL Certificate within the GUI under SSL/Certificates” I have to enter a password, but I don’t have one.
    The PEM was already configured on the NS. I have a CRT, but the guy that gave this cert to me didn’t have a password.


    • Daan,

      Sorry for the late response, but the password will be the one used when the request was first created. So, basically, the one who requested the SSL certificate should have the password. If he/she doesn’t know the password anymore, then you will probably have to request a new certificate.

      You could try to remove the password from the PEM certificate by using OpenSSL:
      openssl.exe rsa -in privatekey.pem -out private.pem

      Try the basic passwords like ‘password’, ‘12345678’, ‘qwerty’ or no password (blank); you’ll be amazed how many times those are used 🙂.

