Windows servers use .pfx/.p12 files to contain the public key file (SSL Certificate) and its unique private key file. The Certificate Authority (CA) provides you with your SSL Certificate (public key file). The associated private key file is generated on your server, where the CSR was created.

You need both the public and private keys for an SSL certificate to work properly on any system. Windows uses the pfx/p12 file to contain these two keys; therefore, if you need to transfer your SSL certificate from one server to another or store it somewhere for safekeeping, you need to create a .pfx backup.

Citrix Netscaler is an Apache-type system that uses pem/x509 certificate formats for encryption and is not compatible with pfx/pkcs12 keypairs. A conversion must be done in order to bring the certificate and private key into a format that Citrix Netscaler will understand.
Note: It might be faster and easier to just generate a new CSR private key pair from the Citrix system > Perform a reissue of the certificate using the new CSR > Then install the new reissued certificate back into the Citrix system. CSR generation instructions for Citrix Netscaler are located here.

To back up, export, and move an SSL/TLS certificate with its private key from a Windows system to a Citrix Netscaler, perform the following.

Step 1:  Create an MMC Snap-in for Managing Certificates on the Windows system:

  1. Start > run > MMC.
  2. Go into the Console Tab > File > Add/Remove Snap-in.
  3. Click on Add > Click on Certificates and click on Add.
  4. Choose Computer Account > Next.
  5. Choose Local Computer > Finish.
  6. Close the Add Standalone Snap-in window.
  7. Click on OK at the Add/Remove Snap-in window.

Step 2: Export/Backup certificate to .pfx file:

  1. In MMC Double click on Certificates (Local Computer) in the center window.
  2. Double click on the Personal folder, and then on Certificates.
  3. Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export
  4. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  5. Choose ‘Yes, export the private key’.
  6. Choose to “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option)
  7. Enter a password you will remember.
  8. Choose to save file on a set location.
  9. Click Finish.
  10. You will receive a message > “The export was successful.” > Click OK. The .pfx file backup is now saved in the location you selected and is ready to be moved or stored for safekeeping.

You have now successfully exported your pfx/pkcs12 file from your Windows system. You can now move it to your Citrix Netscaler Appliance.

Step 3: Converting your Windows pfx/pkcs12 file into Apache pem/x509 format:

  1. Log in to the Netscaler console.
  2. On the Configuration tab, in the tree menu, expand Traffic Management and then click SSL
  3. Under Tools Click Import PKCS#12
    This tool is a converter tool built into Citrix. It will not magically import your pfx file. 
  4. An Import PKCS12 window will pop up.
    1. Under Output File Name:
      Click Browse.. and specify a file name and path to where you want this file stored.
    2. Under PKCS12 File Name:
      Click Browse.. and navigate & open your .pfx file that you exported off your Windows system.
    3. Under Import Password*
      Specify the password that you used when you exported your .pfx file off your Windows system.
    4. Click Ok.
  5. The output file should now be in the location and path you specified under Output File Name. Open this in Notepad.
  6. The top part of this file is your private key. You will literally have to copy (Ctrl+C) from -----BEGIN RSA PRIVATE KEY----- all the way to -----END RSA PRIVATE KEY----- and paste (Ctrl+V) the contents of this private key into its own Notepad file. Save this Notepad file as something unique, such as CitrixPrivatekey.key
    Make sure you have five dashes after END RSA PRIVATE KEY, no more and no less.
  7. Below the private key will be your Server Certificate.
  8. You will literally have to copy (Ctrl+C) from -----BEGIN CERTIFICATE----- all the way to -----END CERTIFICATE----- and paste (Ctrl+V) the contents of this server certificate into its own Notepad file. Save this Notepad file as something unique, such as CitrixServerCert.pem
    Make sure you have five dashes after END CERTIFICATE, no more and no less.
    Note: Although it is not necessary to install the intermediate for your server cert, the intermediate for your server certificate is located under your Server Certificate in this converted file. Just as you did in Step 3.8 above when copying and pasting your server certificate into its own unique Notepad file, you will do the same with this intermediate, naming it something like IntermediateCA.pem
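
The copy-and-paste split in Steps 3.6 to 3.8, including the five-dash check, can also be scripted instead of done in Notepad. The following Python sketch is an added example, not part of the original instructions or of any Citrix tool; its function names and sample bundle are constructed for illustration, and it assumes the file order described above (private key, then server certificate, then intermediate).

```python
import re

# Constructed sample in the layout the steps describe: private key, server
# certificate, then intermediate. Bodies are placeholder base64, not real keys.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")  # exactly five dashes
BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def split_pem(text):
    """Return [(label, pem_text)]; raise ValueError on a malformed boundary."""
    blocks, label, body = [], None, []
    for n, line in enumerate((l.strip() for l in text.splitlines()), 1):
        m = MARKER.match(line)
        if m and m.group(1) == "BEGIN" and label is None:
            label, body = m.group(2), [line]
        elif m and m.group(1) == "END" and m.group(2) == label:
            blocks.append((label, "\n".join(body + [line]) + "\n"))
            label = None
        elif label is not None and BASE64.match(line):
            body.append(line)
        elif label is not None or "BEGIN" in line or "END" in line:
            # Wrong dash count, mismatched label, or stray text inside a block.
            raise ValueError(f"line {n}: bad PEM boundary or content: {line!r}")
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks

def files_for_netscaler(text):
    """Map blocks to the file names used in the steps above (order-based)."""
    blocks = split_pem(text)
    keys = [pem for label, pem in blocks if label.endswith("PRIVATE KEY")]
    certs = [pem for label, pem in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("expected one private key and at least one certificate")
    files = {"CitrixPrivatekey.key": keys[0], "CitrixServerCert.pem": certs[0]}
    if len(certs) > 1:  # second certificate is the intermediate, per the note above
        files["IntermediateCA.pem"] = certs[1]
    return files
```

The extracted key file is not password-protected, so keep it readable only by the administrator account and delete working copies once the pair is installed.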

Step 3: Installing a certificate key pair:

  1. Expand the SSL node.
  2. Select the Certificates node.
  3. On the Certificates page, click Add.
  4. In the Install Certificate dialogue box, enter the following details:
    • Specify a Certificate-Key Pair Name of your choice (e.g. SSLCert).
    • Under Certificate File Name.
      Click Browse (Appliance) navigate to your Server Certificate CitrixServerCert.pem you created saved locally on the Citrix appliance (e.g.
    • Under Private key File Name.
       Click Browse (Appliance) navigate to the private key file CitrixPrivatekey.key you created (e.g.
    • Under Password.
      Normally you will have to enter a password but the Citrix Import PKCS12 converter tool stripped the private key of its password. Leave this space blank. 
  5. Click Install.
  6. Click Close.

Step 4: Install the Intermediate CA Certificate:

  1. On the NetScaler > Traffic Management > SSL page, under Tools, click Manage Certificates / Keys / CSRs.
  2. In the Manage Certificates / Keys / CSRs window, click Upload to locate, select, and upload the intermediateCACertificate.pem file.
  3. In the Install Certificate dialogue box, enter the following details:
    • Under Certificate-Key Pair Name.
      Specify a name of your choice (e.g. IntermediateCACertificate, as described in Step 1)
    • Under Certificate File Name
      Click Browse (Appliance) to the Intermediate CA certificate saved locally on the Citrix appliance and select the Intermediate CA certificate file (e.g. /nsconfig/ssl/IntermediateCA.pem).
  4. Click Install.
  5. On the SSL Certificates page, select the certificate key pair name (as shown in Step 3: Creating a Certificate Key Pair) to which you want to link the intermediate CA certificate. Click on your SSL Cert.
  6. Click Link.
  7. From the CA Certificate Name list, select the required intermediate CA certificate IntermediateCACertificate.
    Note: You should be able to form a link between the SSL cert and your intermediate. If you are unable to do so due to an error, double-check the formatting of the certificate in Notepad to make sure it has the required five dashes and headers, and double-check that you have the proper intermediate. A wrong intermediate will not link to your server certificate. The intermediate is only there to help the SSL cert with outdated browsers.
  8. Click OK.
  9. To verify that the SSL certificate and Intermediate CA certificate are linked successfully, you can check by selecting Cert Links… at the bottom of the Netscaler console.
  10. Click OK to link the certificates. You should see a dialog box confirming that the certificates were linked successfully.
  11. Click OK.
  12. Click Close.

Step 5: Binding the Server Certificate to its Virtual Server:

Citrix Netscaler will often bind the server certificate to the system automatically if certain conditions are met, such as the old certificate having expired. But sometimes you may have to bind it yourself. You might just want to check your system for a good connection before continuing.

If the certificate needs manual binding, perform the following.

  1. From the NetScaler console, select NetScaler > Access Gateway > Virtual Servers.
  2. From the Certificates tab, select the server certificate from the list of Available certificates. Click Add to add the certificate to the Configured list.
  3. Click OK and save the configuration. Your SSL certificate is now installed and configured for its website.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports Citrix Netscaler.

Citrix Support
For more information, see Citrix Support website.
