How to Convert PFX Certificate to PEM Format for Use with Citrix Access Gateway

  • CTX106028
  • Created on Nov 24, 2014
  • Updated on Nov 24, 2014
Article Topic: Configuration


For secure, trusted access you must install an SSL server certificate on the Access Gateway server. The uploaded certificate file must have the following characteristics:

  • The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. For best results, use a commercial CA such as VeriSign, Thawte or GeoTrust.
  • The certificate must be in Privacy Enhanced Mail (PEM) format, a text-based format that is a Base64 encoding of the binary Distinguished Encoding Rules (DER) format.
  • The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file.
  • Any necessary intermediate certificates must also be appended to the end of the PEM file.


    If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto the Access Gateway, you must convert the PFX file to the unencrypted PEM format.

    You can use the open-source utility OpenSSL to perform the conversion from PFX to PEM. Download a Win32 distribution of OpenSSL from Win32 OpenSSL.

    You might also need C++ re-distributable files if you want to use OpenSSL. Download from Microsoft Visual C++ 2008 Redistributable Package (x86).

    To convert a PFX file to a PEM file, complete the following steps on a Windows machine:

    1. Download and install the Win32 OpenSSL (Win32 OpenSSL v0.9.8i) package from Win32 OpenSSL.

    2. Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.

    3. Open a command prompt and change into the OpenSSL\bin directory: 
      cd %homedrive%\OpenSSL\bin

    4. Run the following command to convert the PFX file to an unencrypted PEM file (all on one line):
      openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

    5. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.

    6. Point a browser to the Access Gateway administration portal or HTTPS port 9001: https://access-gateway-server:9001.

    7. Log on as root. The default password is rootadmin.

    8. Click the Maintenance link at the top of the page.

    9. Click the Browse button next to the Upload Private Key+Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.

    10. Restart the Access Gateway for the new SSL certificate to be applied.
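
    Before uploading in step 9, the converted file can be checked against the requirements listed at the top of this article. The following Python sketch is an added example, not part of the original Citrix article; the function name check_gateway_pem and the sample data are assumptions constructed for illustration.

```python
import base64
import re

# One PEM block: the label is captured, the body runs to the matching END line.
# Text outside blocks (openssl pkcs12 writes "Bag Attributes" lines there) is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def check_gateway_pem(text):
    """Return (certificate_count, problems) for the text of a PEM file.

    An empty problem list means the layout matches the article's requirements:
    an unencrypted private key plus at least one certificate.
    """
    problems, key_count, cert_count = [], 0, 0
    for label, body in PEM_BLOCK.findall(text):
        legacy_encrypted = "Proc-Type: 4,ENCRYPTED" in body
        if label.endswith("PRIVATE KEY"):
            key_count += 1
            # PKCS#8 encrypted keys have their own label; traditional encrypted
            # keys keep the plain label but carry a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or legacy_encrypted:
                problems.append("private key is encrypted (was -nodes omitted?)")
        elif label == "CERTIFICATE":
            cert_count += 1
        if not legacy_encrypted:
            try:  # catches truncated or hand-edited blocks
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"{label} block is not valid Base64")
    if key_count == 0:
        problems.append("no private key block")
    if cert_count == 0:
        problems.append("no certificate block")
    return cert_count, problems

def make_block(label, headers=""):
    """Build a constructed PEM block; the body is placeholder bytes, not key material."""
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed samples: key + server certificate + one intermediate, and a file
# converted without -nodes.
SAMPLE_OK = ("Bag Attributes\n    friendlyName: constructed\n" + make_block("PRIVATE KEY")
             + make_block("CERTIFICATE") + make_block("CERTIFICATE"))
SAMPLE_ENCRYPTED = make_block("ENCRYPTED PRIVATE KEY") + make_block("CERTIFICATE")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, check_gateway_pem(sample))
```

    To check the real file, pass the contents of c:\certs\cag.pem to check_gateway_pem; a certificate count of 1 means no intermediate certificates were included. Because cag.pem holds the private key unencrypted, remove it from c:\certs once the upload has succeeded.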
