This article describes the procedure to create and use the Citrix NetScaler client certificates.
The NetScaler software includes an SSL tools suite that enables you to generate private keys, certificate requests, and certificates. In addition, you can use this suite to create Certificate Authorities, or use the pre-installed NetScaler Root Authority, and to create server certificates and client certificates. By default, the certificate and key files are stored in the /nsconfig/ssl directory.
The FreeBSD environment of the appliance also includes a version of OpenSSL for advanced certificate and key administration.
Warning! The use of private certificates can cause third-party software and operating systems with built-in certificate stores to fail instead of operating as expected, as they would with known trusted root certificate authorities.
The Internet Explorer Web Interface must do a callback over SSL to the Access Gateway Enterprise Edition VPN virtual servers in Smart Access Mode. If the NetScaler root CA is not installed in the system account's trusted root CA store, the callback fails.
To create and use the Citrix NetScaler client certificates, complete the following procedures:
Expand the SSL node and select Certificates.
Click Add. The Install Certificate dialog box is displayed.
From File Location, select the Remote System option.
For the Certificate Filename field, click Browse and select the appropriate certificate file name. For example, ns-root-cert.
For the Key Filename field, click Browse and select the appropriate key file name. For example, ns-root-key.
Accept the default options for the other fields, as shown in the following screen shot, and click Install.
Expand the Load Balancing, SSL Offload, or SSL VPN node to display the virtual server to which you want to bind the certificate-key pair.
Click Virtual Servers.
Open the virtual server to which you want to bind the certificate-key pair.
Activate the Certificates tab, as displayed in the following screen shot:
From the available list, select the certificate-key pair you have installed. For example, NS-ROOT-CA.
Click Add as CA.
In the Other Settings group, click SSL Parameters. The Configure SSL Params dialog box appears.
In the Others group of the Configure SSL Params dialog box, select Client Authentication.
From the Client Certificate list, select Mandatory, as shown in the following screen shot:
Click OK.
Expand the SSL node.
Click CA Tools.
Click the Create RSA Key link. The Create RSA Key dialog box is displayed, as shown in the following screen shot. Specify the appropriate values for the various fields.
Note: The screen shot displays the sample values for your reference.
Click Create.
Click the Create Certificate Request link. The Create Certificate Request dialog box is displayed. Specify appropriate values for the various fields. The screen shot displays the sample values for your reference. Ensure that you select the PEM key format. This enables you to export the certificate request to a PKCS12 file.
Click Create > Close.
Click the Create Certificate link. The Create Certificate dialog box is displayed. Specify the appropriate values for the various fields. The screen shot displays the sample values for your reference. Ensure that you select the appropriate files you have created in the preceding steps.
Click Create > Close.
From the Tools section, click the Export PKCS#12 link. The Export PKCS12 dialog box appears.
In the Pkcs File Name field, type the name for the file you want to create in the /nsconfig/ssl directory.
In the Certificate File Name and Key File Name fields, click Browse to locate and select the certificate and RSA key files, respectively.
Click OK > Close.
Verify that the file you have created is available on the local computer.
From the Start menu of Microsoft Windows on the local computer, start the Microsoft Management Console.
From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
Click Add and select the Certificates snap-in.
The Certificates snap-in wizard asks which account the snap-in manages certificates for. Ensure that you select the current user.
When the snap-in starts, right-click Personal.
From the All Actions menu, select Import.
In the Certificate Import Wizard, click Next.
Click Browse to locate and select the appropriate .pfx file and click Next.
In the Password section, type the password you used to create the .pfx file and click Next.
In the Certificate Store section, ensure that Personal is selected in the Certificate store field.
Verify that the client certificate has been added to the MMC Certificates snap-in under the Personal store.
When the user accesses the VIP of the SSL virtual server by using the Internet Explorer browser, the Choose a digital certificate dialog box is displayed. The dialog box lists the certificate you have created.
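The key, request, certificate and PKCS#12 export steps above can also be carried out with the OpenSSL command line that the appliance's FreeBSD environment provides. The following is an added example, not Citrix's own procedure or code: the function and file names are assumptions, and a constructed throwaway CA stands in for the NetScaler root CA pair so that the flow runs offline.

```shell
# Constructed example: a throwaway stand-in CA replaces the appliance's root
# CA pair. All file names here are assumptions.

# make_client_pfx DIR USER: key -> request -> certificate -> PKCS#12.
# The export password is read from the exported variable PFX_PASS, so it is
# not passed on the command line.
make_client_pfx() (
    umask 077                      # key files readable by the owner only
    cd "$1" || exit 1
    user=$2
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Stand-in Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Stand-in for the root CA certificate-key pair bound to the virtual server.
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -days 30 \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # "Create RSA Key"
    openssl genrsa -out "$user.key" 2048 2>/dev/null || exit 1
    # "Create Certificate Request" (PEM)
    openssl req -new -config pki.cnf -key "$user.key" -subj "/CN=$user" \
        -out "$user.csr" || exit 1
    # "Create Certificate": sign the request, restricted to client auth.
    openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -extfile pki.cnf -extensions client_ext \
        -out "$user.crt" 2>/dev/null || exit 1
    # "Export PKCS#12": bundle certificate and key for the Windows import.
    openssl pkcs12 -export -in "$user.crt" -inkey "$user.key" -name "$user" \
        -passout env:PFX_PASS -out "$user.pfx"
)

# check_client_pfx DIR USER: succeeds only if the certificate chains to the
# CA for TLS client use and the .pfx opens with the password in PFX_PASS.
check_client_pfx() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" \
        >/dev/null 2>&1 &&
    openssl pkcs12 -in "$1/$2.pfx" -passin env:PFX_PASS -noout 2>/dev/null
}
```

Running check_client_pfx before copying the .pfx file to the client catches a certificate signed by the wrong CA or a mistyped export password, both of which otherwise only show up as a failed handshake once Client Certificate is set to Mandatory.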