Unable to add/install an SSL certificate-key Pair to the CloudBridge: “Error detecting a valid private key file format”
Article ID: CTX202170
Description
When configuring an SSL Profile, the backend server’s SSL certificate/key pair must be uploaded. The following error message is displayed when trying to upload the private key file, regardless of the extension (i.e. *.key or *.txt):
Please correct any problems and resubmit your request
Execution error

Resolution
- If we open the certificate with a text editor, we can see that it is in PEM format:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
- If we open the private key, it is definitely not in PEM format.
The private key was generated on a NetScaler with a FIPS module. Regrettably, a FIPS key cannot be converted to an external key (PEM format) if the private FIPS key was created on the NetScaler itself.
If the FIPS key was created/imported from an external device, then the “original PEM key” and certificate can be installed on the CloudBridge.
The workaround is to create an RSA key on the NetScaler outside of the FIPS card (in the /nsconfig/ssl directory, as on a non-FIPS unit) or on an external device. Then import it into the FIPS card as a FIPS key using the "import fipskey" command, and build a new request/certificate from that key. The external key, which will be in clear text (.PEM format), can then be provided and installed on the CloudBridge.
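A pre-upload check for the situation described above, as an added example that is not part of the original article or of any Citrix tooling: it classifies a key file by its content rather than its extension, separating a clear-text PEM key from an encrypted PEM key or a non-PEM blob. The function names and sample files are constructed for illustration; that the appliance needs an unencrypted PEM key is taken from the article's statement that the external key is provided in clear text.

```python
import base64
import re

# PEM armor: BEGIN/END lines sharing a label, optional headers, base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# Labels used for private keys stored in clear text (PKCS#1, PKCS#8, SEC1).
CLEAR_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def classify_key_file(data: bytes) -> str:
    """Return pem-clear-key, pem-encrypted-key, pem-other:<label>, pem-corrupt or not-pem."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "not-pem"  # binary content, whatever the file extension says
    match = PEM_RE.search(text)
    if match is None:
        return "not-pem"
    label, body = match.group(1), match.group(2)
    # Legacy OpenSSL encryption keeps the key label but adds a Proc-Type header.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "pem-encrypted-key"
    if label not in CLEAR_KEY_LABELS:
        return "pem-other:" + label
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return "pem-corrupt"
    # Every clear-text private key structure is a DER SEQUENCE (tag 0x30).
    return "pem-clear-key" if der[:1] == b"\x30" else "pem-corrupt"


def constructed_pem(label: str, der: bytes, headers: str = "") -> bytes:
    """Build a constructed sample file; the payload is filler, not a real key."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n".encode()


if __name__ == "__main__":
    filler = b"\x30\x82\x01\x00" + bytes(60)  # constructed DER-like bytes
    samples = {
        "clear.key": constructed_pem("PRIVATE KEY", filler),
        "legacy-enc.key": constructed_pem(
            "RSA PRIVATE KEY", filler, "Proc-Type: 4,ENCRYPTED\n\n"),
        "opaque.key": bytes([0x9F, 0x00, 0xFF, 0x10]),  # constructed binary blob
    }
    for name, blob in samples.items():
        print(name, "->", classify_key_file(blob))
```

Only a file that classifies as `pem-clear-key` matches the clear-text PEM key the resolution describes; the check inspects the armor and outer DER tag only and does not validate the key material itself.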
Problem Cause
1. We confirmed with Cavium that the NetScaler FIPS card always exports the private key in encrypted format.
2. CloudBridge appliances don't support a FIPS module/card.