Error Could not import the certificate when uploading external SSL certificate to Citrix Endpoint Management console

Article ID: CTX297153

Description

The SSL Listener certificate might fail to import on upload, with the error "Could not import the certificate".
 

Environment

Citrix Endpoint Management version 21.1.1.3

Resolution

To repackage the certificate keystore, rebuild it from the contents of the old keystore:

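1. Extract the private key from the old keystore to private-key.pem
        openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

        Note: -nodes writes the private key to private-key.pem unencrypted. Restrict access to the file and delete it once the new keystore has been exported.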
 
2. Extract the certificate to certificate.pem
        openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

 
3. Open certificate.pem in a text editor
        Copy the first certificate, from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", to a file called ssl_cert.pem
        Copy the next 2 or more certificates, each from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", to a file called ssl_intermediateandroot.pem


4. Verify the SSL certificate.
        openssl x509 -text -noout -in ssl_cert.pem


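5. Verify the certificate chain.
        openssl x509 -text -noout -in ssl_intermediateandroot.pem

        Note: openssl x509 reads only the first certificate in a file, so this command shows the details of the first certificate in ssl_intermediateandroot.pem only.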

6. Export the combined pfx file
        openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step prompts for an export password, which protects the new .pfx file.

7. Upload the output file (ssl_cert_with_full_chain.pfx) to the CEM server.
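
The manual copy in step 3 and the checks in steps 4 and 5 can be scripted. The following is an added example, not part of the Citrix article: the function names are hypothetical, the sample bundle is constructed, and it assumes (as step 3 does) that the first certificate in certificate.pem is the SSL certificate.

```shell
# Added example, not from the Citrix article; function names are hypothetical.
# split_chain BUNDLE LEAF CHAIN: automates step 3. The first PEM certificate
# goes to LEAF, later ones to CHAIN; "Bag Attributes", subject= and issuer=
# lines are dropped. Prints the number of certificates found.
split_chain() {
    : > "$2"; : > "$3"
    awk -v leaf="$2" -v chain="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { if (n == 1) print > leaf; else print > chain }
        /^-----END CERTIFICATE-----/   { inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# key_matches_cert KEY CERT: succeeds only if both hold the same public key.
# Run before step 6 to confirm ssl_cert.pem is the leaf for private-key.pem.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# list_chain FILE: subject and issuer of every certificate in FILE
# (openssl x509 reads only the first certificate in a file).
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# write_sample_bundle PATH: constructed stand-in for certificate.pem.
# Bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
subject=CN = mdm.example.test
issuer=CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

With real files, run split_chain certificate.pem ssl_cert.pem ssl_intermediateandroot.pem, then key_matches_cert private-key.pem ssl_cert.pem and list_chain ssl_intermediateandroot.pem before step 6.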
 

Problem Cause

The certificate keystore is improperly packaged.

Issue/Introduction

After being migrated to a cloud environment, importing the SSL Listener certificate might fail. The certificate keystore must be repackaged.