Citrix NetScaler – ‘Certificate is not a server certificate’

Advertisement

KB ID 0001191 Dtd21/05/16

Problem

While attempting to bind a certificate to a Virtual Server on my NetScaler this happened;

Netscaler Not a valid server certificate

Error
Certificate is not a server certificate

 

Solution

Before you proceed, delete the problem certificate to avoid confusion!

I had generated this certificate with Microsoft Certificate Services, and I had made a wildcard certificate like so;

Certificate Services – Create a ‘Wildcard Certificate’

Remember if you use the standard ‘Web Server’ template then this does not allow you to export the private key of a certificate, so clone your template and allow the private key to be exported, then use that cloned template to create your wildcard cert.

Exportable Private Key

Open the certificate on a Windows machine  > Install Certificate.

Certificate import to Netscaler

Select ‘Local Machine’  > Next.

Import certificate to local computer

Manually put the certificate in the ‘Personal’ container > OK > Next.

Local Computer Personal Folder

Now open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.

Note: Make sure there is a small key icon over the cert, if not create a new one or follow this article.

Export Wildcart Cert to PFX

Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).

Export Private Key

Export as PKCS 12 (PFX) > Next.

Wildcard to PFX

Set a password, (you will need this in a minute, so don’t forget it) > Next.

PFX Password

Save the exported cert with a pfx extension > Next.

PFX Certificate Location

OK

Export sucessful

Now EXPORT THE CERT AGAIN, this time you DO NOT want to export the private key. This time you want to export it as Base 64 (CER) > Follow the wizard and save it in the same location as the PFX file you exported earlier.

Export Certificate

So now you should have two exported certificates like this;

Exported Certificates

Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.

Netscaler import PKCS

Set the Output Name file to have a .key extension and call it something sensible > Browse to your PFX file > Enter the import password > set a PEM Passphrase, (set it the same as the export password for simplicity) > OK.

Netscaler import PKCS

Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.

Import Certificate Netscaler

 

Again give it a sensible name that you can identify like the FQDN, call it certificate and you will have problems down the line when you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM password > Install.

Import Certificate Netscaler

You can now assign this certificate without error.

 

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *