NetScaler 9_3
This article describes how to convert a PFX certificate to PEM format for use with NetScaler.




SSL certificates are used for SSL load balancing virtual servers and NetScaler Gateway virtual servers. PEM certificates are Base64-encoded ASCII files. They can be opened in a text editor such as Notepad, and they contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

For secure, trusted access you must install an SSL server certificate on the NetScaler Gateway server. The uploaded certificate file must have the following characteristics:

  • The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. For best results, use a commercial CA such as VeriSign, Thawte or GeoTrust.

  • The certificate must be in Privacy Enhanced Mail (PEM) format, a text-based format that is a Base64 encoding of the binary Distinguished Encoding Rules (DER) format.

  • The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file.

  • Any necessary intermediate certificates must also be appended to the end of the PEM file.


NetScaler Wizard

Complete the following procedure to convert a PFX certificate to PEM format using NetScaler Wizard:

  1. Navigate to Traffic Management and select the SSL node.

  2. Click the Import PKCS#12 link.

  3. Specify a file name you want for the PEM certificate in the Output File Name field.

  4. Click Browse and select the PFX certificate that you want to convert to PEM format. Some users prefer to upload the certificate to the /nsconfig/ssl directory and use it from there. If the PFX certificate is stored on the NetScaler, choose the Appliance option; if it is stored on your workstation, choose Local.

  5. Specify the Import Password.

  6. Click OK.


  7. If the file is encoded, select DES or 3DES as the Encoding Format.

  8. Specify the PEM Passphrase and the Verify PEM Passphrase.

  9. Click the Manage Certificates / Keys / CSRs link to view the converted PEM certificate files.

  10. You can view the uploaded PFX file with the converted PEM file.


  11. Expand the SSL node.

  12. Select the Certificates node.

  13. Click Install.

  14. Specify a Certificate-Key Pair Name in the Install Certificate wizard.

  15. Browse to the PEM file for both the Certificate File Name and Private Key File Name.

  16. Specify the Password.

  17. Click Install.


  18. Bind the certificate key pair to an SSL load balancing virtual server or NetScaler Gateway virtual server.

OpenSSL Utility

If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto the NetScaler Gateway, you must convert the PFX file to unencrypted PEM format.

You can use the open source utility OpenSSL to perform the conversion from PFX to PEM. Download a Win32 distribution of OpenSSL from Win32 OpenSSL.

You might also need C++ redistributable files if you want to use OpenSSL. Download this from Microsoft Visual C++ 2008 Redistributable Package (x86).

To convert a PFX file to a PEM file, complete the following steps on a Windows machine:

  1. Download and install the Win32 OpenSSL package from Win32 OpenSSL.

  2. Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.

  3. Open command prompt and change into the OpenSSL\bin directory:
    cd %homedrive%\OpenSSL\bin

  4. Run the following command to convert the PFX file to an unencrypted PEM file (all in one line):
    openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

  5. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.

  6. Point a browser to the NetScaler Gateway administration portal or HTTPS port 9001: https://netscaler-gateway-server:9001.

  7. Log on as root. The default password is rootadmin.

  8. Click the Maintenance link at the top of the page.

  9. Click the Browse button next to the Upload Private Key+Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.

  10. Restart NetScaler Gateway for the new SSL certificate to be applied.
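
The checker below is an added example, not part of the original article or of any Citrix tooling. It tests a converted file such as c:\certs\cag.pem against the characteristics listed at the top of this article (PEM blocks present, private key included and unencrypted, at least one certificate) before the file is uploaded. The function names and sample blocks are assumptions constructed for illustration; the samples hold placeholder bytes, not real keys or certificates.

```python
import base64
import re
import sys

# One PEM block. Text outside blocks, such as the "Bag Attributes" lines
# that openssl pkcs12 writes, is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def check_pem(text):
    """Return a list of problems; an empty list means the file passes."""
    problems, labels = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        # PKCS#8 marks encryption in the label; the traditional format
        # marks it with a Proc-Type header inside the block.
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted (%s)" % label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("%s block is not valid Base64" % label)
            continue
        if not der.startswith(b"\x30"):  # keys and certs are DER SEQUENCEs
            problems.append("%s block is not DER" % label)
    if not any(name.endswith("PRIVATE KEY") for name in labels):
        problems.append("no private key in file")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate in file")
    return problems

def sample_block(label, payload=b"\x30\x03\x02\x01\x00"):
    """Constructed placeholder block: a tiny DER SEQUENCE, not a real key."""
    b64 = base64.encodebytes(payload).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)

# Constructed samples shaped like openssl pkcs12 output.
GOOD = ("Bag Attributes\n    friendlyName: constructed\n"
        + sample_block("PRIVATE KEY") + "subject=CN = gateway.example.test\n"
        + sample_block("CERTIFICATE") + sample_block("CERTIFICATE"))  # intermediate last
ENCRYPTED = sample_block("ENCRYPTED PRIVATE KEY") + sample_block("CERTIFICATE")
LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
          "-----END RSA PRIVATE KEY-----\n" + sample_block("CERTIFICATE"))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD
    print(check_pem(text) or "OK")
```

Pass the path of the converted file as the first argument to check a real conversion. Because cag.pem holds the private key without a passphrase, restrict access to c:\certs and delete the file once the upload succeeds.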
