Step-by-Step Guide: SSL Certificate Renewal in Citrix ADC (NetScaler)

Ahmad Afif
3 min read

Overview

SSL/TLS certificates secure communication between clients and servers: the certificate lets the client authenticate the server, and the handshake it anchors produces the keys that encrypt the session. Every certificate carries a fixed validity period. Publicly trusted certificates are currently capped at 398 days (and the CA/Browser Forum has scheduled further reductions), so renewal is at least a yearly task; certificates from a private CA often run one to two years.

An expired certificate means a service disruption: browsers show full-page warnings, API clients and Citrix Workspace apps refuse to connect, and users lose trust in the service. Track the expiry date, renew well before it, and keep the old certificate-key pair installed until the new one has been verified so there is something to roll back to.

Generate a New CSR (If Required)

Generate a fresh private key for each renewal rather than reusing the old one. The key never leaves the appliance; only the CSR is sent to the CA.

  1. Log in to the Citrix ADC GUI.

  2. Navigate to Traffic Management > SSL > SSL Files.

  3. Click Create RSA Key:

    • Key Filename: mydomain.key

    • Key Size: 2048 (the recommended minimum)

    • Key Format: PEM. Optionally choose a PEM encoding algorithm and passphrase to encrypt the key at rest; if you do, you will need that passphrase when you install the certificate-key pair.

  4. Click Create.

  5. Generate a CSR:

    • Go to SSL > SSL Files > Create CSR.

    • Select the RSA key file you just created.

    • Fill in the required details (Common Name, Organization, Country, etc.). The Common Name must be the FQDN clients connect to; if your build offers a Subject Alternative Name field, list every hostname there as well, because browsers match on the SAN list and ignore the Common Name.

    • Click Create.

    • Download the CSR file and submit it to the CA.

Locate the Expiring Certificate

  1. Log in to the Citrix ADC GUI.

  2. Go to Traffic Management > SSL > Server Certificates.

  3. Locate the expiring certificate. The list shows each pair's status and days to expiration; check for anything else close to its date, not only the certificate you were told about.

  4. Hover over the certificate, click the "3 dots" menu, and select "Show Bindings".

  5. Record the certificate bindings: take a screenshot or note down every bound virtual server (load balancing, content switching and Citrix Gateway). This list is what you rebind later; miss one and that service keeps serving the old certificate until it expires.

  6. To inspect the new public certificate on a Windows workstation before uploading it, copy the PEM file and give the copy a .cer extension (for example 25-26-PublicCert.pem to 25-26-PublicCert.cer). Windows then opens it in the certificate viewer, where you can confirm the subject, SANs, issuer and validity dates.
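The same inventory can be taken from the CLI instead of clicking through the GUI. The script below is an added example, not code from the original post: it parses the output of show ssl certKey and show ssl vserver (the two text blocks are constructed to resemble that output; labels can differ slightly between releases, so check the regexes against your appliance) and produces the "record certificate bindings" step as data. All names and dates in it are made up.

```python
"""Inventory expiring cert-key pairs and their bindings from NetScaler CLI text.

Added example, not from the original post. SHOW_SSL_CERTKEY and SHOW_SSL_VSERVER
are constructed samples resembling 'show ssl certKey' / 'show ssl vserver <name>'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHOW_SSL_CERTKEY = """\
1)      Name: ns-server-certificate
        Cert Path: ns-server.cert
        Key Path: ns-server.key
        Status: Valid,   Days to expiration:3644
        Subject:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default

2)      Name: 24-25-PublicCert
        Cert Path: 24-25-PublicCert.pem
        Key Path: mydomain-2024.key
        Status: Valid,   Days to expiration:12
        Subject:  CN=gateway.example.com,O=Example Ltd,C=GB
        Validity
                Not Before: May  1 00:00:00 2024 GMT
                Not After : May 15 23:59:59 2025 GMT
        Certificate Domain Name(s): gateway.example.com,www.example.com

3)      Name: 25-26-PublicCert
        Cert Path: 25-26-PublicCert.pem
        Key Path: mydomain.key
        Status: Valid,   Days to expiration:377
        Subject:  CN=gateway.example.com,O=Example Ltd,C=GB
        Certificate Domain Name(s): gateway.example.com,www.example.com
 Done
"""

# One 'show ssl vserver <name>' output per SSL vserver (LB, CS and Gateway alike).
SHOW_SSL_VSERVER = {
    "lb_vs_web": """\
        Advanced SSL configuration for VServer lb_vs_web:
        SNI: ENABLED
1)      CertKey Name: 24-25-PublicCert      Server Certificate
2)      CertKey Name: Intermediate-CA       CA Certificate   OCSPCheck: Optional  CA_Name Sent
 Done
""",
    "cg_vs_gateway": """\
        Advanced SSL configuration for VServer cg_vs_gateway:
1)      CertKey Name: 24-25-PublicCert      Server Certificate
 Done
""",
    "lb_vs_intranet": """\
        Advanced SSL configuration for VServer lb_vs_intranet:
1)      CertKey Name: ns-server-certificate Server Certificate
 Done
""",
}

ENTRY_RE = re.compile(r"^\s*\d+\)\s+Name:\s*(\S+)", re.M)
BINDING_RE = re.compile(r"CertKey Name:\s*(\S+)\s+(Server Certificate|CA Certificate)")


@dataclass
class CertKey:
    name: str
    cert_path: str = ""
    key_path: str = ""
    status: str = ""
    days_left: Optional[int] = None  # None when the CLI prints no count (e.g. already expired)
    cn: str = ""
    domains: List[str] = field(default_factory=list)


def grab(pattern: str, block: str) -> str:
    m = re.search(pattern, block, re.M)
    return m.group(1).strip() if m else ""


def parse_certkeys(text: str) -> Dict[str, CertKey]:
    """Split the listing at each 'N) Name:' header and pull the fields we act on."""
    starts = list(ENTRY_RE.finditer(text))
    result: Dict[str, CertKey] = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.start():end]
        days = grab(r"Days to expiration:\s*(\d+)", block)
        domains = grab(r"Certificate Domain Name\(s\):\s*([^\n]+)", block)
        result[m.group(1)] = CertKey(
            name=m.group(1),
            cert_path=grab(r"^\s*Cert Path:\s*(\S+)", block),
            key_path=grab(r"^\s*Key Path:\s*(\S+)", block),
            status=grab(r"^\s*Status:\s*([^,\n]+)", block),
            days_left=int(days) if days else None,
            cn=grab(r"^\s*Subject:.*?CN=([^,\n]+)", block),
            domains=[d.strip() for d in domains.split(",") if d.strip()],
        )
    return result


def expiring(certkeys: Dict[str, CertKey], within_days: int = 30) -> List[CertKey]:
    """Pairs to renew: inside the window, or with no readable expiry (treated as most urgent)."""
    hits = [c for c in certkeys.values() if c.days_left is None or c.days_left <= within_days]
    return sorted(hits, key=lambda c: -1 if c.days_left is None else c.days_left)


def parse_bindings(vserver_outputs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map certkey name -> [(vserver, 'Server Certificate' | 'CA Certificate'), ...]."""
    bound: Dict[str, List[Tuple[str, str]]] = {}
    for vs, text in vserver_outputs.items():
        for m in BINDING_RE.finditer(text):
            bound.setdefault(m.group(1), []).append((vs, m.group(2)))
    return bound


def renewal_record(certkeys, bindings, within_days: int = 30) -> List[dict]:
    """The 'record certificate bindings' step as data: one entry per pair that needs renewing."""
    records = []
    for ck in expiring(certkeys, within_days):
        where = bindings.get(ck.name, [])
        records.append({
            "certkey": ck.name, "days_left": ck.days_left, "cn": ck.cn, "domains": ck.domains,
            "server_bindings": [vs for vs, kind in where if kind == "Server Certificate"],
            "ca_bindings": [vs for vs, kind in where if kind == "CA Certificate"],
        })
    return records
```

Run it against real output captured with show ssl certKey and show ssl vserver for each vserver; the renewal_record list is the checklist for the rebinding steps below, and anything with no server_bindings is a pair you can probably retire rather than renew.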

Upload Certificate to NetScaler

  1. Navigate to Traffic Management > SSL > Certificates > All Certificates.

  2. Click Install.

  3. Enter the details:

    • Certificate-Key Pair Name: a name that identifies the certificate and its validity period (for example 25-26-PublicCert), so the old and new pairs are easy to tell apart.

    • Certificate File Name: the certificate returned by the CA (.crt, .cer or .pem, PEM-encoded). Upload it from your workstation or pick a file already in /nsconfig/ssl on the appliance.

    • Key File Name: the private key the CSR was generated from (mydomain.key from the step above). If the key was encrypted with a passphrase, enter it here.

    • Certificate Format: PEM

  Citrix ADC works natively with PEM files:

    • Certificate (.crt or .pem)

    • Private Key (.key)

    • Intermediate CA certificates (if applicable)

  The chain is not sent just because the CA's bundle pastes the intermediates after the server certificate: unless you enable the certificate bundle option on install (-bundle on the CLI), only the first certificate in the file is used. The reliable way is to install each intermediate as its own CA certificate (Traffic Management > SSL > Certificates > CA Certificates) and link the server certificate to it (the Link action, or link ssl certKey on the CLI); otherwise clients that do not already have the intermediate cached fail chain validation even though the appliance reports the pair as valid.

  Installing the new pair does not touch the old one, so nothing changes for clients until you rebind. If instead you only want to swap the files behind the existing pair, update ssl certKey on the CLI replaces the certificate and key in place and keeps every binding; that avoids the unbind/bind gap described below but leaves no old pair to roll back to, which is why this guide installs a new pair.

Bind the Certificate to Virtual Servers

  1. Go to Traffic Management > Load Balancing > Virtual Servers (repeat under Content Switching > Virtual Servers if the certificate is bound there as well).

  2. Identify each virtual server using the expiring certificate, from the bindings you recorded.

  3. Hover over it, click "3 dots", select "Edit".

  4. Click "1 Server Certificate" under Certificates to open the Certificate Bindings.

  5. Unbind the old certificate:

    • Hover over the old certificate, click "3 dots" → Select Unbind.

  6. Bind the new certificate: click Add Binding.

  7. Select the newly installed certificate-key pair and click Bind.

  8. Click OK > Done, then save the running configuration. Between the unbind and the bind the virtual server has no server certificate and TLS handshakes fail, so finish each virtual server in one go and do busy ones inside a maintenance window.

Update Citrix Gateway Virtual Servers

  1. Navigate to Configuration > Citrix Gateway > Citrix Gateway Virtual Servers.

  2. Locate each Gateway virtual server using the old certificate.

  3. Click Edit, then open the Certificates section and the Server Certificate binding.

  4. Unbind the old certificate-key pair and bind the new one, exactly as for the load balancing virtual servers, then click Done and save the configuration.
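The upload, install, link and rebind steps above are the same sequence on the NITRO REST API, which is how the renewal is usually scripted once it has been done by hand a few times. The following is an added example, not code from the original post: it builds the ordered list of NITRO calls (so the plan can be reviewed or dry-run before anything touches the appliance) and then executes them. The resource names and fields (systemfile, sslcertkey, sslvserver_sslcertkey_binding, nsconfig) follow the NITRO v1 configuration API; confirm them against the NITRO reference for your release. The appliance address, credentials and object names are assumptions, and the unbind-before-bind order has the same brief handshake gap as the GUI procedure.

```python
"""Renew a NetScaler cert-key pair through the NITRO REST API.

Added example, not from the original post. Resource names follow the NITRO v1
configuration API; verify against the reference for your release.
"""
import base64
import json
import ssl
import urllib.request
from typing import List, Optional, Tuple

SSL_DIR = "/nsconfig/ssl/"
Call = Tuple[str, str, Optional[dict]]  # (HTTP method, resource path, JSON body or None)


def upload_call(remote_name: str, content: bytes) -> Call:
    """systemfile upload: the file body travels base64-encoded into /nsconfig/ssl/."""
    return ("POST", "systemfile", {"systemfile": {
        "filename": remote_name, "filelocation": SSL_DIR,
        "filecontent": base64.b64encode(content).decode("ascii"), "fileencoding": "BASE64"}})


def decode_upload(call: Call) -> bytes:
    """Inverse of upload_call, for reviewing a plan before running it."""
    return base64.b64decode(call[2]["systemfile"]["filecontent"])


def renewal_calls(new_name: str, cert_file: str, key_file: str, cert_bytes: bytes, key_bytes: bytes,
                  old_name: str, vservers: List[str], intermediate_name: Optional[str] = None,
                  key_passphrase: Optional[str] = None) -> List[Call]:
    """Same order as the GUI steps: upload files, add the pair, link, rebind each vserver, save."""
    certkey = {"certkey": new_name, "cert": cert_file, "key": key_file, "inform": "PEM"}
    if key_passphrase:  # only if the RSA key was created with a PEM passphrase
        certkey["passplain"] = key_passphrase
    calls: List[Call] = [
        upload_call(cert_file, cert_bytes),
        upload_call(key_file, key_bytes),
        ("POST", "sslcertkey", {"sslcertkey": certkey}),
    ]
    if intermediate_name:  # chain: server cert -> intermediate CA pair that is already installed
        calls.append(("POST", "sslcertkey?action=link",
                      {"sslcertkey": {"certkey": new_name, "linkcertkeyname": intermediate_name}}))
    for vs in vservers:  # unbind first: a vserver holds one default (non-SNI) server certificate
        calls.append(("DELETE", f"sslvserver_sslcertkey_binding/{vs}?args=certkeyname:{old_name}", None))
        calls.append(("PUT", "sslvserver_sslcertkey_binding",
                      {"sslvserver_sslcertkey_binding": {"vservername": vs, "certkeyname": new_name}}))
    calls.append(("POST", "nsconfig?action=save", {"nsconfig": {}}))
    return calls


def execute(nsip: str, user: str, password: str, calls: List[Call], verify_tls: bool = True) -> list:
    """Run the calls in order and stop at the first failure so the remaining plan can be inspected."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab appliance still on its self-signed management certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    results = []
    for method, resource, body in calls:
        req = urllib.request.Request(
            f"https://{nsip}/nitro/v1/config/{resource}", method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-NITRO-USER": user, "X-NITRO-PASS": password,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:  # 4xx raises HTTPError
            payload = resp.read()
            if json.loads(payload or b"{}").get("errorcode", 0) != 0:
                raise RuntimeError(f"{method} {resource}: {payload.decode()}")
            results.append((method, resource, resp.status))
    return results


if __name__ == "__main__":
    # Dry run: print the plan instead of sending it. Files and names are assumed.
    plan = renewal_calls("25-26-PublicCert", "25-26-PublicCert.pem", "mydomain.key",
                         b"<cert pem bytes>", b"<key pem bytes>", "24-25-PublicCert",
                         ["lb_vs_web", "cg_vs_gateway"], intermediate_name="Intermediate-CA")
    for method, resource, body in plan:
        print(method, resource, json.dumps(body) if body else "")
```

Read the certificate and key files with open(path, "rb").read() to get the bytes for renewal_calls, and run execute against the NSIP of the primary node only; the HA file sync at the end of this guide carries the files to the secondary.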

Validate and Verify Certificate Renewal

On the CLI, check the installed pair:

show ssl certKey [Certificate key-pair name]

Confirm that the Days to expiration value and the Not After date match the certificate the CA issued, and that the Subject and Certificate Domain Name(s) are the hostnames clients use. Then run show ssl vserver [virtual server name] for every virtual server on your bindings list and confirm the new pair appears as the Server Certificate and the old one no longer does. Finally run save ns config: the GUI edits live in the running configuration and are lost on reboot until saved.

Test SSL Connectivity

  1. Open a web browser.

  2. Navigate to the website, click the lock icon, and view the certificate details. The validity dates and serial number should be those of the new certificate, and the chain should end at a trusted root.

From a workstation, the same check without browser caching:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Keep -servername so the virtual server picks the right SNI certificate when several share an IP. In the output, check the subject and issuer in the certificate chain, that the intermediate is being sent (a depth=1 line), and "Verify return code: 0 (ok)"; a non-zero return code after a renewal usually means the intermediate CA certificate was not linked.
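The checks a practitioner runs around the Install step (does the new certificate belong to the key, does it cover the hostname, does it have enough validity) and after rebinding (is it what the virtual server now serves) can be put in one script. The following is an added example, not code from the original post. X.509 parsing is delegated to the openssl CLI, since the Python standard library has no certificate parser, and the served-certificate check uses the ssl module; make_sample_cert() builds a throwaway self-signed certificate so everything can be exercised offline. Host and file names are assumptions.

```python
"""Pre-install and post-rebind checks for a renewed certificate.

Added example, not from the original post. Uses the openssl CLI for parsing
and the ssl module to fetch what a vserver serves. Names are assumptions.
"""
import hashlib
import re
import shutil
import ssl
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

OPENSSL = shutil.which("openssl")
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def run_openssl(*args: str) -> str:
    """stdout of one openssl invocation; a non-zero exit raises CalledProcessError."""
    return subprocess.run([OPENSSL, *args], capture_output=True, text=True, check=True).stdout


def leaf_cert(pem_path: str) -> str:
    """First certificate block in the file (a CA bundle lists the leaf first)."""
    m = PEM_CERT_RE.search(Path(pem_path).read_text())
    if not m:
        raise ValueError(f"no PEM certificate in {pem_path}")
    return m.group(0) + "\n"


def fingerprint_sha256(pem_text: str) -> str:
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def key_matches(cert_path: str, key_path: str) -> bool:
    """The public key inside the certificate must equal the one derived from the private key."""
    from_cert = run_openssl("x509", "-noout", "-pubkey", "-in", cert_path)
    from_key = run_openssl("pkey", "-pubout", "-in", key_path)
    return from_cert.strip() == from_key.strip()


def days_left(cert_path: str) -> int:
    end = run_openssl("x509", "-noout", "-enddate", "-in", cert_path).split("=", 1)[1].strip()
    not_after = datetime.strptime(end, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (not_after - datetime.now(timezone.utc)).days


def san_names(cert_path: str) -> list:
    """DNS/IP entries of the Subject Alternative Name extension, in certificate order."""
    text = run_openssl("x509", "-noout", "-text", "-in", cert_path)
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    return [entry.split(":", 1)[1] for entry in m.group(1).split(", ")] if m else []


def covers_hostname(cert_path: str, hostname: str) -> bool:
    """Browsers ignore the CN, so match on SANs; a wildcard covers exactly one label."""
    host = hostname.lower()
    for name in (n.lower() for n in san_names(cert_path)):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def preflight(cert_path: str, key_path: str, hostname: str, min_days: int = 30) -> dict:
    """Everything to confirm before clicking Install on the appliance."""
    remaining = days_left(cert_path)
    return {
        "key_matches": key_matches(cert_path, key_path),
        "days_left": remaining,
        "enough_validity": remaining >= min_days,
        "covers_hostname": covers_hostname(cert_path, hostname),
        "fingerprint": fingerprint_sha256(leaf_cert(cert_path)),
    }


def served_matches(hostname: str, cert_path: str, port: int = 443) -> bool:
    """After rebinding: fetch the leaf the vserver presents for this SNI name and compare."""
    served = ssl.get_server_certificate((hostname, port))
    return fingerprint_sha256(served) == fingerprint_sha256(leaf_cert(cert_path))


def make_sample_cert(workdir: str = None) -> dict:
    """Constructed fixture: a one-year self-signed cert, its key, and an unrelated key."""
    d = Path(workdir or tempfile.mkdtemp())
    run_openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
                "-subj", "/CN=gateway.example.com/O=Example Ltd",
                "-addext", "subjectAltName=DNS:gateway.example.com,DNS:*.example.com",
                "-keyout", str(d / "key.pem"), "-out", str(d / "cert.pem"))
    run_openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
                "-out", str(d / "other.key"))
    return {"cert": str(d / "cert.pem"), "key": str(d / "key.pem"), "other_key": str(d / "other.key")}
```

Call preflight(cert, key, "yourdomain.com") on the files you are about to upload; a False key_matches means the certificate was issued for a different CSR and the appliance will reject the pair on install. After rebinding, served_matches("yourdomain.com", cert) is the scripted version of the browser and s_client checks above: it fetches the leaf with SNI and compares SHA-256 fingerprints, so it also catches a vserver that was left on the old certificate.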

Sync to Secondary ADC [force sync]

The GUI edits and the save apply to the node you were logged in to, normally the primary. The certificate and key files in /nsconfig/ssl are not carried by the configuration sync, so they have to be copied with the file sync; otherwise the secondary fails to load the new cert-key pair after a failover. Run the following on the primary after saving the configuration:

show ha node

sync ha files ssl

force ha sync

show ha node

The second show ha node should report the Sync State as SUCCESS. Then run show ssl certKey [Certificate key-pair name] on the secondary to confirm the pair exists there with the same expiry date.


Written by

Ahmad Afif