Export SSL Certificate from NetScaler (use on back-end server)

Export SSL Certificate from NetScaler (use on back-end server)

In instances where security is of utmost importance and you have purchased an SSL digital certificate, which if needed, supports both internal and external Domain and network connectivity (for example a Wildcard SSL certificate) you will want to configure your environment with network connectivity secured and encrypted using HTTPS/443 on both the client (front end) and server (back end) sides of the session through your NetScaler appliance.

This is shown in the first example and fictitious network diagram in the first imageĀ  below. Additional information describing the example environment are presented in details directly following the diagram.

Example Scenario and Use-Case Example:

Export SSL Certificate from NetScaler 01

Export SSL Certificate from NetScaler 01

  • SPECIAL NOTE: The above network diagram does NOT directly represent the actual configured environment depicted in the steps shown later on under this same article.
  • The Citrix NetScaler appliance acts as a secure reverse proxy appliance when placed between your clients (end-users) connecting to back-end load balanced resources (servers).
  • Connectivity occurs as follows:
    • The NetScaler appliance receives the front end connection being initiated and established by an end-user. End-user connecting to a virtual IP address of a virtual load balance server housed on the NetScaler appliance.
    • The connection reaches the load balance virtual IP (VIP), where it is then decrypted and read in clear text. The NetScaler reads the packet header to determine where the data is destined and how it should manipulate the network packets passing through.
    • Once the NetScaler understands where the traffic is destined (based on destination IP address and load balance algorithm), the NS will change the source IP address from the original client IP to it's own sub-net IP (SNIP) located (typically located on the same network as the back-end destination servers).
    • The NS appliance then re-sends the network traffic on the end-user's behalf to the appropriate back-end server from its own SNIP address placed back in encrypted formatting using HTTPS/443.
  • Network Diagram Scenario overview and notes:
    • Network connection fully secured and encrypted from end to end (front and back ends of the connection through NS appliance).
      • The only part where the traffic is in clear text is when safely being processed directly on the NS appliance, while in transit.
    • Make sure to have the mentality and understanding that there are basically two separate connections occurring when passing through a NS appliance.
      • (1) End-user to NS virtual IP assigned to LB virtual server.
      • (2) NS appliance virtual SNIP to appropriate load balanced back-end server.
    • When needing to un-encrypt and then re-encrypt network traffic when passing through the NS appliance, your SSL Certificate must be installed and located at both the NS and back-end servers.
      • (If/when the NS appliance doesn't need to read the network packet payload, you can configure SSL-Bridge connection so that your NS appliance simply passes the network traffic along and simply re-sourcing the network traffic to the back-end). In this case, an SSL certificate is only needed on your back-end servers.
      • Full SSL Offload is not supported in the type of connection (when needing traffic fully secured on both front and back ends).

Actual Environment Configuration Steps:

This example simply displays how to copy (NOT remove/move) the SSL Certificate from the NS appliance to both back-end servers.


  • Back-end servers residing at IP addresses and Connectivity from NS SNIP to Servers to occur over HTTPS/443.
    • In this example, requiring the following configuration and setup.
      • Both front and back end connectivity to be fully secured as well as un-encrypted and encrypted on the NS appliance.
      • NS appliance supporting both internal and external URL/FQDN connectivity based on details and specification of the used SSL digital certificate.


  • Configuration, Traffic Management, SSL


  • Exporting housed SSL certificate and private key to a single exported file under PKCS#12 format.
    • Tools, "Export PKCS#12"


  • Finding the needed SSL Certificate (in this case, and in most cases, a Wildcard SSL certificate).
  • Wildcard SSL certificate selected (by checking the available check box next to its listing).


  • You have the ability to view SSL certificate information containing current file format, server certificate current file name, and assigned/associated private key file.
    • (Both server certificate and private key file needed for extraction process to a new/separate PKCS formatted file).


  • PCKS File Name
    • Enter the new PKCS file name to be exported and saved as
  • Certificate File Name
    • The current name and location of the server certificate file (received from your CA).
  • Key Filename:
    • Associated RSA private key file and filename.
  • Export Password
    • Password assigned to your private key file
  • PEM Passphrase
    • ddd









































No Comments Yet.

Leave a comment