
Netscaler Ver 12.1 - Cannot Import SSL PFX Error No certificates present in the certificate bundle file (RapidSSL, DigiCert & Entrust)

TXTOM | Enthusiast | 65 | Members | 256 posts

Ran into a problem with two different customers on the same day trying to deploy a new Netscaler VPX with firmware version 12.1 and not being able to import SSL certs while using the XenApp and XenDesktop Setup wizard.

 

Error:

Cannot Import SSL PFX Error No certificates present in the certificate bundle file.

 

SSL Certificate Authorities tested:

RapidSSL, DigiCert & Entrust

 

These are the same SSL certs that we were previously able to use with Netscaler VPX version 11.1 and Netscaler VPX version 12.0.  In fact, they are the EXACT files that had been used previously.

If we cheat and use Import PKCS#12 under Configuration, Traffic Management, SSL, the SSL cert will import, but when we get around to the XenApp and XenDesktop Setup wizard it says "Certificate is not a server certificate".

 

These are all Full SHA 256 SSL certs.  PFX files are exported using Windows 2012 R2 server and Windows 2008 R2 server without "Include all certificates in the certification path if possible" checked or anything else checked under "Personal Information Exchange - PKCS #12 (.PFX)".

 

Something changed in version 12.1.  We're doing it the same way we have done it for years.

 

We've even tried to copy the .PFX file up to the server using WinSCP and then going into the Netscaler via SSH and shell:

openssl pkcs12 -in ssl.pfx -out ssl.pem -nodes

 

Anyone have any pointers?

 

 

 

 

NoCertsPresent.jpg

CertNotServerCert.jpg


9 answers to this question
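
A pre-import check for a .pfx file, built on the same `openssl pkcs12` tool used in the question above. This is an added example, not code from any poster or from Citrix; the names `pfx_check` and `PFX_PASS` are constructed, and openssl's own "SSL server" purpose test is used as a stand-in because the page does not say what the setup wizard checks.

```shell
#!/bin/sh
# Added example. Constructed names: pfx_check, PFX_PASS.
# Usage: export PFX_PASS='...'; pfx_check ssl.pfx
# The password comes from the environment, not argv, so it stays out of the
# process list. Prints: certs=N key=yes|no match=yes|no server=yes|no
pfx_check() {
    pfx=$1
    tmp=$(mktemp -d) || return 2    # private (0700) dir; briefly holds the key
    p12() { openssl pkcs12 -in "$pfx" -passin env:PFX_PASS "$@" 2>/dev/null || :; }
    p12 -nokeys          > "$tmp/all.pem"     # every certificate in the bundle
    p12 -nokeys -clcerts > "$tmp/leaf.pem"    # only the cert tied to the key
    p12 -nocerts -nodes  > "$tmp/key.pem"     # the private key, decrypted

    # certs=0 means an empty bundle or a wrong password (openssl output is hidden).
    certs=$(grep -c 'BEGIN CERTIFICATE' "$tmp/all.pem" || :)
    key=no; match=no; server=no
    if grep -q 'PRIVATE KEY' "$tmp/key.pem"; then key=yes; fi

    # The key belongs to the certificate only if both yield the same public key.
    if [ "$key" = yes ] && [ -s "$tmp/leaf.pem" ]; then
        cpub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null || :)
        kpub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null || :)
        if [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]; then match=yes; fi
    fi

    # openssl's own "SSL server" purpose test (key usage / extended key usage).
    # Assumption: a stand-in only; the appliance's check is not documented here.
    c=$tmp/leaf.pem
    [ -s "$c" ] || c=$tmp/all.pem
    if openssl x509 -in "$c" -noout -purpose 2>/dev/null |
            grep -q 'SSL server : Yes'; then server=yes; fi

    rm -rf "$tmp"
    echo "certs=$certs key=$key match=$match server=$server"
}

if [ $# -gt 0 ]; then pfx_check "$1"; fi
```

On OpenSSL 3.x, a PFX written with older algorithms may only open with the `-legacy` option, which would otherwise show up here as `certs=0`.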

TXTOM | Enthusiast | 65 | Members | 256 posts

Appreciate being pointed in the right direction.  Got it working :-)

 

I was a bit lazy and used WinSCP to upload the .PFX files to /nsconfig/ssl

 

Command Line Interface (CLI) to make it easier for others that were used to using the GUI:

Example 1:

add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1

 

Example 2:

add ssl certKey SSLCORP -cert sslcorp.pfx -key sslcorp.pfx -inform PFX -password test1

 

Example 3:

add ssl certKey SSLEDU -cert ssledu.pfx -key ssledu.pfx -inform PFX -password test1

 

The .PFX file password in this case is test1

 

Under Configuration, Traffic Management, SSL, Server Certificates I now have the following:

SSL              citrix.cre                   RAPIDSSL

SSLCORP   citrix.cre                   DigiCert

SSLEDU      citrix.cre                   Entrust

 

See attached screen shot...

 

Thanks

ServerCertificates.jpg

Bit-101 | Aficionado | 160 | Members | 380 posts

Thank you, the only thing that is a little unclear is the .cre extension.
I use Import PKCS #12 and in the output file name: mycompany.cer and then point to .pfx (mycompany.com.pfx with the key within)

-Is it right?

 

edit: 2018-08-29: 09:53

The following syntax did not work, maybe I've done something wrong in the syntax:

Example 1:
add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1
Example 2:
add ssl certKey SSLCORP -cert sslcorp.pfx -key sslcorp.pfx -inform PFX -password test1
Example 3:
add ssl certKey SSLEDU -cert ssledu.pfx -key ssledu.pfx -inform PFX -password test1

 

In my case I'm gonna install: mycompany.com.pfx
 

-What is the right syntax if I refer to above example?

Really appreciate your answer
:0)

TXTOM | Enthusiast | 65 | Members | 256 posts

I guess the screen shot is a bit misleading.  Instead of seeing citrix.cre (partially blocked at end) it should read:

 

Under Configuration, Traffic Management, SSL, Server Certificates I now have the following:

SSL              citrix.mycorp.com                   RAPIDSSL

SSLCORP   citrix.mycorp.com                   DigiCert

SSLEDU      citrix.mycorp.edu                    Entrust

 

We used a Windows 2012R2 server to generate the SSL cert request, then completed it on the same server and exported the file as a password protected .PFX file excluding all the additional items such as intermediates.

 

This link with the quick setup was helpful:

http://citrixnerds.com/docs_citrixNetscalerQuickSetup.asp

Step #9 - Item #4 (add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1)

 

Bit-101 | Aficionado | 160 | Members | 380 posts

I have imported certificate myCompany.com.pfx like in Carl Stalhood's example:
https://www.carlstalhood.com/netscaler-certificates/#pfx
I have 3 Netscalers: 2 in an HA pair in production and one for test, Netscaler 3 (the Netscaler that complains about Certificate Mismatch).

 

Now I have downgraded Netscaler 3 to Netscaler 12.0.58.18.nc from Netscaler 12.1.48.13.nc and still the same problem - Certificate Mismatch

 

I'm using the same cert as on Netscaler 1 and Netscaler 2 (HA pair) and there was no problem with Certificate Mismatch.

 

But Netscaler 3 is still complaining about Certificate Mismatch.
So I'm trying your solution like this:
I can see myCompany.cer in Current Directory: /nsconfig/ssl/ (Manage certificates)
Putty and CLI:
> add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1
ERROR: Input file(s) not present or not accessible in current partition

 

What am I doing wrong?

 

Really appreciate your answer

 

:0)

 

 


 

Bit-101 | Aficionado | 160 | Members | 380 posts

"..Did you upload the .pfx file to /nsconfig/ssl?"

-Yes 


Yesterday I downloaded 12.1.49 but it looks like there are still some problems - please see screenshots.
 

 

invalid_argument.png

show_version.JPG

yale42549 | 0 | Members | 1 post

Hi,

 

I was able to solve the error "No certificates present in the certificate bundle" after converting the certificate files with these commands:

 

openssl rsa -outform der -in privkey.pem -out privkey.key

 

openssl x509 -outform der -in fullchain.pem -out cert.cer

 
