We help IT Professionals succeed at work.

Certificate installation-Citrix Netscaler  -  .PEM vs .CER vs .CRT vs PFX vs...


need to install 3rd party certificate on the Citrix Netscaler.
I know procedure to create CSR but I’m not sure about the part when it comes to submit CSR to CA.What type of certificate should I get out after submit to CA? .PEM cert?Does publi CAs provide .PEM certs?
Watch Question

Senior Citrix Engineer
A lot depends on your CA.  Some CAs have the option to return them as PEM (base64) or DER (binary).  Most of the public CAs will typically give you the certs in PEM format, which is of course what you need for your Netscaler.

And ultimately, it doesn't really matter what kind of certificate the CA gives you.  You can always download a copy of OpenSSL and convert the certificates.  Once you have them in PEM format, you can either put both the cert and the private key in the same file and point the Cert & Key paths in the Netscaler to the same file, or you can keep them separate.  I've generally seen them kept separate when you create your keypairs.  (literally just google search for "openssl convert certificate to pem" and you'll find tons of articles and examples.

Distinguished Expert 2019
The siffix is of little consequence .cer .crt .cert means the same thing, it is presumable a human read ke format that gas

----begin certificate ------

---- end certificate ------
Or done thing similar

A PFX on the other hand is a pkcs#12 format that is a binary file that includes both the private key and the certificate, commonly exported from a Windows system.

On the netscaler, does it provide an option to generate a CSR, if it does, all you need after you submit the netscaler generated CSR is the signed certificate because the netscaler already has the private key it used to generate the CSR.

The CA commonly issues the cert in the plain text format, keep mixing them whether it is PEM or DER format.

As Coralon ended, using OpenSSL you can convert between, among formats.

The only consideration is the type of a certificate netscaler needs. Often, the CSR gas to include the types, functions, it needs. If it needs to support multiple names, using SAN in the CSR creation stage is needed. Once signed, it can not be altered.
Sam JacobsCitrix Technology Professional / Director of TechDev Services, IPM
I prefer to create my CSRs on a Windows machine, get the certificate from the CA, and then export the private/public key pair as a .PFX file, which I them import (together with any needed intermediate certificates of course) into the NetScaler.
The above is especially true for wildcard certificates, as it makes it easy for me to copy the certificate wherever it's needed.