Error: “No Such FIPS Key” when Trying to Install Certificate and FIPS Key on ADC FIPS Appliance

This issue is most commonly seen when the FIPS Key originated from another device's private key that was subsequently imported into the FIPS ADC appliance. Private keys from other devices are commonly imported as password-protected PFX files. On the FIPS ADC, the PFX file is converted into a PEM file that contains both the certificate and the private key.

After the PEM file is imported as a FIPS Key, the administrator attempts to install a new certificate definition using the existing PEM file (for the certificate) and the FIPS Key that was imported from it. The administrator provides the PFX file password when attempting to install the certificate definition using either of the following:

  • NetScaler administration utility (GUI): Traffic Management > SSL > Certificates > Install

  • Terminal session (CLI): add ssl certkey

The administrator might incorrectly include the PFX file password when installing the new certificate definition. However, the password is not required: the private key extracted from the PFX file into the PEM file is not encrypted, so a FIPS Key imported from that PEM file has no password to supply.


Error: “An SSL connection to the server couldn't be established” while trying to authenticate to StoreFront using Linux Receiver

1. Obtain the root certificate in PEM format.

Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.

2. As the user who installed the package (usually root):

  • Copy the file to $ICAROOT/keystore/cacerts.
  • Run the following command: $ICAROOT/util/ctx_rehash


Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Linux

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver and verify whether this resolves the issue.
  • If you are using SHA-2 certificates, note that older versions of Receiver do not support these certificates. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions that support SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates, refer to the Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message indicates that the client device does not have the root certificate or intermediate certificate required to establish trust with the certificate authority that issued the server certificate.

Use a root certificate

If you need to authenticate a server certificate that was issued by a certificate authority and is not yet trusted by the user device, follow these instructions before adding a StoreFront store.

  1. Obtain the root certificate in PEM format.

    Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.
  2. As the user who installed the package (usually root):
    1. Copy the file to $ICAROOT/keystore/cacerts.
    2. Run the following command:
      $ICAROOT/util/ctx_rehash

Use an intermediate certificate

If your StoreFront server is not able to provide the intermediate certificates that match the certificate it is using, or you need to install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store.

  1. Obtain the intermediate certificate(s) separately in PEM format.

    Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.
  2. As the user who installed the package (usually root):
    1. Copy the file(s) to $ICAROOT/keystore/intcerts.
    2. Run the following command:
      $ICAROOT/util/ctx_rehash


How to Decrypt SSL and TLS Traffic Using Wireshark

Private Key Format

Wireshark can decrypt SSL traffic provided that you have the server's private key and the session used RSA key exchange (with (EC)DHE cipher suites the private key alone is not enough, because the session keys are not derived from it). The private key has to be in a decrypted PKCS#8 PEM format (RSA). You can open and verify the key file: if it is plain text it is PEM; if it is binary, it is likely in DER format, which cannot be used with Wireshark.

You can use OpenSSL to convert the key, for example to convert a PKCS#8 DER key to a decrypted PKCS#8 PEM format (RSA) key.

At the $ prompt enter the following command:

openssl pkcs8 -nocrypt -in der.key -informat DER -out pem.key -outformat PEM

Where:

der.key is the file name and path to the DER key file.

pem.key is the file name and path to the PEM key file output.

A decrypted PEM format (RSA) key file is plain text. Notice that the key begins with:

-----BEGIN RSA PRIVATE KEY-----

(The openssl pkcs8 -nocrypt command above writes the PKCS#8 form of the same key, which begins with -----BEGIN PRIVATE KEY-----; Wireshark accepts either unencrypted form.)

If it begins with:

-----BEGIN ENCRYPTED PRIVATE KEY-----

Then the key is encrypted and needs to be decrypted with the right passphrase. You can again use OpenSSL to do this.

  1. At the $ prompt, issue the following command:

    openssl rsa

    If you issue this command without arguments, you are prompted as follows:

    read RSA key

  2. Type the name of the key file to be decrypted, then enter its passphrase when prompted.

    You can type the openssl rsa command with arguments if you know the name of the encrypted private key file and the name you want for the decrypted PEM file.

    For example, if the private key filename is myprivkey.pvk and the decrypted filename is keyout.pem, the command is:

    openssl rsa -in myprivkey.pvk -out keyout.pem



How to Convert PFX Certificate to PEM Format for Use with NetScaler

Complete one of the following procedures to convert a PFX certificate to PEM format for use with NetScaler:

NetScaler Wizard

Complete the following procedure to convert a PFX certificate to PEM format using NetScaler Wizard:

  1. Navigate to Traffic Management and select the SSL node.

  2. Click the Import PKCS#12 link.


  3. Specify a file name you want for the PEM certificate in the Output File Name field.

  4. Click Browse and select the PFX certificate that you want to convert to PEM format. Some users prefer to upload the certificate to the /nsconfig/ssl directory and use it from there. If the PFX certificate is stored on the NetScaler, choose the Appliance option; if it is stored on your workstation, choose Local.


  5. Specify the Import Password.

  6. Click OK.


  7. If the file is encoded, then select DES or 3DES as the Encoding Format:


  8. Specify the PEM Passphrase and the Verify PEM Passphrase.

  9. Click the Manage Certificates / Keys / CSRs link to view the converted PEM certificate files.


  10. You can view the uploaded PFX file with the converted PEM file.


  11. Expand the SSL node.

  12. Select the Certificates node.

  13. Click Install.

  14. Specify a Certificate-Key Pair Name in the Install Certificate wizard.

  15. Browse to the PEM file for both the Certificate File Name and Private Key File Name.

  16. Specify the Password.

  17. Click Install.


  18. Bind the certificate key pair to an SSL load balancing virtual server or NetScaler Gateway virtual server.

OpenSSL Utility

If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto the NetScaler Gateway, you must convert the PFX file to unencrypted PEM format.

You can use the open source utility OpenSSL to perform the conversion from PFX to PEM. Download a Win32 distribution of OpenSSL from Win32 OpenSSL.

You might also need C++ redistributable files if you want to use OpenSSL. Download this from Microsoft Visual C++ 2008 Redistributable Package (x86).

To convert a PFX file to a PEM file, complete the following steps on a Windows machine:

  1. Download and install the Win32 OpenSSL package from Win32 OpenSSL.

  2. Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.

  3. Open a command prompt and change into the OpenSSL\bin directory:

    cd %homedrive%\OpenSSL\bin

  4. Run the following command to convert the PFX file to an unencrypted PEM file (all on one line). Because -nodes writes the private key unencrypted, keep the output file access-restricted and delete the local copy once it has been uploaded:

    openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes


  5. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.


  6. Point a browser to the NetScaler Gateway administration portal on HTTPS port 9001: https://netscaler-gateway-server:9001.

  7. Log on as root. The default password is rootadmin.

  8. Click the Maintenance link at the top of the page.

  9. Click the Browse button next to the Upload Private Key+Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.

  10. Restart NetScaler Gateway for the new SSL certificate to be applied.


How to Update an SSL Certificate on NetScaler

Update an SSL Certificate on NetScaler using Graphic User Interface

Overview diagram of how to update an SSL certificate on NetScaler

To update an existing certificate from the GUI of the appliance, complete the following procedure:

  1. From the NetScaler navigation panel, expand Traffic Management, then expand Certificates, and click the Server Certificates node.

    Note: In older NetScaler versions, if you don’t see the Server Certificates node, then click the Certificates node instead.


  2. On the right, in the SSL Certificates page, select the certificate you want to update, and click Update.


  3. In newer versions of NetScaler, check the box next to Update the certificate and key.


  4. In the Certificate File Name field, click Choose File > Local, and browse to the updated .pfx file or certificate PEM file. The .pfx files are only supported in newer versions of NetScaler.


    • If you are uploading a .pfx file, NetScaler will prompt you to specify the .pfx file password.

    • If you uploaded a certificate .pem file, you will also have to upload a certificate .key file. If the .key is encrypted, then you’ll need to specify the encryption password.

  5. If the common name of the new certificate does not match the old certificate, then check the box next to No Domain Check.

  6. Click OK. This will automatically update every SSL Virtual Server on which this certificate is bound.


  7. After replacing the certificate, you might have to update the certificate link to a new Intermediate certificate.

    1. Right-click the updated certificate, and click Cert Links, to see if it is currently linked to an intermediate certificate.

    2. If not linked to anything, then right-click the updated certificate, and click Link, to link it to an intermediate certificate. If it doesn’t give you an option to link it to, then you’ll first have to install the new intermediate certificate on the NetScaler under the CA Certificates node.


After you receive a renewed certificate from the certificate authority, you can update existing certificates from NetScaler MAS without needing to log on to individual NetScaler instances. For detailed instructions refer to Citrix Documentation – How to Update an Installed Certificate from NetScaler MAS.

Update an SSL Certificate on NetScaler using Command Line Interface

Certificates can be updated from the CLI by running update ssl certKey MyCert. However, the certificate files must be stored somewhere on the appliance, and already be in PEM format.


Use the following command to update the certificate from the command line interface:

    update ssl certkey <Cert_Key_Name> [-cert <String>] [(-key <String> [-password]) | -fipsKey <String>] [-inform (DER|PEM)] [-noDomainCheck]

For detailed information about this command refer to Citrix Documentation.

Note: If the private key is password protected, you must specify the password. If you do not do so, you are prompted to specify the password.


After importing a certificate PEM file with more than one CERTIFICATE section, you cannot access the management console

You can manually update the PEM file instead of using the Management Console. This is an available option if you have not already uploaded the certificate or have rolled back to a snapshot. It is required to recover if you have already uploaded the certificate and have no backup.

Log in to the ELM as root. Log in through an SSH client such as SecureCRT or PuTTY so that you can copy and paste the correct PEM file. Otherwise, you might need to use SCP to upload your PEM file and cp or mv to put it in place.

The Apache httpd certificate file is always stored in /etc/ssl/pem/unidesk.pem. When we upload a certificate, we simply overwrite this file. If you want to manually upload a certificate, you can overwrite this file too.

    service httpd stop
    cd /etc/ssl/pem
    cp unidesk.pem unidesk.pem.old
    cat > unidesk.pem
    {copy and paste your PEM text}
    Ctrl-D
    reboot

If you cannot copy and paste the text of your PEM file, you can use WinSCP or some other SCP client to upload your PEM file. Then the middle commands become something more like this:

    mv unidesk.pem unidesk.pem.old
    mv your-new.pem unidesk.pem

After the reboot, httpd will restart. First, simply try logging in through the management console. If that fails, check ssl_error_log or the output of "service httpd status" to see what happened when it started. Manually replacing unidesk.pem is fully supported; it is exactly what the web console does.

Can’t install Certificate, “Unable to parse the certificate file.”

This may be caused by a certificate which contains additional data that the App Layering Management Console can’t handle. Normally a certificate contains one PRIVATE KEY section, and one or more CERTIFICATE sections. Those are what App Layering requires. However, your PEM file might include additional metadata called “Bag Attributes” above and between each of these sections. Try deleting that extra data entirely (leaving just the PRIVATE KEY and CERTIFICATE sections) and importing that.

For instance, a file with the extra data looks like this:

    Bag Attributes
        Microsoft Local Key set: <No Values>
        localKeyID: 01 00 00 00
        friendlyName: {0F883524-D4C9-47BD-BD4D-B0059745BEC9}
        Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
    Key Attributes
        X509v3 Key Usage: 10
    -----BEGIN PRIVATE KEY-----
    <Sensitive Data Deleted>
    -----END PRIVATE KEY-----
    Bag Attributes
        localKeyID: 01 00 00 00
    subject=/OU=Domain Control Validated/CN=*.ad.domain.dom
    issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    -----BEGIN CERTIFICATE-----
    <More Sensitive Data Deleted>
    -----END CERTIFICATE-----

You would edit your PEM file to remove the Bag Attributes sections, leaving just these two:

    -----BEGIN PRIVATE KEY-----
    <Sensitive Data Deleted>
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    <More Sensitive Data Deleted>
    -----END CERTIFICATE-----


7013103: How to create a .pem File for SSL Certificate Installations

Privacy Enhanced Mail (PEM) files are concatenated certificate containers frequently used in certificate installations when multiple certificates that form a complete chain are being imported as a single file. They are a defined standard in RFCs 1421 through 1424. They can be thought of as a layered container of chained certificates. A .pem file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates):

  • Private Key
  • Server Certificate (crt, public key)
  • (optional) Intermediate CA and/or bundles if signed by a 3rd party

How to create a self-signed PEM file:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem



How to create a PEM file from existing certificate files that form a chain:

  • (optional) Remove the password from the Private Key by following the steps listed below:
    • Type openssl rsa -in server.key -out nopassword.key and press Enter.
    • Enter the pass phrase of the Private Key.
  • Combine the private key, public certificate and any 3rd-party intermediate certificate files, in that order:
    • cat nopassword.key > server.pem
    • cat server.crt >> server.pem
    • Repeat this step as needed for third-party certificate chain files, bundles, etc.:

      cat intermediate.crt >> server.pem
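The Python below is an added example, not code from Citrix, Unidesk or the KB articles on this page. It does in one place what three of the procedures above do by hand: strip "Bag Attributes", "Key Attributes" and subject=/issuer= lines so that only the PRIVATE KEY and CERTIFICATE sections remain (the "Unable to parse the certificate file" fix), concatenate key, server certificate and intermediates in that order (the 7013103 chain procedure), and replace an existing file such as /etc/ssl/pem/unidesk.pem while keeping a .old backup (the manual-replacement procedure). It adds a check a practitioner wants before overwriting a web server's certificate file: exactly one unencrypted private key, at least one certificate, nothing outside the BEGIN/END blocks. The function names, the validation rules and the temporary-file-plus-rename write are my design choices, and SAMPLE_WITH_BAGS is a constructed file with placeholder bodies.

```python
"""Clean, validate, assemble and safely install a PEM bundle (added example)."""
import os
import re
import shutil
import tempfile

# One PEM block: a BEGIN line, the base64 body, and an END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample in the shape the "Unable to parse" article shows: Bag Attributes
# and subject=/issuer= lines around the blocks. The block bodies are placeholders.
SAMPLE_WITH_BAGS = """Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: constructed-example
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=example.test
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def extract_blocks(text: str) -> list:
    """(label, block_text) pairs in file order; anything outside BEGIN/END is dropped."""
    return [(m.group("label"), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def clean_pem(text: str) -> str:
    """The manual fix from the article: keep only the PRIVATE KEY and CERTIFICATE sections."""
    return "".join(block for _, block in extract_blocks(text))


def assemble_chain(key_pem: str, server_cert_pem: str, *intermediates: str) -> str:
    """Equivalent of the cat > / cat >> sequence above: key, then server
    certificate, then intermediates, each cleaned of stray metadata first."""
    return "".join(clean_pem(part) for part in (key_pem, server_cert_pem, *intermediates))


def validate_bundle(text: str) -> list:
    """Problems found (empty list means acceptable): exactly one private key, not
    encrypted, at least one certificate, and no metadata outside the blocks."""
    labels = [label for label, _ in extract_blocks(text)]
    keys = [label for label in labels if label in PRIVATE_KEY_LABELS]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one PRIVATE KEY section, found {len(keys)}")
    if "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is encrypted; remove the passphrase first")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE section found")
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text outside BEGIN/END blocks (Bag Attributes etc.) must be removed")
    return problems


def install_bundle(bundle: str, target: str) -> str:
    """Replace `target` (e.g. /etc/ssl/pem/unidesk.pem) with `bundle`, keeping the old
    file as `<target>.old`. Validation runs first so a bad file never reaches httpd, and
    the write goes through a temp file plus rename so an interrupted write cannot leave
    a truncated certificate file. Returns the backup path."""
    problems = validate_bundle(bundle)
    if problems:
        raise ValueError("; ".join(problems))
    backup = target + ".old"
    if os.path.exists(target):
        shutil.copy2(target, backup)      # same as: cp unidesk.pem unidesk.pem.old
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target) or ".", prefix=".pem-")
    with os.fdopen(fd, "w") as fh:
        fh.write(bundle)
    os.chmod(tmp, 0o600)                  # the file holds a private key: owner-only
    os.replace(tmp, target)
    return backup


def demo() -> dict:
    """Run the whole flow against a temporary stand-in for /etc/ssl/pem/unidesk.pem."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "unidesk.pem")
    with open(target, "w") as fh:
        fh.write("OLD CONTENT\n")         # stands in for the current certificate file
    before = validate_bundle(SAMPLE_WITH_BAGS)
    cleaned = clean_pem(SAMPLE_WITH_BAGS)
    backup = install_bundle(cleaned, target)
    with open(backup) as fh:
        backup_text = fh.read()
    with open(target) as fh:
        installed = fh.read()
    shutil.rmtree(workdir)
    return {"problems_before": before, "problems_after": validate_bundle(cleaned),
            "backup": backup_text, "installed": installed}


if __name__ == "__main__":
    print(demo())
```

To use it on a real appliance, run `install_bundle(clean_pem(open("your-new.pem").read()), "/etc/ssl/pem/unidesk.pem")` as root with httpd stopped, then reboot as the article says; a ValueError from the validation step means the file needs the manual cleanup described above rather than a different upload method.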


Endpoint Agent 15.1 Deployment via AD

I need a solution

Hi, everyone.

As per the title, I would like to deploy Endpoint Agents for DLP 15.1 via AD.

I have read this article: https://www.symantec.com/connect/articles/deploy-d…

However, what I don't understand is that the article did not mention anything regarding the pem files, as the agent packages that I have generated contain the following files, as shown in the file attached to this post.

So I understand that the msi file can be transformed into an mst with the parameters from the install batch file, but how do I include the pem files and deploy them via AD?

Thanks in advance.
