Hi all! Here I demonstrate how to import an external PKCS#12 (PFX) certificate that contains the private key into the Citrix NetScaler FIPS HSM, then install the server certificate using the FIPS key and bind it to a vServer. The uploaded PFX and the PEM file that step 1 converts it to (callback.cer) both hold the private RSA key in software, so both are deleted from the file system as soon as the key has been imported into the HSM; from then on the private key exists only inside the HSM. The certKey object is then created from a certificate-only file: either export the certificate without the private key from wherever the PFX came from (for example as PKCS#7 or a cert-only PEM), or manually remove the private-key section from the converted .cer file.
The appliance used in this demo is a NetScaler MPX FIPS 14030 on software 10.5-59.1361.
Here is the CLI to perform these actions.
- convert ssl pkcs12 callback.cer -import -pkcs12File callback_cert.pfx -certFile callback_cert.pfx -password "********"
- import ssl fipsKey callback_fips_key -key "/nsconfig/ssl/callback.cer" -inform PEM -exponent 3
- <delete /nsconfig/ssl/callback.cer and /nsconfig/ssl/callback_cert.pfx from the file system; both still contain the private key>
- add ssl certKey callback_cert -cert callback_cert_noprivkey.cer -fipsKey callback_fips_key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO
- bind ssl vserver callback -priority 0 -certkeyName callback_cert -crlCheck Optional
Two things to watch. The quotes around the password must be plain ASCII quotes if you paste these into the CLI. And the -exponent value on the import has to match the public exponent of the key you are actually importing: the appliance accepts 3 or F4 (65537), and most CA-issued RSA certificates today use 65537, so check the certificate before choosing 3.
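The certificate-only file that `add ssl certKey ... -fipsKey` expects (callback_cert_noprivkey.cer) is something you have to prepare; the steps above leave it to an export or a manual edit of the converted .cer. The following is an added example, not code from the original post or from Citrix, that does that manual edit safely: it reads the key-plus-certificate PEM that `convert ssl pkcs12 ... -import` wrote, keeps only the CERTIFICATE blocks (dropping the key and the Bag Attributes lines OpenSSL-style conversions emit), and refuses to write anything if a private-key block would survive. The sample bundle is constructed, with placeholder base64 bodies rather than a real key or certificate; the file names are the ones used in the steps above.

```python
"""Build a certificate-only PEM (callback_cert_noprivkey.cer) from the
key+cert PEM bundle (callback.cer) that `convert ssl pkcs12 -import` wrote.

Added example for this post; not NetScaler or Citrix code. It assumes the
bundle is ordinary PEM text; everything outside BEGIN/END blocks is dropped.
"""
import re
import sys

# One PEM block: the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----\r?\n?",
    re.DOTALL,
)

# Labels that mean "this block is private key material".
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}

# Constructed sample: the shape of a PKCS#12-to-PEM conversion (leaf cert,
# intermediate, private key, Bag Attributes headers). Bodies are placeholders.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 02 03 04
subject=/CN=callback.example.test
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERLEAFCERTIFICATEBODY0000000000000000000000000000000
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Issuing CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERINTERMEDIATECERTBODY000000000000000000000000000000
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEPLACEHOLDERPRIVATEKEYBODY00000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""


def pem_blocks(text):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def contains_private_key(text):
    """True if any PEM block in the text is private key material."""
    return any(label in PRIVATE_KEY_LABELS for label, _ in pem_blocks(text))


def certificate_only(text):
    """Keep only CERTIFICATE blocks, preserving order (leaf first, as written
    by the conversion), and drop everything else including Bag Attributes."""
    certs = [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found in input")
    return "".join(certs)


def write_certificate_only(src_path, dst_path):
    """Read the key+cert bundle at src_path, write a cert-only file to dst_path.
    Refuses to write if the result still carries a private key (it cannot with
    certificate_only(), but the check is the property we care about)."""
    with open(src_path, "r", encoding="ascii") as f:
        out = certificate_only(f.read())
    if contains_private_key(out):
        raise RuntimeError("refusing to write: private key block still present")
    with open(dst_path, "w", encoding="ascii") as f:
        f.write(out)
    return dst_path


if __name__ == "__main__":
    # Defaults are the file names from the steps above; run on a copy of
    # callback.cer before the original is deleted from the appliance.
    src = sys.argv[1] if len(sys.argv) > 1 else "callback.cer"
    dst = sys.argv[2] if len(sys.argv) > 2 else "callback_cert_noprivkey.cer"
    print("wrote", write_certificate_only(src, dst))
```

If you still have the PFX on a workstation, OpenSSL gets you the same file straight from it: `openssl pkcs12 -in callback_cert.pfx -nokeys -clcerts -out callback_cert_noprivkey.cer` (drop -clcerts if you also want the CA certificates in the file). While you are there, `openssl x509 -in callback_cert_noprivkey.cer -noout -text` prints the RSA public exponent, which tells you whether the fipsKey import needs -exponent 3 or -exponent F4, and `show ssl fipsKey callback_fips_key` on the appliance confirms the key landed in the HSM before you delete the software copies.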
Please let me know if you have any questions on this process. I’ve demo’d this via the GUI in the video below. Thanks for reading!