2021 Update: Importing PKCS#12 Cert and Key into Citrix ADC MPX/SDX FIPS

It’s been a while since I provided an update to the CLI for importing a PKCS#12 (PFX) certificate onto a Citrix ADC FIPS appliance, and it’s something that is frequently asked about. I’ll provide an updated set of commands to import from PFX to the FIPS appliance, then cover at the end what to do in an HA pair and what changes if you don’t have FIPS and just want to import the PFX for use on non-FIPS hardware.

As the FIPS line of Citrix ADCs has recently had an addition to the line up, this article applies to the following hardware models.

  • Citrix ADC MPX 9700/10500/12500/15500 FIPS
  • Citrix ADC MPX 14020/14030/14060/14080 FIPS
  • Citrix ADC SDX 14030/14060/14080 FIPS with FIPS Enabled Instances

The following steps were tested on an MPX 15500 FIPS running 12.1-69.19 and an MPX 14080 FIPS running 13.0-79.64.

For this test, I will be using a PFX certificate that I generated from my internal Windows Certificate Authority. You can also use a PFX from a public CA; the steps will be the same. I’ll be using a PFX file named “Internal_Wildcard_Certificate.pfx”.

Log in to the Citrix ADC GUI and navigate to “Traffic Management / SSL / SSL Files”, then click the “Certificates” tab. Here you can upload the PFX from your local computer. You could also use an SCP utility to upload the file; just be sure to place it under “/nsconfig/ssl/”.

Open an SSH session to the Citrix ADC (I’ll be using PuTTY) and log in as the nsroot user.

1. The first command we are going to run will use the openssl utility to export the certificate file from the PFX. You will be asked to enter the password for the PFX if there is one.

shell openssl pkcs12 -in "/nsconfig/ssl/Internal_Wildcard_Certificate.pfx" -nokeys -out "/nsconfig/ssl/Internal_Wildcard_Certificate.cer"

2. The next command will convert the certificate to the PEM format that will be needed when we install it later on.

shell openssl x509 -in "/nsconfig/ssl/Internal_Wildcard_Certificate.cer" -out "/nsconfig/ssl/Internal_Wildcard_Certificate.pem"

3. Next we are going to export the private key file from the PFX. Once again, you will be prompted for the PFX password. The key will be left unencrypted on the filesystem so we are going to delete it later in the process once we have imported it into the FIPS HSM.

shell openssl pkcs12 -in "/nsconfig/ssl/Internal_Wildcard_Certificate.pfx" -nocerts -out "/nsconfig/ssl/Internal_Wildcard_Certificate.key" -nodes

4. This command will convert the private key file to a PEM format.

shell openssl rsa -in "/nsconfig/ssl/Internal_Wildcard_Certificate.key" -out "/nsconfig/ssl/Internal_Wildcard_Certificate.pem.key"

5. Finally, the step that most of us have been waiting for, importing the private key file into the FIPS HSM.

import ssl fipskey Internal_Wildcard_Certificate -key /nsconfig/ssl/Internal_Wildcard_Certificate.pem.key -inform PEM

6. Now to install the SSL Certificate for use on the appliance. Here we are also specifying to use the newly imported FIPS key.

add ssl certKey Internal_Wildcard_Certificate -cert Internal_Wildcard_Certificate.cer -fipsKey Internal_Wildcard_Certificate -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

7. Finally, a bit of clean up. Now that the private key file has been imported into the FIPS HSM, we can remove the plain text file from the file system on the appliance. We want to do this for increased security, as the file is no longer needed for operation.

shell rm /nsconfig/ssl/Internal_Wildcard_Certificate.key
shell rm /nsconfig/ssl/Internal_Wildcard_Certificate.pem.key
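
A check worth running between steps 4 and 5 and again after step 7, shown here as an added example that is not part of the original post: confirm the extracted key belongs to the certificate before it goes into the HSM, and confirm afterwards that no unencrypted key file is left in the directory. It assumes bash and openssl; the function names, the sample subject and the password "constructed" are illustrative, and the PFX is a throwaway built inline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names, the sample
# subject and the password "constructed" are assumptions for illustration.

# Print the SHA-256 of the public key in a PEM certificate ($1=cert) or
# derived from a PEM private key ($1=key); fail if the file will not parse.
pubkey_hash() {
    local pub
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when the private key ($2) belongs to the certificate ($1).
# Returns 1 on mismatch and 2 when either file cannot be parsed.
key_matches_cert() {
    local c k
    c=$(pubkey_hash cert "$1") || return 2
    k=$(pubkey_hash key "$2") || return 2
    [ "$c" = "$k" ]
}

# List files under directory $1 that still hold an unencrypted private key.
plaintext_keys() {
    grep -lE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"/* 2>/dev/null
}

# Build a constructed, throwaway PFX in $1 and extract it as in steps 1-4.
make_sample() {
    ( umask 077; cd "$1" || exit 1   # key files are created owner-only
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
          -keyout orig.key -out orig.crt 2>/dev/null &&
      openssl pkcs12 -export -in orig.crt -inkey orig.key \
          -passout pass:constructed -out sample.pfx &&
      openssl pkcs12 -in sample.pfx -nokeys -passin pass:constructed \
          -out sample.cer 2>/dev/null &&
      openssl pkcs12 -in sample.pfx -nocerts -nodes -passin pass:constructed \
          -out sample.key 2>/dev/null &&
      openssl rsa -in sample.key -out sample.pem.key 2>/dev/null &&
      openssl genrsa -out other.key 2048 2>/dev/null )   # unrelated key
}

d=$(mktemp -d) && make_sample "$d"
key_matches_cert "$d/sample.cer" "$d/sample.pem.key" && echo "match: safe to import"
key_matches_cert "$d/sample.cer" "$d/other.key" || echo "mismatch: do not import"
plaintext_keys "$d"   # every file listed here should be gone after step 7
```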

And that’s it, you’ve now imported the private key to the FIPS HSM and installed the SSL Certificate for use with that FIPS key. Below are two optional processes for:

  • I have an HA pair, what’s next?
  • FIPS what? Just help me get the PFX on my non-FIPS Citrix ADC

I have an HA pair, what’s next?

If you have an HA pair of Citrix ADCs, and I hope you do, these few additional steps will help you get the FIPS key moved to the other appliance. First, let’s assume my primary node is 10.37.2.81 and my secondary node is 10.37.2.82.

Before this process will work, your two Citrix ADC FIPS appliances MUST be “in SIM”. What this means is that you have synchronized both FIPS modules with the source appliance’s secrets that allow these keys to be used on either system. This process can be done with many other appliances, not just in an HA pair. For example, if you have 2 HA pairs (1 in each data center) you could perform SIM on each of those appliances so they can all use the same FIPS keys between each other. I have some commands already written up for this process, found in the txt linked here.

https://github.com/shilllabs/Citrix-ADC-FIPS/blob/master/Setting%20up%20FIPS%20-%20SIM%20-%20HA%20on%2012.1%20Pair.txt

1. With an HA pair where both appliances are “in SIM” we can run the following command to export a FIPS key on the primary node and copy it to the secondary node.

export ssl fipsKey Internal_Wildcard_Certificate -key Internal_Wildcard_Certificate.fipskey
shell scp /nsconfig/ssl/Internal_Wildcard_Certificate.fipskey nsroot@10.37.2.82:/nsconfig/ssl/

2. Now, connect over SSH to the secondary node as the nsroot user account and run the following:

import ssl fipsKey Internal_Wildcard_Certificate -key Internal_Wildcard_Certificate.fipskey -inform SIM

You now have the FIPS key imported and shared on both FIPS appliances.

FIPS what? Just help me get the PFX on my non-FIPS Citrix ADC

If you are looking to just take a PFX certificate and use it on a non-FIPS ADC, you can perform steps 1-4 above but skip step 5 and run the following command:

add ssl certKey Internal_Wildcard_Certificate -cert Internal_Wildcard_Certificate.cer -key Internal_Wildcard_Certificate.pem.key -inform PEM -expiryMonitor ENABLED -notificationPeriod 30 -bundle NO

Now, you won’t want to delete the files from the file system as we did with the FIPS appliance because on the non-FIPS hardware, we store these files on the direct file system.

And that’s it, I hope that helped, let me know if you have any questions.
Thanks,
Shane

3 thoughts on “2021 Update: Importing PKCS#12 Cert and Key into Citrix ADC MPX/SDX FIPS”

  1. I am getting an internal error when trying to install the CERT. Multiple searches on the web prove fruitless. Nothing showing in the NSlog with the error, I even attempted the command line, everything is flawless until the cert install. Any ideas?

    1. Was the import of the pfx successful and you’re receiving the internal error when attempting to install the cert with the imported key? Or are you having an issue with importing the RSA key as a FIPS key? I have seen that sometimes you need to “convert” the cert or the key file again.

      For the cert from PEM to PEM, sometimes this fixes any formatting problems.
      openssl x509 -inform pem -in /nsconfig/ssl/mycert.cer -outform pem -out /nsconfig/ssl/mycert2.cer

      Or extracting the cert from the pfx without the key
      openssl pkcs12 -in /nsconfig/ssl/mycert.pfx -clcerts -nodes -nokeys -out /nsconfig/ssl/mycert.cer

      And lastly extracting the key from the pfx without the cert
      openssl pkcs12 -in /nsconfig/ssl/mycert.pfx -nocerts -out /nsconfig/ssl/mycert.key

      Then you can try the import to the FIPS module
      import ssl fipsKey mycertfipskey -key "/nsconfig/ssl/mycert.key" -inform PEM -exponent F4

      Then installing the cert using the FIPS key
      add ssl certKey mycert -cert /nsconfig/ssl/mycert.cer -fipsKey mycertfipskey -inform PEM

      Hope that helps.

      1. Thanks for the quick reply, the pfx import was a success, I am able to extract and import a FIPS key, the internal error is coming when I try to install the Cert (via GUI and CLI). I will read through your suggestions and give them a try.
        Thank you!
