Free SSL Certificates with Let’s Encrypt and NetScaler


While working with Citrix NetScaler appliances I request new publicly signed certificates every so often. However, sometimes you might want to test your configuration before buying the certificates. One way of doing this is with self-signed certificates, another is with a free SSL service like Let’s Encrypt.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
It is a service provided by the Internet Security Research Group (ISRG).

They provide certificates with a lifetime of 90 days, and renewing a certificate is done within a couple of minutes, which is perfect for testing, a homelab or small environments.

In this blog article I will explain:

  • How to install and configure a Linux appliance for use with Let’s Encrypt
  • How to configure your NetScaler with a responder policy for domain validation
  • How to request and export the Certificates from the Linux appliance and import them onto your NetScaler
  • And finally, how to bind them to a NetScaler Virtual Server

As I wanted to set up the configuration with a low footprint on my environment, I decided to install the Linux appliance based on CentOS 7 minimal edition, which you can find at

Install CentOS

Welcome to CentOS Linux 7


Installation Summary


Select Installation Destination and select the disk


Select Network & Hostname and configure your Network


Next Begin Installation and set a ROOT Password


Finish Installation and Reboot

Once rebooted, you can connect with an SSH client to the configured IP address.



Install Let’s Encrypt

Log in as root with the password you set earlier:


First we are going to enable the EPEL repository:

sudo yum install epel-release


Now we can install Certbot, which contains the client components for Let’s Encrypt:

sudo yum install certbot

If the installation succeeded, you are ready to configure your NetScaler.



Configure NetScaler Responder Policy

Log in to your NetScaler and go to AppExpert > Responder > HTML Page Imports

Create an HTML page:

Name: HTML_LetsEncrypt
Import From: Text
Text Field: ***  TEST  ***


Next go to Responder Actions > ADD

Name: ACT_LetsEncrypt
Type: Respond with HTML Page
HTML Page: HTML_LetsEncrypt
Response Status Code: 200


Next go to Responder Policies > ADD

Name: RESP_LetsEncrypt
Action: ACT_LetsEncrypt
Expression: true


Now that we have a Responder Policy created, we can bind it to a Content Switch.

Go to Traffic Management > Content Switching

Select Virtual Servers > ADD

Name: CS_LetsEncrypt
Protocol: HTTP
IP Address: one that is accessible from the internet, through a firewall or otherwise


Select Policies from the Right Side and add the Responder Policy

Select the responder policy RESP_LetsEncrypt and select BIND


Finally select Done to create the Content Switch


In the above steps we have created a responder policy and bound it to a new Content Switching Virtual Server.
Before requesting a certificate, validate that the website is reachable from the internet; it should show the content of the HTML page we created.


Request a Certificate

Now that you have confirmed that the responder policy is working, we can request a certificate from the Linux appliance:

certbot certonly --manual --email <your email address> -d <your domain> --rsa-key-size 2048


Agree on the Terms of Service


When you have accepted the above you get the “Press ENTER to continue” prompt. However, before doing so we need to copy the marked string and place it in the HTML page that we created for the responder policy.


Again you can confirm this by opening the website.

When requesting the certificate, Let’s Encrypt will first validate the website by checking the string value.
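Before pressing Enter it is worth fetching the challenge URL the same way the Let’s Encrypt validation server does and comparing the body with the string certbot printed. The script below is an added example and not part of the original post: it assumes the domain you passed to `-d`, the challenge token (the last path segment of the URL certbot shows) and the full `token.thumbprint` string certbot expects, and it assumes `curl` is available on the appliance. The point it makes is that the validator wants the bare string only; an HTML page that wraps the string in tags or other text will fail validation even though it looks right in a browser.

```shell
#!/bin/sh
# Added example, not from the original post: check that the NetScaler
# responder returns exactly the key authorization certbot asked for.
# Assumed inputs: DOMAIN (the "-d" value), TOKEN and EXPECTED
# ("token.thumbprint"), all taken from certbot's manual-mode prompt.

# body_matches_key_authorization BODY EXPECTED
# The ACME validator ignores trailing whitespace but nothing else, so HTML
# tags or extra text around the string make validation fail. Key
# authorizations contain only base64url characters and one dot, so deleting
# every whitespace character from the body is a safe way to trim it.
body_matches_key_authorization() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$body" ] && [ "$body" = "$2" ]
}

# challenge_url DOMAIN TOKEN
# The HTTP-01 validator always fetches this exact path over plain HTTP (port 80),
# which is why the content switch in the post is an HTTP vServer.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# check_challenge DOMAIN TOKEN EXPECTED
# Fetches the URL the way the validator would and reports whether the
# responder policy serves the right content. Run it from a host outside
# your network, or at least one that resolves DOMAIN to the public address.
check_challenge() {
    url=$(challenge_url "$1" "$2")
    body=$(curl -fsS --max-time 10 "$url") || { echo "fetch failed: $url" >&2; return 1; }
    if body_matches_key_authorization "$body" "$3"; then
        echo "OK: $url serves the expected key authorization"
    else
        echo "MISMATCH: $url returned: $body" >&2
        return 1
    fi
}

# Usage: sh check_challenge.sh <domain> <token> <token.thumbprint>
if [ $# -eq 3 ]; then
    check_challenge "$1" "$2" "$3"
fi
```

If the check reports a mismatch, fix the HTML page import on the NetScaler and re-run it before pressing Enter; a failed validation otherwise counts against the Let’s Encrypt rate limits for the domain.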

Finally we can press Enter to continue.

When the certificate request has been validated, you will see a Congratulations! 🙂

Next browse to /etc/letsencrypt/live/

Here we find the following files:

cert.pem > Server Certificate
chain.pem > Root and Intermediate Certificates
fullchain.pem > Server and chain Certificates
privkey.pem > Private Key for Server Certificate

As a last step we need to change the format of the server certificate and private key so that they can be imported on the NetScaler.
For this we use OpenSSL:

openssl rsa -outform der -in privkey.pem -out privkey.key
openssl x509 -outform der -in cert.pem -out cert.cer
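The two OpenSSL commands above only change the encoding; they do not tell you whether the key and certificate actually belong together, or how long the certificate is still valid. The script below is an added example, not code from the post: it wraps the same two conversions in a check that the private key matches the certificate (the NetScaler rejects a certificate/key pair that does not match) and a check of the remaining lifetime, which matters with 90-day certificates. It assumes certbot’s live directory layout (`cert.pem`, `chain.pem`, `privkey.pem`) and an RSA key as requested with `--rsa-key-size 2048`; the output directory is my choice.

```shell
#!/bin/sh
# Added example, not from the original post: verify a certbot "live"
# directory and convert it to the DER files used in the post.
# Assumes certbot's layout (cert.pem, chain.pem, privkey.pem) and an RSA key.

# key_matches_cert DIR
# Derives the public key from both files and compares them; returns 0 only
# when privkey.pem is the private half of the key inside cert.pem.
key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days DIR DAYS
# Returns 0 if cert.pem is still valid DAYS days from now; -checkend is
# portable across OpenSSL versions, unlike parsing the notAfter date.
cert_valid_for_days() {
    openssl x509 -in "$1/cert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# convert_for_netscaler DIR OUTDIR
# The same two conversions as in the post, guarded by the key check. The
# chain is copied unchanged, since the NetScaler accepts PEM for the CA
# certificate import.
convert_for_netscaler() {
    dir=$1 out=$2
    key_matches_cert "$dir" || { echo "privkey.pem does not match cert.pem in $dir" >&2; return 1; }
    mkdir -p "$out" &&
        openssl rsa -outform der -in "$dir/privkey.pem" -out "$out/privkey.key" 2>/dev/null &&
        openssl x509 -outform der -in "$dir/cert.pem" -out "$out/cert.cer" &&
        cp "$dir/chain.pem" "$out/chain.pem"
}

# report DIR
# Human-readable summary to read before the scp step.
report() {
    openssl x509 -in "$1/cert.pem" -noout -subject -enddate
    if key_matches_cert "$1"; then
        echo "key: matches certificate"
    else
        echo "key: DOES NOT match certificate"
    fi
    if cert_valid_for_days "$1" 30; then
        echo "expiry: more than 30 days left"
    else
        echo "expiry: less than 30 days left, renew now"
    fi
}

# Usage: sh prepare_netscaler_cert.sh /etc/letsencrypt/live/<domain> /tmp/netscaler
if [ $# -eq 2 ]; then
    report "$1" && convert_for_netscaler "$1" "$2"
fi
```

Run it against the live directory of your domain; the DER files land in the output directory, so the scp step below can copy that directory instead of the `live` tree with its symlinks. `privkey.key` is the unencrypted private key, so remove the output directory once the copy has been made.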

Finally we copy the files over to the NetScaler, which we can do directly with SCP:

scp /etc/letsencrypt/live/* nsroot@

Or through an FTP Program like WinSCP

Once this has been done, you can safely switch off the Linux appliance and disable the content switch until the next certificate request.



Install Certificate on NetScaler

Go to Traffic Management > SSL > SSL Certificate > CA Certificates


Next go to Traffic Management > SSL > SSL Certificate > Server Certificates



Next, link the Server Certificate to the CA Certificate


The certificate is now ready and can be bound to your vServer.

When you have to renew your certificates or want to request new ones, you only have to repeat these steps:

  • Request a Certificate
  • Install Certificate on NetScaler


Thank you for reading and feel free to leave a comment.


Martijn van Willigen

Martijn van Willigen works as a Technical Consultant at Detron, with a focus on Citrix NetScaler, XenApp, XenDesktop, XenMobile, ShareFile, CloudPlatform, XenServer, VMware ESX, RES Software and Cisco.
