NetScaler,NetScaler Gateway
NetScaler 10,NetScaler 9_3,Access Gateway 10
This article describes how to update or replace an SSL certificate on NetScaler.


When updating or replacing an SSL certificate on a virtual server or service you do not have to unbind the original Secure Socket Layer (SSL) certificate before binding a new SSL certificate.

WARNING! When you update an SSL certificate, it minimizes the time the virtual servers are not available compared to the time that is taken to manually unbind an SSL certificate, delete the SSL certificate, add a new SSL certificate, and bind the new SSL certificate.

Even though the SSL virtual server is not available for some time, any connections established to the virtual server are disconnected when the SSL certificate is updated.

The disconnected connections must be reconnected by the end user. The disconnected connections can be reconnected automatically depending on the client software used. Web browser clients can be expected to reconnect automatically on the next HTTP GET or POST performed by the web browser. NetScaler Gateway SSL VPN clients reconnect automatically. ICA connection clients can only reconnect if Session Reliability is enabled in the Web Interface site configuration or Cloud Gateway configuration.

To update a certificate from the GUI of the appliance, complete the following procedure:

  1. For NetScaler navigation panel expand Traffic Management and click SSL node.

    User-added image

  2. Click Certificates.

  3. In the SSL Certificates page, select the certificate you want to update.

  4. Click Update.

    User-added image

    User-added image

  1. For the Certificate File Name, click Browse and navigate and select the appropriate certificate file.

  2. For the Private Key File Name, click Browse and navigate and select the appropriate key file.

  3. If the certificate is password protected, specify the password in the Password field.

  4. Select the appropriate Format option.

  5. Click OK.

Use the following command to update the certificate from the command line interface:
update ssl certkey <Cert_Key_Name> [-cert <String>]
[(-key <String> [-password]) | -fipsKey <String>]
[-inform (DER|PEM)][-noDomainCheck]

Additional Resources

For an example and additional information, refer to Citrix Documentation -??Adding or Updating a Certificate-Key Pair.
Note: If the private key is password protected, you must specify the password. If you do not do so, you are prompted to specify the password.

For more information on managing certificates on NetScaler refer to??Citrix Documentation - Managing Certificates.

Applicable Products


Join the conversation

Citrix Discussions

Open a case

Citrix Support