After reading, the Citrix blog about using Let’s Encrypt certificate I decided to try this out on my test environment. Source =

I found that I was able to get a free Let’s Encrypt certificate for my test environment, but I also find that when only having one public IP address I needed a SAN certificate to do my testing of different functions on the NetScaler and backend resources.

I flowed the Citrix blog all the way up to Steep 2, where I did some changes:

Step 2, multi hostname response:

As we are requesting a SAN certificate Let’s Encrypt is testing for every hostname and the response code. First, create all the FQDN’s to point to your NetScaler at your DNS provider.

Create html response page for the FQDN’s:

Netscaler > AppExpert > Responder > HTML Page Imports


Create additional FQDN’s response:


Now create responder actions for every FQDN’s

Netscaler > AppExpert > Responder > Action


Create responder policies to point the and to the corresponding html page.

Netscaler > AppExpert > Responder > Policies


Create content switching vserver on port 80. This is where firewall rules, routes, etc. should be added.

NetScaler -> Traffic Management -> Content Switching -> Content Switching Virtual Servers


Bind your responder policies to this content switching server.


Add binding for other responder policies.


Before continuing test the response for and The replay would be citrix and sts, if the responder action, policy and content switching configuration is correct.

Step 3: Create the certificate request

To make the SAN certificate request connect to the Let’s Encrypt server on ssh and run the flowing command:

certbot certonly -–manual –-email -d -d –-rsa-key-size 2048


Copy the marked code to the responder html page for


Do the same for the


Copy the marked code to the responder html page for


Before continuing test the 2 pages is responding with it’s uniq code. When you have tested the response go on:

Let’s Encypt will validate that the page presented contains the expected text and will then issue the certificate, assuming that your responder is properly working and the response matches what Let’s Encrypt expects.

Upon success, Let’s Encrypt will produce a set of files in /etc/letsencrypt/live/  These PEMs need to be converted before they will work with the netscaler.

  • pem – the actual server cert
  • pem – the intermediate certificates required
  • pem – the server cert + the chain
  • pem – the private key for the server cert

To get the certificate installed on the NetScaler flow Step 4, on

Let’s Encrypt will support wildcard certificates in 2018, but for now we can get a SAN certificate with multiple FQDN’s. With NetScaler Content Switching we can then control multiple sites on one public IP.