In order to import the SSL file to XenMobile you need to have the key file as XenMobile need the key in order to decrypt your traffic.


When you go to GoDaddy, DigiCert, Symantec, etc the files that you can download from there are certificates and usually, it doesn’t have the key embedded into the file.

Why they don’t have your key?
Because that is something that you did the first time you created certificate request and that key is stored on the IIS server, NetScaler, or  in the SSL Listener certificate inside the XenMobile, also remember that if you have a pfx file with the old certificate the key should be there and you can extract that information using OpenSSL.

In order to create a PEM file Manually you can follow this process:

1) Open Notepad and add the key that is inside the pfx file or inside the old pm file (You should be able to export the file from the XM console and then extract the file using a text editor)
2) Then add the certificated that you downloaded from your Certificate Authority
3) Then add the Intermediate and the root certificate as the following explication.
—–BEGIN RSA PRIVATE KEY—– (Your Private Key: your_domain_name.key)
—–END RSA PRIVATE KEY—–
—–BEGIN CERTIFICATE—– (Your Primary SSL certificate: your_domain_name.crt)
—-END CERTIFICATE—–
—–BEGIN CERTIFICATE—– (Your Intermediate certificate: DigiCertCA.crt)
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—– (Your Root certificate: TrustedRoot.crt)
—–END CERTIFICATE—–

4) Once you have created that file you will get a certificate with all the certificate chain + the key inside of it.

How do I extract the key from a pfx file?
Go to the NetScaler CLI Export the private key file from the pfx file using this command openssl pkcs12 -in the filename.pfx -nocerts –out the_key.pem 

Note: if you don’t have a NetScaler you can install OpenSSL on a Linux appliance and extract the key using the command provided before