NetScaler

Deploy certificates to Citrix NetScaler ADC appliances via the NITRO API. Certificates can be automatically bound to SSL virtual servers for seamless load balancer integration.

Certificate Syncs are configured per Application. First select which certificates to sync, then configure the NetScaler destination.

Prerequisites

A NetScaler Connection with NITRO API access
The NetScaler must be accessible over HTTPS from Infisical (directly or via an Infisical Gateway)
User account with permissions to manage SSL certificates and bind them to vservers

Create a NetScaler Sync

Infisical UI
API

In your Application, go to the Certificate Syncs tab and click Create Sync.
Select the NetScaler option.
Configure the Destination:
- NetScaler Connection: The NetScaler Connection to authenticate with.
- SSL vServer Name (Optional): The SSL virtual server to bind the certificate to. Leave empty to only upload without binding.
Configure the Sync Options:
- Enable Removal of Expired/Revoked Certificates: Remove certificates from the destination if they are no longer active.
- Preserve Certificate on Renewal: Update the existing certkey object in place, preserving name and vServer bindings.
- Certificate Name Schema: Customize certificate names using {{certificateId}} placeholder.
- Auto-Sync Enabled: Automatically sync certificates when changes occur.
Configure the Details:
- Name: The name of your sync (slug-friendly).
- Description: Optional description.
Select which certificates should be synced.
Review and click Create Sync.

To create a NetScaler Certificate Sync, make an API request to the Create NetScaler PKI Sync endpoint.

Sample request

You can optionally specify certificateIds during sync creation to immediately add certificates to the sync. If not provided, you can add certificates later using the certificate management endpoints.

Request

curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/netscaler \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-netscaler-cert-sync",
    "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example certificate sync",
    "connectionId": "550e8400-e29b-41d4-a716-446655440000",
    "destination": "netscaler",
    "isAutoSyncEnabled": true,
    "certificateIds": [
        "550e8400-e29b-41d4-a716-446655440000"
    ],
    "syncOptions": {
        "canRemoveCertificates": true,
        "preserveItemOnRenewal": true,
        "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
        "vserverName": "vs-ssl-prod"
    }
}'

Sample response

Response

{
    "pkiSync": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-netscaler-cert-sync",
        "description": "an example certificate sync",
        "destination": "netscaler",
        "isAutoSyncEnabled": true,
        "destinationConfig": {
            "vserverName": "vs-ssl-prod"
        },
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveItemOnRenewal": true,
            "certificateNameSchema": "myapp-{{certificateId}}"
        },
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "createdAt": "2026-03-31T00:00:00.000Z",
        "updatedAt": "2026-03-31T00:00:00.000Z"
    }
}

Certificate Management

The NetScaler Certificate Sync provides:

Automatic Deployment: Deploy certificates in Infisical to NetScaler sslcertkey objects with customizable naming.
Certificate Updates: Update certificates on NetScaler when renewals occur, with optional in-place replacement.
vServer Binding: Automatically bind certificates to SSL virtual servers for seamless load balancer integration.
Expiration Handling: Optionally remove expired or revoked certificates from NetScaler (if enabled).
Configuration Persistence: Automatically save the NetScaler running configuration after each sync to persist changes across reboots.

NetScaler Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.

How It Works

When syncing certificates, Infisical performs the following steps on the NetScaler appliance via the NITRO REST API:

Logs in to the NetScaler NITRO API using the configured credentials.
For each certificate:
- Uploads the certificate file (.cer) to /nsconfig/ssl/.
- Uploads the private key file (.key) to /nsconfig/ssl/.
- Creates or updates an sslcertkey object linking the cert and key.
- If a vServer is configured, binds the certkey to the SSL virtual server.
Saves the running configuration to persist changes across reboots.
Logs out of the session.

Certificate Renewal Behavior

When a certificate is renewed in Infisical, the behavior depends on the Preserve Certificate on Renewal option:

Preserve enabled (default): The existing certkey object is updated in place with the new certificate content. The certkey name and any vServer bindings are preserved. This is ideal for production environments where services reference the certkey by name.
Preserve disabled: A new certkey object is created with a unique name. The original certkey remains on the NetScaler. Both certificates coexist until the original is revoked or removed.

Removing Certificates

When certificate removal is enabled and a certificate is no longer active in Infisical:

Unbinds the certificate from any configured SSL virtual server.
Deletes the sslcertkey object.
Deletes the certificate and key files from /nsconfig/ssl/.
Saves the configuration.

Manual Certificate Sync

You can manually trigger certificate synchronization to NetScaler using the sync certificates functionality. This is useful for:

Initial setup when you have existing certificates to deploy
One-time sync of specific certificates
Testing certificate sync configurations
Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

FAQ

Can I import certificates from NetScaler back into Infisical?

NetScaler does not support importing certificates back into Infisical due to the nature of NetScaler appliances where private keys cannot be extracted from the system.

What’s Next?

AWS Certificate Manager

Import certificates into ACM for AWS services.

Auto-Renewal

Enable automatic certificate renewal and syncing.

Alerting

Get notified about certificate lifecycle events.

Other Sync Destinations

View all supported sync destinations.

Certificate Management

Product Reference

Reference

Prerequisites

Create a NetScaler Sync

Sample request

Sample response

Certificate Management

How It Works

Certificate Renewal Behavior

Removing Certificates

Manual Certificate Sync

FAQ

What’s Next?

AWS Certificate Manager

Auto-Renewal

Alerting

Other Sync Destinations

Certificate Management

Product Reference

Reference

Documentation Index

​Prerequisites

​Create a NetScaler Sync

​Sample request

​Sample response

​Certificate Management

​How It Works

​Certificate Renewal Behavior

​Removing Certificates

​Manual Certificate Sync

​FAQ

​What’s Next?

AWS Certificate Manager

Auto-Renewal

Alerting

Other Sync Destinations

Prerequisites

Create a NetScaler Sync

Sample request

Sample response

Certificate Management

How It Works

Certificate Renewal Behavior

Removing Certificates

Manual Certificate Sync

FAQ

What’s Next?