Use OpenSSL to create a DER format keypair for NetScaler

23 Oct

At the moment I’m working a lot with NetScaler and SHA256 certificates. I noticed that with the change to SHA256 certs the NetScaler has some difficulties importing them. The error you get is: "Invalid private key, or PEM pass phrase required for this private key."


I found two ways to solve this using OpenSSL. One is to just decrypt the key, but I wouldn’t recommend that. You can do so using the following command:

openssl rsa -in private_key_encrypted.key -out private_key_decrypted.key

The better way is to create a keypair in DER format. I assume you already have your public key (.cer) and your private key (.key) ready to go. If you still need to extract them from, e.g., a PFX, search my blog, because I wrote some articles about how you can accomplish that.

To create the DER keypair:

openssl rsa -inform PEM -outform DER -in keyfile-encrypted-PEM.key -out keyfile-encrypted-DER.key
openssl x509 -inform PEM -outform DER -in public-key-PEM.cer -out public-key-DER.cer

After completion you can import the keypair in DER format into the NetScaler.
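Before importing, it is worth checking the converted files. The script below is an added example, not part of the original post: it runs the two conversions above on a throwaway key pair, confirms that the DER key and certificate belong together, and tests whether the key still needs a passphrase. The file names, the passphrase `example` and the function names are assumptions; note that `openssl rsa` cannot encrypt DER output, so the converted key is written unprotected regardless of its file name.

```shell
# Added example: convert a PEM key/cert to DER as in the post, then check the result.
# File names and the passphrase "example" are constructed for this demo.

# Throwaway AES-encrypted PEM key and self-signed SHA256 cert (sample input only).
make_sample_pair() {
    openssl genrsa -aes256 -passout pass:example -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -sha256 -days 1 -subj "/CN=example.test" \
        -key "$1/key.pem" -passin pass:example -out "$1/cert.pem" 2>/dev/null
}

# The two conversions from the post; $2 is the PEM passphrase, given non-interactively.
convert_to_der() {
    ( umask 077   # the DER key is written without encryption, so keep it owner-only
      openssl rsa -inform PEM -outform DER -passin "pass:$2" \
          -in "$1/key.pem" -out "$1/key.der" 2>/dev/null ) &&
    openssl x509 -inform PEM -outform DER -in "$1/cert.pem" -out "$1/cert.der"
}

# Succeeds only if the DER key loads with an empty passphrase and matches the cert.
verify_der_pair() {
    key_mod=$(openssl rsa -inform DER -passin pass: -in "$1/key.der" \
        -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -inform DER -in "$1/cert.der" \
        -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Succeeds when the key cannot be loaded with an empty passphrase, i.e. it is
# still passphrase-protected (or unreadable). $1 = file, $2 = PEM or DER.
key_is_encrypted() {
    ! openssl rsa -inform "$2" -passin pass: -in "$1" -noout 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" && convert_to_der "$demo_dir" example
verify_der_pair "$demo_dir" && echo "DER key and certificate match"
key_is_encrypted "$demo_dir/key.der" DER || echo "note: DER key is not passphrase-protected"
rm -rf "$demo_dir"
```

Because the DER key is stored in the clear, transfer it over an encrypted channel and delete local copies once the import has succeeded.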


