Using Device Certificates for Authentication

Citrix Gateway supports device certificate check that enables you to bind the device identity to a certificate’s private key. The device certificate check can be configured as part of classic or advanced EPA policies. In classic EPA policies, device certificate can be configured only for preauthentication EPA.

If you install two or more device certificates on Citrix Gateway, users need to select the correct certificate when they start to log on to Citrix Gateway or before the endpoint analysis scan runs.

When you create the device certificate, it must be an X.509 certificate.

Important: By default, Windows mandates admin privileges for accessing device certificates. To add device certificate check for non-admin users, you must install the VPN plug-in. The VPN plug-in version must be the same version as the EPA plug-in on the device.

For more information about creating device certificates, see the following:

To enable and bind device certificates on a virtual server for classic EPA policy

After you create the device certificate, you install the certificate on Citrix Gateway by using the procedure for Importing and Installing an Existing Certificate to Citrix Gateway. After you install the certificate, you bind the certificate to the virtual server.

  1. In the configuration utility, navigate to Citrix Gateway > Virtual Servers.
  2. In the details pane, click a virtual server and then click Edit.
  3. In the Virtual Server details pane, click the pencil icon then expand More.
  4. Select Enable Device Certificate.
  5. In the selection dialog that appears, select Add and then click a device certificate to enable. Click the plus icon next to the chosen device certificate and then click OK.

Note: For information on enabling and binding device certificates on a virtual server for advanced EPA policy, see Device Certificate in nFactor as an EPA component.