Using Device Certificates for Authentication

Citrix Gateway supports the device certificate check that enables you to bind the device identity to a certificate’s private key. The device certificate check can be configured as part of classic or advanced EPA policies. In classic EPA policies, the device certificate can be configured only for preauthentication EPA.

Citrix Gateway verifies the device certificate before the endpoint analysis scan runs or before the logon page appears. If you configure endpoint analysis, the endpoint scan runs to verify the user device. When the device passes the scan and after Citrix Gateway verifies the device certificate, users can then log on to the NetScaler Gateway.


  • By default, Windows mandates admin privileges for accessing device certificates.
  • To add a device certificate check for non-admin users, you must install the VPN plug-in. The VPN plug-in version must be the same version as the EPA plug-in on the device.
  • If you install two or more device certificates on Citrix Gateway, users must select the correct certificate when they start to log on to Citrix Gateway or before the endpoint analysis scan runs.
  • When you create the device certificate, it must be an X.509 certificate.

For more information about creating device certificates, see the following:

To use device certificate based authentication on a virtual server for classic EPA policy

After you create the device certificate, you install the certificate on Citrix Gateway by using the procedure for Importing and Installing an Existing Certificate to Citrix Gateway.

  1. On the Configuration tab, navigate to Citrix Gateway > Virtual Servers.
  2. On the Citrix Gateway Virtual Servers page, select an existing virtual server and click Edit.
  3. On the VPN Virtual Servers page, under Basic Settings section, click Edit.
  4. Clear the Enable Authentication box to disable authentication.
  5. Select the Enable Device Certificate box to enable device certificate
  6. Click Add to add an available device certificate issuer’s CA certificate name to the list.
  7. For binding a CA certificate to the virtual server, click CA certificate under the CA for Device Certificate section, click Add, select the certificate, and then click +.

Note: For information on enabling and binding device certificates on a virtual server for advanced EPA policy, see Device Certificate in nFactor as an EPA component.