Send user certificate identity as an email attachment to iOS users

Important:

Citrix SSO for iOS is now called Citrix Secure Access. We are updating our documentation and the UI screenshots to reflect this name change.

Citrix Secure Access on iOS supports client certificate authentication with NetScaler Gateway. On iOS, certificates can be delivered to Citrix Secure Access in one of the following ways:

  • MDM server - This is the preferred approach for MDM customers. Certificates are configured directly on the MDM-managed VPN profile. Both the VPN profile and the certificates are then pushed to a device when it enrolls into the MDM server. Follow your MDM vendor's documentation for this approach.

  • Email - The only approach for non-MDM customers. In this approach, administrators send users an email with the User Certificate identity (certificate and private key) attached as a PKCS#12 file. Users need to have their email accounts configured on their iOS device to receive the email with the attachment. The file can then be imported into Citrix Secure Access on the iOS device. The following section explains the configuration steps for this approach.

Prerequisites

  • User Certificate - A PKCS#12 identity file with a .pfx or .p12 extension for a given user. This file contains both the certificate and the private key.

  • Email account configured on the iOS device.

  • Citrix Secure Access installed on the iOS device.

Configuration steps

  1. Rename the Extension/MIME type of the User Certificate.

    The file extensions most commonly used for user certificates are “.pfx” and “.p12”. Unlike formats such as .pdf or .doc, these extensions are not standard to the iOS platform. Both “.pfx” and “.p12” are claimed by the iOS System and cannot be claimed by third-party apps such as Citrix Secure Access. Hence Citrix Secure Access has defined new Extension/MIME types called “.citrixsso-pfx” and “.citrixsso-p12”. Administrators must change the Extension/MIME type of the User Certificate from the standard “.pfx” or “.p12” to “.citrixsso-pfx” or “.citrixsso-p12” respectively. To rename the extension, admins can run the following commands in Command Prompt or a terminal.

    Windows 10

    cd <DIRECTORY_PATH_TO_CERTIFICATE_FILE>
    rename <CERTIFICATE_FILE_NAME>.pfx <CERTIFICATE_FILE_NAME>.citrixsso-pfx

    macOS

    cd <DIRECTORY_PATH_TO_CERTIFICATE_FILE>
    mv <CERTIFICATE_FILE_NAME>.pfx <CERTIFICATE_FILE_NAME>.citrixsso-pfx
    
  2. Send the file as an email attachment.

    The User Certificate file with the new extension can be sent as an email attachment to the user.

    On receipt of the email, users must install the certificate in Citrix Secure Access.
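The rename step above handles one file at a time. The following added example (not from the Citrix documentation) is a POSIX shell helper that applies the same “.pfx”/“.p12” to “.citrixsso-pfx”/“.citrixsso-p12” mapping to a whole directory of identity files before they are attached to emails. The function names are hypothetical; refusing to overwrite an existing file and setting mode 600 are choices of this example, made because each file carries a private key.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of any Citrix tool.

# Print the Citrix Secure Access file name for a .pfx/.p12 path.
# Returns 1 for any other extension. Matching is case-insensitive.
citrixsso_name() {
    case "$1" in
        *.[pP][fF][xX]) printf '%s\n' "${1%.*}.citrixsso-pfx" ;;
        *.[pP]12)       printf '%s\n' "${1%.*}.citrixsso-p12" ;;
        *)              return 1 ;;
    esac
}

# Rename one identity file and print the new name.
# Never overwrites an existing target; keeps the key file owner-only (assumption).
rename_identity() {
    src=$1
    if [ ! -f "$src" ]; then
        echo "skip: $src is not a regular file" >&2; return 1
    fi
    if ! dst=$(citrixsso_name "$src"); then
        echo "skip: $src is not a .pfx or .p12 file" >&2; return 1
    fi
    if [ -e "$dst" ]; then
        echo "skip: $dst already exists" >&2; return 1
    fi
    mv -- "$src" "$dst" && chmod 600 "$dst" && printf '%s\n' "$dst"
}

# Rename every .pfx/.p12 file in a directory; print how many were renamed.
rename_identities_in() {
    dir=$1
    count=0
    for f in "$dir"/*.[pP][fF][xX] "$dir"/*.[pP]12; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        rename_identity "$f" >/dev/null && count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# Usage (directory name is a placeholder):
#   rename_identities_in ./user-identities
```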
