Send user certificate identity as an email attachment to iOS users

Citrix SSO on iOS supports client certificate authentication with Citrix Gateway. On iOS, certificates can be delivered to the Citrix SSO app in one of following ways:

  • MDM server - This is the preferred approach for MDM customers. Certificates are configured directly on the MDM managed VPN profile. Both VPN profiles and certificates are then pushed to enrolled devices when the device enrolls into the MDM server. Please follow MDM vendor specific documents for this approach.

  • Email - Only approach for non-MDM customers. In this approach, administrators send an email with the User Certificate identity (Certificate and private key) attached as a PCKS#12 file to users. Users need to have their email accounts configured on their iOS device to receive the email with attachment. The file may then be imported to the Citrix SSO app on the iOS. The following section explains the configuration steps for this approach.

Prerequisites

  • User Certificate - A PKCS#12 identity file with a .pfx or .p12 extension for a given user. This file contains both the certificate and the private key.

  • Email account configured on the iOS device.

  • Citrix SSO app installed on the iOS device.

Configuration steps

1. Rename the Extension/MIME type of the User Certificate.

File extensions most commonly used for user certificate are “.pfx,” “.p12,” and so forth. These file extensions are non-standard to the iOS platform unlike formats such as .pdf, .doc. Both “.pfx” and “.p12” are claimed by the iOS System and cannot be claimed by third-party apps such as Citrix SSO. Hence Citrix SSO has defined a new Extension/MIME type called “.citrixsso-pfx” and “.citrixsso-p12”. Administrators must change the Extension/MIME type of the User Certificate, from standard “.pfx” or “.p12” to “.citrixsso-pfx” or “.citrixsso-p12” respectively. To rename the extension, admins can run the following command on Command prompt or terminal.

Windows 10

cd <DIRECTORY_PATH_TO_CERTIFICATE_FILE>
rename <CERTIFICATE_FILE_NAME>.pfx <CERTIFICATE_FILE_NAME>.citrixsso-pfx

macOS

cd <DIRECTORY_PATH_TO_CERTIFICATE_FILE>
mv <CERTIFICATE_FILE_NAME>.pfx <CERTIFICATE_FILE_NAME>.citrixsso-pfx

2. Send the file as an email attachment. The User Certificate file with the new extension can be sent as an email attachment to the user.

On receipt of the email, users must install the certificate in Citrix SSO app.

Send user certificate identity as an email attachment to iOS users