Product Documentation


Feb 24, 2016

You use certificates in XenMobile to create secure connections and authenticate users.

By default, XenMobile comes with a self-signed Secure Sockets Layer (SSL) certificate that is generated during installation to secure the communication flows to the server. Citrix recommends you replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority (CA).

XenMobile also uses its own Public Key Infrastructure (PKI) service or obtains certificates from the CA for client certificates. All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or (SAN) certificates.

To enroll and manage iOS devices with XenMobile, you need to set up and create an Apple Push Notification service (APNs) certificate from Apple. For steps, see Requesting an APNs Certificate.

The following table shows the certificate format and type for each XenMobile component:

XenMobile component Certificate format Required certificate type
NetScaler Gateway PEM (BSAE64)


SSL, Root

NetScaler Gateway converts PFX to PEM automatically.

XenMobile server PEM or



XenMobile also generates a full PKI during the installation process.

StoreFront PFX (PKCS#12) SSL, Root

For NetScaler Gateway and the XenMobile server, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway or the XenMobile configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or XenMobile.

Configuring Client Certificates for Authentication

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to NetScaler Gateway can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

Device authentication with Netscaler Gateway is not supported for certificates obtained through a discretionary CA.

When users log on to NetScaler Gateway, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.

XenMobile PKI

The XenMobile Public Key Infrastructure (PKI) integration feature allows you to manage the distribution and life cycle of security certificates used on your devices.

XenMobile creates an internal PKI for device authentication during the installation process.

External PKIs can also be used to issue certificates to devices to be used in configuration policies or for client authentication to NetScaler Gateway.

The main feature of the PKI system is the PKI entity. A PKI entity models a back-end component for PKI operations. That component is part of your corporate infrastructure, such as a Microsoft, RSA, Entrust, Symantex, or OpenTrust PKI. The PKI entity handles the back-end certificate issuance and revocation. The PKI entity is the authoritative source for the certificate’s status. The XenMobile configuration will normally contain exactly one PKI entity per back-end PKI component.

The second feature of the PKI system is the credential provider. A credential provider is a particular configuration of certificate issuance and life cycle. The credential provider controls things like the certificate format (subject, key, algorithms) and the conditions for its renewal or revocation, if any. The credential providers delegate operations to the PKI entities. In other words, although credential providers control when and with what data PKI operations are undertaken, PKI entities control how those operations are performed. The XenMobile configuration normally contains many credential providers per PKI entity.