Step by Step – Configure Citrix Netscaler for Mutual TLS authentication with PhenixID Authentication Services


This document will guide you through the steps to configure Citrix NetScaler for certificate authentication with mutual TLS.

This will enable usage of SmartCard authentication in PAS.

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • Citrix Netscaler admin rights



This document will guide you through the steps to configure Netscaler for Mutual TLS.

The configuration for PAS to receive the http-header with the certificate is documented at the PAS documentation.  Look for HeaderBasedCertificate or HeaderBasedCertificateSAML authenticators.

Configure TrustStore

The first step is to configure which certificates the Netscaler should trust. This is done by entering the CA certificates under Traffic Management> Load Balancing> Virtual Servers

For everything to work, you must also bring the root certificate (so that you get the whole chain). By checking the box “Skip CA” when entering the root certificate, it will not be sent to the client browser.

Then enter the intermediate certificates you want to present to the browser. This way you can get the client browser to send certificates for example HSA ID but not social security number (which has another intermediate).

Specify URI for mutual TLS demand

The second step is to specify in which subdirectories the Netscaler must require client certificates. Create an SSL Policy that turns on a specific subdirectory and then an SSL Action that requires us to have a client certificate to access that directory.

Send certificate to PAS in HTTP-header

The last step, after Netscaler has approved the client certificate, is to forward it to the backend servers in an HTTP header. Then you need another SSL Action that turns on the same directory and an SSL Policy that writes the entire certificate in a header. The header must be configured with the same name as PAS is configured to receive the header.

Verify configuration

This image is an example with two different URI:s configured for mutual TLS.

Configure PAS

Now it’s time to configure PAS for client certificate authentication

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID -