XM Certificates Test

In Endpoint Management, certificates are used to create secure connections and authenticate users.

By default, Endpoint Management comes with a self-signed Secure Sockets Layer (SSL) certificate that is generated during installation to secure the communication flows to the server. Citrix recommends you replace the SSL certificate with a trusted SSL certificate from a well-known certificate authority (CA). Endpoint Management requires a certificate from the Apple Push Notification service (APNs). Endpoint Management also uses its own Public Key Infrastructure (PKI) service or obtains certificates from the CA for client certificates.

The following table shows the certificate format and type for each Endpoint Management component:

Endpoint Management component Certificate format Required certificate type

NetScaler Gateway



SSL, Root

NetScaler Gateway converts PFX to PEM automatically.

Endpoint Management server

PEM or



Endpoint Management also generates a full PKI during the installation process.



SSL, Root

All Citrix products support wildcard and Subject Alternative Name (SAN) certificates. For most deployments, you only need two wildcard or (SAN) certificates.

For NetScaler Gateway and the Endpoint Management server, Citrix recommends obtaining server certificates from a public CA, such as Verisign, DigiCert, or Thawte. You can create a Certificate Signing Request (CSR) from the NetScaler Gateway or the Endpoint Management configuration utility. After you create the CSR, you submit it to the CA for signing. When the CA returns the signed certificate, you can install the certificate on NetScaler Gateway or Endpoint Management.

NetScaler Gateway supports the use of client certificates for authentication. Users logging on to NetScaler Gateway can also be authenticated based on the attributes of the client certificate that is presented to the virtual server. Client certificate authentication can also be used with another authentication type, such as LDAP or RADIUS, to provide two-factor authentication.

To authenticate users based on the client-side certificate attributes, client authentication should be enabled on the virtual server and the client certificate should be requested. You must bind a root certificate to the virtual server on NetScaler Gateway.

When users log on to NetScaler Gateway, after authentication, the user name information is extracted from the specified field of the certificate. Typically, this field is Subject:CN. If the user name is extracted successfully, the user is then authenticated. If the user does not provide a valid certificate during the Secure Sockets Layer (SSL) handshake or if the user name extraction fails, authentication fails.

You can authenticate users based on the client certificate by setting the default authentication type to use the client certificate. You can also create a certificate action that defines what is to be done during the authentication based on a client SSL certificate.

The Endpoint Management Public Key Infrastructure (PKI) integration feature allows you to manage the distribution and life cycle of security certificates used on your devices.

Endpoint Management creates an internal PKI for device authentication during the installation process.

External PKIs can also be used to issue certificates to devices to be used in configuration policies or for client authentication to NetScaler Gateway.

The main feature of the PKI system is the PKI entity. A PKI entity models a back-end component for PKI operations. That component is part of your corporate infrastructure, such as a Microsoft, RSA, Entrust, Symantex, or OpenTrust PKI. The PKI entity handles the back-end certificate issuance and revocation. The PKI entity is the authoritative source for the certificate’s status. The Endpoint Management configuration will normally contain exactly one PKI entity per back-end PKI component.

The second feature of the PKI system is the credential provider. A credential provider is a particular configuration of certificate issuance and life cycle. The credential provider controls things like the certificate format (subject, key, algorithms) and the conditions for its renewal or revocation, if any. The credential providers delegate operations to the PKI entities. In other words, although credential providers control when and with what data PKI operations are undertaken, PKI entities control how those operations are performed. The Endpoint Management configuration normally contains many credential providers per PKI entity.

If an active certificate suddenly expires, applications will no longer be able to communicate with Endpoint Management and vice-versa. To avoid this, administrators should proactively identify certificates nearing expiry and renew the certificates. This is where the XM Certificates test helps. This test captures the expiry date of all active certificates, computes how long each active certificate will remain valid, and proactively alerts administrators if any certificate is nearing expiry.

Target of the test : A Citrix Endpoint Management

Agent deploying the test : A remote agent

Outputs of the test : One set of results for every active SSL certificate installed on Endpoint Management.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.


The host for which the test is to be configured.


The port at which the specified host listens. By default, this is 4443.

Report Only Active Certificates

By default, this flag is set to Yes, indicating that this test reports the validity of active certificates only. To ensure that the test reports the validity of all certificates, set this flag to No.

Username and Password

Specify the credentials of a Endpoint Management user with Administrator privileges.

Confirm Password

Confirm the password by retyping it here.


Indicate whether/not the Endpoint Management server is SSL-enabled. By default, this flag is set to Yes

Measurements made by the test
Measurement Description Measurement Unit Interpretation


Indicates the current status of this SSL certificate.


The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Valid 1
Invalid 0


By default, this measure reports the Measure Values discussed in the table above. However, in the graph of this measure, the status of the certificate is indicated using the numeric equivalents only.

Valid up to

Indicates how long this certificate will remain valid.


A high value is desired for this measure. A very low value indicates that the certificate is about to expire very soon. You may want to consider renewing the certificate before this eventuality strikes.

Use the detailed diagnosis of this measure to know the exact date on which the certificate will expire.