ADC

Dynamic client certificate generation

December 8, 2025

Contributed by:

Note:

Dynamic client certificate generation feature is available only in NetScaler FIPS release from 13.1-37.255 version onwards.

The dynamic client certificate generation feature allows NetScaler to facilitate end-to-end mutual Transport Layer Security (mTLS) communication. NetScaler achieves this by generating a new client certificate for the backend server-side handshake, using the information extracted from the client certificate provided during the client-side SSL handshake.

Traditional certificate-based authentication protocols, such as smart card authentication, require a complete end-to-end TLS handshake for client verification. Dynamic client certificate generation feature overcomes this restriction, allowing security teams to inspect encrypted traffic (through decryption and re-encryption) while still satisfying smart card or certificate-based authentication requirements.

How it works

When dynamic client certificate generation is enabled, the NetScaler seamlessly manages both the client-side and server-side mTLS handshakes:

Step	Client-Side Handshake (Client <-> NetScaler)	Server-Side Handshake (NetScaler <-» Server)
1	The client sends Client Hello.	NetScaler initiates a handshake with Client Hello to the backend server.
2	NetScaler responds with Server Hello and its configured certificate.	The server responds with Server Hello and its certificate.
3	NetScaler sends Certificate Request to the client (Client Authentication must be enabled on the front-end).	The server sends a Client Certificate Request to NetScaler.
4	The client responds with its certificate, and NetScaler verifies it.	NetScaler generates a new client certificate using the configured CA and sends it to the server (if the Dynamic Client Certificate Generation feature is enabled).
5	The client-side SSL handshake completes.	The server-side SSL handshake completes.

Some of the benefits are:

Customers can manage application availability using NetScaler while maintaining strong mutual TLS communication.
NetScaler decrypts, inspects the content, and then re-encrypts the TLS communication, even when Smart Card or certificate-based authentication is used.
By operating as a middleman, NetScaler enables content inspection combined with NetScaler Console SSL insights or any other third-party tool for enhanced observability.

Enable dynamic client certificate generation

Prerequisites

Ensure that the following is configured on the virtual server:
- The server certificate is to be served to clients.
- The CA certificate for verifying the client certificate such as the CA that issued the client’s actual certificate.
Enable the client certificate authentication on the front-end enhanced SSL profile.
Enable client certificate authentication on the backend origin server. The origin server must trust the NetScaler CA certificate used for generating the client certificates.
Ensure to migrate to the enhanced SSL profile. For more information, see Migrate the SSL configuration to the enhanced SSL profile.

To enable dynamic client certificate generation using CLI

Enable the feature on the SSL profile bound to the backend service.

At the command prompt, type:

set ssl profile <backend_profile_name> -dynamicClientCert ENABLED
Create a certificate key for the CA used to sign the generated dynamic client certificate.

At the command prompt, type:

add ssl certkey <certkey_name> -cert <cert_file> -key <key_file>
Bind the certificate key to the backend profile where the Dynamic Client Certificate Generation feature is enabled.

At the command prompt, type:

bind ssl profile <backend_profile_name> --certkeyName <certkey_name> -forgingCACertkey

Notes:

If the client certificate is configured as optional in the front end profile and the peer does not provide a certificate, NetScaler intentionally fails the handshake with the backend server.

The Dynamic Client Certificate Generation feature works seamlessly with NetScaler SSL Orchestrator in the reverse proxy deployment. For more information, see ICAP for remote content inspection.

Limitations

The dynamic client certificate generation feature is not supported in the following scenarios:

DTLS
Admin partition environments

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler Secure Deployment Guide

Dynamic client certificate generation

December 8, 2025

Contributed by:

December 8, 2025

Contributed by:

Dynamic client certificate generation

How it works

Enable dynamic client certificate generation

Prerequisites

To enable dynamic client certificate generation using CLI

Limitations

In this article