To use the derived credentials feature, you must create a virtual smart card to use when you log in to a server and connect to a remote desktop. One virtual smart card can hold multiple certificates.


  • Verify that the client device, remote desktops, RDS hosts, Connection Server host, and other Horizon components meet the smart card authentication requirements. See Smart Card Authentication Requirements.
  • Import a certificate. You can use a third-party application, such as Purebred, to deliver the certificate to the client device. For an Android device, you can copy a certificate file to the Android device and then import it into the Android system settings.
  • For an Android device, verify that the device has a passcode. A passcode is not required to create a virtual smart card on a Chromebook.


  1. Tap the Settings (gear) icon in the upper-right corner of the Horizon Client window.
  2. Tap Derived Credentials and then tap Create new virtual smart card.
  3. (Android device only) Perform device authentication.
  4. Enter and confirm a PIN for the virtual smart card.
  5. Tap Continue to import derived credentials and import the derived credential.
    1. Tap PIV Authentication Certificate.
    2. Select a certificate.
    3. Tap Select.
  6. (Optional) To import a digital signature certificate or encryption certificate after you import the PIV authentication certificate, tap Digital Signature Certificate or Encryption Certificate and follow the prompts.
  7. To create the virtual smart card, tap Done.
    The derived credential appears in the Settings window. The Use Derived Credentials setting is set to on.
  8. To create another virtual smart card for a different Horizon environment, tap Create new virtual smartcard and repeat these steps.

What to do next

Pair a Virtual Smart Card with Smart Card Middleware.