To use the derived credentials feature, you must create a virtual smart card to use when you log in to a server and connect to a remote desktop. One virtual smart card can hold multiple certificates.

Prerequisites

  • Verify that the client device, remote desktops, RDS hosts, Connection Server host, and other Horizon components meet the smart card authentication requirements. See Smart Card Authentication Requirements.
  • Import a certificate. You can use VMware Workspace ONE PIV-D Manager, or a third-party mobile app such as Purebred, to issue the certificate to the client device. Note that the credential must be exported to the Android system key storage to be accessible to the Horizon client. Export could be direct from the app, or indirect from a device administrator app such as VMware Workspace ONE Intelligent Hub. For an Android device, you can copy a certificate file to the Android device and then import it into the Android system settings.

    If the certificate isn’t exported, the end user must manually import it. For more information, see Workspace ONE PIV-D Manager and Workspace ONE Intelligent Hub.

  • For an Android device, verify that the device has a passcode. A passcode is not required to create a virtual smart card on a Chromebook.

Procedure

  1. Tap the Settings (gear) icon in the upper-right corner of the Horizon Client window.
  2. Tap Derived Credentials and then tap Create new virtual smart card.
  3. (Android device only) Perform device authentication.
  4. Enter and confirm a PIN for the virtual smart card.
  5. Tap Continue to import derived credentials and import the derived credential.
    1. Tap PIV Authentication Certificate.
    2. Select a certificate.
    3. Tap Select.
  6. (Optional) To import a digital signature certificate or encryption certificate after you import the PIV authentication certificate, tap Digital Signature Certificate or Encryption Certificate and follow the prompts.
  7. To create the virtual smart card, tap Done.
    The derived credential appears in the Settings window. The Use Derived Credentials setting is set to on.
  8. To create another virtual smart card for a different Horizon environment, tap Create new virtual smartcard and repeat these steps.

What to do next

Pair a Virtual Smart Card with Smart Card Middleware.