Error: "SSL Error 27: No local security certificates could be loaded." When Opening Apps Through NetScaler Gateway
Article ID: CTX209378
Description
The following error is displayed when opening applications through NetScaler Gateway when NetScaler enforces client certificates and TLS_1.2:
SSL Error 27: No local security certificates could be loaded.
Resolution
In order to resolve the issue, use "Microsoft Enhanced RSA and AES Cryptographic Provider" for all certificates issued to clients/users where TLS_1.2 is enforced by the NetScaler.
The following are the two ways to achieve this:
- The first is to use OpenSSL to change the client certificate's provider name to "Microsoft Enhanced RSA and AES Cryptographic Provider". However, this would need to be done for every client certificate.
- The second (and more efficient method) is to reissue the client certificate, ensuring that the issuing CA uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" in the template providing the certificate.
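A sketch of the first (OpenSSL) method, added here as an example and not taken from the Citrix article: it re-exports a client PKCS#12 bundle with the required provider name and reads the recorded name back. The function names and the `PFX_PASS` environment variable (holding the bundle password) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Citrix code). Assumes the bundle password is in $PFX_PASS,
# so it never appears on a command line or in the process list.
CSP_NAME="Microsoft Enhanced RSA and AES Cryptographic Provider"

# set_pfx_csp IN.pfx OUT.pfx
# Re-export IN.pfx as OUT.pfx with the CSP name attribute set to $CSP_NAME.
set_pfx_csp() {
    in_pfx=$1
    out_pfx=$2
    tmp=$(mktemp) || return 1
    rc=1
    # Step 1: unpack key and certificates to PEM. Without -nodes the private
    # key stays encrypted (under $PFX_PASS) in the temporary file.
    if openssl pkcs12 -in "$in_pfx" -passin env:PFX_PASS \
            -passout env:PFX_PASS -out "$tmp" 2>/dev/null &&
       # Step 2: build a new PKCS#12 bundle carrying the new CSP name.
       openssl pkcs12 -export -in "$tmp" -passin env:PFX_PASS \
            -passout env:PFX_PASS -CSP "$CSP_NAME" -out "$out_pfx"
    then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# pfx_csp FILE.pfx
# Print the "Microsoft CSP Name" attribute stored on the key bag, if any.
pfx_csp() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -passout env:PFX_PASS \
        2>/dev/null | sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

# Stand-alone use: PFX_PASS=... sh thisfile.sh old.pfx new.pfx
if [ "$#" -eq 2 ]; then
    set_pfx_csp "$1" "$2" && pfx_csp "$2"
fi
```

Re-exporting this way drops the bundle's friendlyName unless `-name` is passed, and on OpenSSL 3.x an input bundle protected with RC2-40 needs `-legacy` on the first command.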
Problem Cause
Be aware that this is not a Citrix issue. The issue is caused by using a CSP that is not compatible with TLS_1.2. These CSPs do not support the SHA256 algorithm required for the TLS_1.2 Certificate Verify message. This is why you see the empty signature in the returning "Certificate Verify" message (RCVR => NetScaler) in the Wireshark traces.
