Citrix Gateway certificate pinning with Android Citrix SSO

Certificate pinning helps in preventing man-in-the-middle attacks. Citrix SSO supports certificate pinning only for managed VPN configurations in Android Enterprise mode and legacy device administrator mode. It is not supported for VPN profiles added by end user.

Configure Citrix Gateway certificate pinning with Android Citrix SSO

For details on certificate pinning in the managed configuration (formerly app restrictions) for Citrix SSO, see Certificates and authentication.

A new key-value pair is defined to carry the pinned Citrix Gateway certificate hashes as follows.

Key: ServerCertificatePins
Value: {
  "hash-alg": "sha256",
  "pinset": [
    "cert1_base64_encoded_SHA-256_hash_of_the_X509_SubjectPublicKeyInfo(SPKI)",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
    ...
  ]
}

The key for specifying certificate pinning details in the managed configuration is ServerCertificatePins. The value is a JSON payload carrying the base64 encoded SHA-256 hashes of the pinned Citrix Gateway certificate and the hashing algorithm used. The pinned certificate can be any of the certificates in the chain of trust validated by the operating system. In this case, it is Android.

The certificate pinning is done only after the operating system has validated the certificate chain during TLS handshake. The pin of the certificate is computed by hashing the certificate’s subject public key information (SPKI). Both the fields (“hash-alg” and “pinset”) must be specified in the JSON payload.

The “hash-alg” specifies the hashing algorithm used to compute the SPKI hash. The “pinset” specifies the JSON array containing base64 encoded SHA-256 hash of the Citrix Gateway certificate’s SPKI data. At least one value must be specified for the certificate pin. More pin values can be specified to allow for certificate rotation or expiry.

You can compute the value for the pin for a domain (for example, gw.yourdomain.com) by using the following openssl command.

openssl s_client -servername gw.yourdomain.com -connect gw.yourdomain.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

The command displays the base64 encoded SHA-256 hash of the leaf certificate presented by a gateway. Any certificate in the chain can be used for certificate pinning. For example, if an enterprise is using their own intermediate CA for generating certificates for multiple gateways, pin corresponding to the intermediate signing certificate can be used. If none of the pins match the certificates in the validated certificate chain, the TLS handshake is aborted and connection to the gateway does not proceed.

Note: In device administrator mode, certificate pinning is supported only with Citrix Endpoint Management and Microsoft Endpoint Management solutions. Certificate pinning must be configured in the custom parameters used in the legacy VPN profile (not managed configuration) with the custom parameter ServerCertificatePins with the same JSON payload for pinning.

Citrix Gateway certificate pinning with Android Citrix SSO