Troubleshooting

Joint Server Certificate Validation Policy

Citrix Workspace app for Android has a stricter validation policy for server certificates.

Important

Before installing this version of Citrix Workspace app for Android, confirm that the certificates at the server or Citrix Gateway are correctly configured as described here. Connections might fail if:

  • the server or Citrix Gateway configuration includes a wrong root certificate.
  • the server or Citrix Gateway configuration does not include all intermediate certificates.
  • the server or Citrix Gateway configuration includes an expired or otherwise invalid intermediate certificate.
  • the server or Citrix Gateway configuration includes a cross-signed intermediate certificate.

When validating a server certificate, Citrix Workspace app for Android uses all the certificates supplied by the server (or Citrix Gateway). It then also checks that every one of those certificates is trusted. If any of them is not trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or Citrix Gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app for Android connection to fail.

Suppose that a Citrix Gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, because it determines exactly which root certificate Citrix Workspace app for Android uses:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Example Root Certificate”

Then, Citrix Workspace app for Android checks that all these certificates are valid. Citrix Workspace app for Android also checks that it already trusts “Example Root Certificate”. If Citrix Workspace app for Android does not trust “Example Root Certificate,” the connection fails.

Important

Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert”/“GTE CyberTrust Global Root” and “DigiCert Baltimore Root”/“Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root”/“Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Android connections from those devices fail. Consult the certificate authority’s documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.

Note

Some servers and Citrix Gateway appliances never send the root certificate, even if one is configured. Stricter validation is then not possible.

Now suppose that a gateway is configured by using these valid certificates. This configuration, omitting the root certificate, is normally recommended:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”

Then, Citrix Workspace app for Android uses these two certificates. It then searches for a root certificate on the user device. If it finds one that validates the chain correctly and is also trusted (such as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app for Android needs, but also allows Citrix Workspace app for Android to choose any valid, trusted root certificate.

Now suppose that a Citrix Gateway is configured by using these certificates:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Wrong Root Certificate”

Citrix Workspace app for Android reads the wrong root certificate, and the connection fails.

Some certificate authorities use more than one intermediate certificate. In this case, the Citrix Gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • “Example Server Certificate”
  • “Example Intermediate Certificate 1”
  • “Example Intermediate Certificate 2”

Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5.” However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.

The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To), but the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”

Avoid configuring the Citrix Gateway to use the cross-signed intermediate certificate, because it selects the earlier root certificate, which might not be present on the user device:

  • “Example Server Certificate”
  • “Example Intermediate Certificate”
  • “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the Citrix Gateway by using only the server certificate:

  • “Example Server Certificate”

In this case, Citrix Workspace app for Android cannot locate the intermediate certificates, and the connection fails.
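The following script is an added example, not Citrix code and not the Workspace app’s own validation routine. It builds a throwaway PKI with openssl that mirrors the certificates named in the scenarios above, assembles each gateway configuration discussed (recommended, with root, with wrong root, with cross-signed intermediate, server only), and checks each one under the strict policy described here (every certificate the gateway sends must itself validate against the device trust store) next to a browser-like check that validates only the server certificate. The name “Example Earlier Root Certificate”, the host name gateway.example.com, and the file layout under $WORK are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not Citrix code. It builds a throwaway PKI with openssl that
# mirrors the certificates named in the text, assembles each gateway
# configuration discussed, and checks every one under two policies:
#   strict   - every certificate the gateway sends must itself validate
#              against the device trust store (the Workspace app rule)
#   lenient  - only the server certificate must validate; extra or wrong
#              certificates in the chain are ignored (browser-like)
# The CN "Example Earlier Root Certificate", the host gateway.example.com and
# the files under $WORK are assumptions made for this demo.
WORK="${WORK:-$(mktemp -d)}"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\ncommonName = placeholder\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=DNS:gateway.example.com\n' > "$WORK/leaf.ext"

# mkcert NAME CN [ISSUER] [leaf]: writes $WORK/NAME.key and $WORK/NAME.pem.
# With no ISSUER a self-signed root is made. An existing NAME.key is reused,
# which is how the cross-signed certificate gets the later root's key.
mkcert() {
  name=$1; cn=$2; issuer=$3; ext=${4:-ca}
  [ -f "$WORK/$name.key" ] || openssl genpkey -algorithm EC \
    -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
    -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$WORK/ca.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$WORK/$ext.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_pki() {
  if [ -f "$WORK/server.pem" ]; then return 0; fi
  mkcert earlier_root "Example Earlier Root Certificate"
  mkcert later_root   "Example Root Certificate"
  mkcert wrong_root   "Wrong Root Certificate"
  # Cross-signed intermediate: same key and Subject as the later root but
  # issued by the earlier root, which is exactly what distinguishes it.
  cp "$WORK/later_root.key" "$WORK/cross.key"
  mkcert cross        "Example Root Certificate" earlier_root
  mkcert intermediate "Example Intermediate Certificate" later_root
  mkcert server       gateway.example.com intermediate leaf
  # Device trust stores: one device has both roots, the other only the later.
  cat "$WORK/earlier_root.pem" "$WORK/later_root.pem" > "$WORK/store_both.pem"
  cp "$WORK/later_root.pem" "$WORK/store_later.pem"
  # Chains as a gateway would send them, server certificate first.
  S=$WORK/server.pem; I=$WORK/intermediate.pem
  cat "$S" "$I"                        > "$WORK/chain_recommended.pem"
  cat "$S" "$I" "$WORK/later_root.pem" > "$WORK/chain_with_root.pem"
  cat "$S" "$I" "$WORK/wrong_root.pem" > "$WORK/chain_wrong_root.pem"
  cat "$S" "$I" "$WORK/cross.pem"      > "$WORK/chain_cross_signed.pem"
  cp "$S" "$WORK/chain_server_only.pem"
}

# strict_verify CHAIN STORE: succeeds only if each certificate in CHAIN
# verifies against STORE, the rest of CHAIN being usable as untrusted issuers.
strict_verify() {
  chain=$1; store=$2; parts="$WORK/parts"
  rm -rf "$parts"; mkdir -p "$parts"
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
                     f { print > f }' "$chain"
  for c in "$parts"/*.pem; do
    openssl verify -no-CApath -CAfile "$store" -untrusted "$chain" "$c" \
      >/dev/null 2>&1 || return 1
  done
}

# lenient_verify CHAIN STORE: only the first (server) certificate must verify.
lenient_verify() {
  chain=$1; store=$2
  openssl x509 -in "$chain" -out "$WORK/first.pem" 2>/dev/null
  openssl verify -no-CApath -CAfile "$store" -untrusted "$chain" \
    "$WORK/first.pem" >/dev/null 2>&1
}

# report CHAIN STORE: one line showing how each policy judges the chain.
report() {
  if strict_verify "$1" "$2"; then s=OK; else s=FAIL; fi
  if lenient_verify "$1" "$2"; then l=OK; else l=FAIL; fi
  printf '%-20s %-12s strict=%-4s lenient=%s\n' \
    "$(basename "$1" .pem)" "$(basename "$2" .pem)" "$s" "$l"
}

build_pki
for chain in chain_recommended chain_with_root chain_wrong_root \
             chain_cross_signed chain_server_only; do
  report "$WORK/$chain.pem" "$WORK/store_later.pem"
done
# A device that still carries the earlier root accepts the cross-signed chain.
report "$WORK/chain_cross_signed.pem" "$WORK/store_both.pem"
```

Against the store that holds only the later root, the recommended chain and the chain with the correct root pass both policies, the wrong-root and cross-signed chains pass the lenient check but fail the strict one, and the server-only chain fails both; against the store with both roots, the cross-signed chain passes the strict check too. To apply the same check to a real gateway, capture what it actually sends with openssl s_client -connect gateway.example.com:443 -servername gateway.example.com -showcerts </dev/null, save the certificates in order to a chain file, and pass that file to strict_verify together with a PEM bundle of the root certificates you expect on the user devices. Because openssl verify also enforces validity periods, an expired intermediate (the third bullet in the Important box above) fails the strict check in the same way.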
