Connections and Certificates

Connections

Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:

    • StoreFront using StoreFront services or Citrix Workspace app for Web sites
    • Web Interface 5.4 for Windows, using Web Interface or Citrix Virtual Apps Services sites
  • For secure remote or local connections:

    • Citrix Gateway 12.0
    • NetScaler Gateway 10.1 and later
    • NetScaler Access Gateway Enterprise Edition 10
    • NetScaler Access Gateway Enterprise Edition 9.x
    • NetScaler Access Gateway VPX

    For information about the Citrix Gateway versions supported by StoreFront, see System requirements of StoreFront.

About secure connections and certificates

Note:

For additional information about security certificates, see Secure communications.

Certificates

To ensure secure transactions between server and client, use the following certificates:

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device to access Citrix resources using Citrix Workspace app.

Note:

If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not in the local key store), an untrusted certificate warning appears. If a user chooses to continue through the warning, the apps are displayed but cannot be launched. To resolve this, install the root certificate in the client’s certificate store.

Root certificates on user devices

For domain-joined computers, you can use Group Policy Object administrative template to distribute and trust CA certificates.

For non-domain joined computers, the organization can create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app for Linux supports wildcard certificates; however, use them only in accordance with your organization’s security policy, because one private key then protects every host the wildcard matches. In practice, consider alternatives to wildcard certificates, such as a certificate that lists the server names in the Subject Alternative Name (SAN) extension. Both private and public certificate authorities can issue such certificates.

Intermediate certificates and the Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates from Citrix Gateway.

Joint Server Certificate Validation Policy

Citrix Workspace app for Linux has a stricter validation policy for server certificates.

Important:

Before installing this version of Citrix Workspace app for Linux, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app for Linux now uses every certificate supplied by the server (or gateway), not only the certificates it needs to build a path to a root. As in previous Citrix Workspace app for Linux releases, it then also checks that the certificates are trusted. If any of the supplied certificates is not trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. A web browser builds its own path from the server certificate to any one of the large set of root certificates it trusts and may ignore an extra or incorrect certificate that the server sends; Citrix Workspace app for Linux validates every certificate it is sent.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app for Linux’s connection to fail.

Suppose that a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, by determining exactly which root certificate is used by Citrix Workspace app for Linux:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Example Root Certificate”

Then, Citrix Workspace app for Linux checks that all these certificates are valid. Citrix Workspace app for Linux also checks that it already trusts “Example Root Certificate.” If Citrix Workspace app for Linux does not trust “Example Root Certificate,” the connection fails.

Important:

  • Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert”/”GTE CyberTrust Global Root,” and “DigiCert Baltimore Root”/”Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root”/”Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Linux connections on those user devices will fail. Consult the certificate authority’s documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.
  • Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose that a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

Then, Citrix Workspace app for Linux uses these two certificates. It then searches for a root certificate on the user device. If it finds one that validates correctly, and is also trusted (such as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app for Linux needs, but also allows Citrix Workspace app for Linux to choose any valid, trusted, root certificate.

Now suppose that a gateway is configured with these certificates:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Wrong Root Certificate”

A web browser may ignore the wrong root certificate. However, Citrix Workspace app for Linux will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • “Example Server Certificate”

  • “Example Intermediate Certificate 1”

  • “Example Intermediate Certificate 2”

Important:

  • Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5.” However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.
  • The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it selects the earlier root certificate:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the gateway with only the server certificate:

  • “Example Server Certificate”

In this case, if Citrix Workspace app for Linux cannot locate all the intermediate certificates, the connection fails.
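The gateway configurations above (root included, root omitted, wrong root, cross-signed intermediate, server certificate only) can be reproduced offline with a throw-away test PKI. The script below is an added example and not Citrix code: it builds the PKI with openssl and checks each bundle under two policies, a browser-style check of the leaf only and a check of every supplied certificate, which is the behaviour this article describes for Citrix Workspace app for Linux. The names (Example Earlier Root, Example Root, Example Intermediate, Wrong Root, gateway.example.com) and the two client trust stores (one device with only the later root, one with both roots) are assumptions made for the example, and the `openssl verify` calls approximate the app’s policy rather than being the app’s own code.

```shell
#!/bin/sh
# Added example (not Citrix code). Builds a hypothetical PKI with openssl and
# shows which gateway certificate bundles pass a "verify every supplied
# certificate" policy versus a "verify the leaf only" policy.
set -eu
WORK=$(mktemp -d); cd "$WORK"

cat > cfg <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:gateway.example.com
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly
newkey() { q openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
selfsign() { # $1 key, $2 out, $3 CN
  q openssl req -new -x509 -config cfg -key "$1" -subj "/CN=$3" -days 30 -out "$2"; }
sign() { # $1 subject key, $2 CN, $3 issuer cert, $4 issuer key, $5 ext section, $6 out
  q openssl req -new -config cfg -key "$1" -subj "/CN=$2" -out req.csr
  q openssl x509 -req -in req.csr -CA "$3" -CAkey "$4" -CAcreateserial -days 30 \
      -extfile cfg -extensions "$5" -out "$6"; }

# Earlier and later roots of the same CA, an intermediate under the later root,
# a cross-signed certificate carrying the later root's name and key but issued
# by the earlier root, an unrelated "wrong" root, and the gateway's server cert.
for k in rootA rootB inter srv wrong; do newkey "$k.key"; done
selfsign rootA.key rootA.pem "Example Earlier Root"
selfsign rootB.key rootB.pem "Example Root"
selfsign wrong.key wrong.pem "Wrong Root"
sign rootB.key "Example Root" rootA.pem rootA.key ca_ext cross.pem  # cross-signed
sign inter.key "Example Intermediate" rootB.pem rootB.key ca_ext inter.pem
sign srv.key gateway.example.com inter.pem inter.key srv_ext srv.pem

# Client trust stores: most devices have only the later root, some have both.
cp rootB.pem store_later.pem
cat rootA.pem rootB.pem > store_both.pem

# Browser-style policy: only the leaf has to chain to a trusted root; extra or
# wrong certificates in the bundle are ignored.
leaf_only() { # $1 store, $2.. bundle sent by the gateway (leaf first)
  store=$1; shift; cat "$@" > bundle.pem
  if q openssl verify -no-CApath -CAfile "$store" -untrusted bundle.pem "$1"
  then echo accept; else echo reject; fi; }

# Strict policy described for Citrix Workspace app for Linux: every certificate
# in the bundle must itself be valid and chain to the client's store.
every_cert() { # $1 store, $2.. bundle sent by the gateway (leaf first)
  store=$1; shift; cat "$@" > bundle.pem
  for c in "$@"; do
    q openssl verify -no-CApath -CAfile "$store" -untrusted bundle.pem "$c" ||
      { echo "reject ($c)"; return 0; }
  done; echo accept; }

show() { # $1 label, $2 store, $3.. bundle
  l=$1; s=$2; shift 2
  printf '  %-42s leaf-only=%-7s every-cert=%s\n' "$l" \
    "$(leaf_only "$s" "$@")" "$(every_cert "$s" "$@")"; }

for store in store_later.pem store_both.pem; do
  echo "client trust store: $store"
  show "server + intermediate + root"         "$store" srv.pem inter.pem rootB.pem
  show "server + intermediate (recommended)"  "$store" srv.pem inter.pem
  show "server + intermediate + wrong root"   "$store" srv.pem inter.pem wrong.pem
  show "server + intermediate + cross-signed" "$store" srv.pem inter.pem cross.pem
  show "server only"                          "$store" srv.pem
done
```

Run it with `sh` on a machine with OpenSSL 1.1.1 or 3.x. Against the store that holds only the later root, the wrong-root and cross-signed bundles pass the leaf-only check but fail the every-certificate check (the cross-signed certificate can only chain to the earlier root), while the server-only bundle fails both because the intermediate is missing. Against the store that holds both roots, the cross-signed bundle passes both checks, which is the “some user devices have both root certificates” case described above.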
