Prerequisites to install Citrix Workspace app

System requirements and compatibility

See the following list for system requirements:

[Images: System Requirements for Hardware; System Requirements for Libraries; System Requirements for Components 1, 2 and 3]

Compatibility matrix

Citrix Workspace app for Linux is compatible with all currently supported versions of the Citrix products. For information about the Citrix product lifecycle, and to find out when Citrix stops supporting specific versions of products, see the Citrix Product Lifecycle Matrix.

Server requirements

StoreFront

You can use Citrix Workspace app for Linux 1808 and later for browser-based access with StoreFront Citrix Workspace app for Web and Web Interface, with or without the Citrix Gateway plug-in.

StoreFront:

  • StoreFront 3.x, 2.6, 2.5 and 2.1

    Provides direct access to StoreFront stores.

  • StoreFront configured with Workspace for Web

    Provides access to StoreFront stores from a web browser. For the limitations of this deployment, see “Important considerations” in Citrix Receiver for Web sites.

Web Interface

Web Interface with the NetScaler VPN client:

  • Web Interface 5.4 for Windows web sites.

    Provides access to virtual desktops and apps from a web browser.

  • Web Interface 5.4 for Linux with XenApp services or Citrix Virtual Desktops services sites

Connections and Certificates

Connections

Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.

  • For LAN connections:

    • StoreFront using StoreFront services or Workspace for Web
    • Web Interface 5.4 for Windows, using Web Interface or XenApp services
  • For secure remote or local connections:

    • Citrix Gateway 12.0
    • NetScaler Gateway 10.1 and later
    • NetScaler Access Gateway Enterprise Edition 10
    • NetScaler Access Gateway Enterprise Edition 9.x
    • NetScaler Access Gateway VPX

    For information about the Citrix Gateway versions supported by StoreFront, see System requirements of StoreFront.

Certificates

To ensure secure transactions between server and client, use the following certificates:

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device to access Citrix resources using Citrix Workspace app.

Note:

If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the local key store), an untrusted certificate warning appears. If a user chooses to continue through the warning, the apps are displayed but cannot be launched. The root certificate must be installed in the client’s certificate store.

Root certificates

For domain-joined machines, you can use a Group Policy Object administrative template to distribute and trust CA certificates.

For non-domain joined machines, the organization can create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.

Install root certificates on user devices

To use TLS, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate. By default, Citrix Workspace app supports the following certificates.

Certificate                   Issuing Authority
----------------------------  ----------------------------------------------
Class4PCA_G2_v2.pem           VeriSign Trust Network
Class3PCA_G2_v2.pem           VeriSign Trust Network
BTCTRoot.pem                  Baltimore Cyber Trust Root
GTECTGlobalRoot.pem           GTE Cyber Trust Global Root
Pcs3ss_v4.pem                 Class 3 Public Primary Certification Authority
GeoTrust_Global_CA.pem        GeoTrust
DigiCertGlobalRootCA.pem      DigiCert Global Root CA

You are not required to obtain and install root certificates on the user device to use the certificates from these Certificate Authorities. However, if you choose to use a different Certificate Authority, you must obtain and install a root certificate from the Certificate Authority on each user device.

Citrix Workspace app for Linux supports RSA keys of 1024, 2048, and 3072-bit lengths. Root certificates with RSA keys of 4096-bit length are also supported.

Note:

Citrix Workspace app for Linux 1808 and above uses the ctx_rehash tool as described in the following steps.

If you authenticate a server certificate that was issued by a certificate authority and is not yet trusted by the user device, follow these instructions before adding a StoreFront store:

  1. Obtain the root certificate in PEM format. Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.
  2. As the user who installed the package (usually root):
    1. Copy the file to $ICAROOT/keystore/cacerts.

    2. Run the following command:

      $ICAROOT/util/ctx_rehash

Wildcard certificates

Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app for Linux supports wildcard certificates; however, they should be used only in accordance with your organization’s security policy. In practice, alternatives to wildcard certificates, such as a certificate containing the list of server names within the Subject Alternative Name (SAN) extension, could be considered. Such certificates can be issued by both private and public certificate authorities.

Intermediate certificates and the Citrix Gateway

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates in Citrix Gateway documentation.

If your StoreFront server is not able to provide the intermediate certificates that match the certificate it is using, or you install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store:

  1. Obtain one or more intermediate certificates separately in PEM format.

    Tip:

    If you cannot find a certificate in PEM format, use the openssl utility to convert a certificate in CRT format to a .pem file.

  2. As the user who installed the package (usually root):

    1. Copy one or more files to $ICAROOT/keystore/intcerts.

    2. Run the following command as the user who installed the package:

      $ICAROOT/util/ctx_rehash
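The root-certificate and intermediate-certificate procedures above differ only in the keystore directory, so one helper can serve both. This is an added example, not Citrix code: the function name `install_ca_cert`, the DER fallback and the private-key refusal are assumptions of the example, while `$ICAROOT/keystore/cacerts`, `$ICAROOT/keystore/intcerts` and `$ICAROOT/util/ctx_rehash` come from the steps above.

```sh
#!/bin/sh
# Added example: install a CA certificate into the Citrix Workspace app keystore.
# ICAROOT must point at the installation directory; run as the installing user.

# install_ca_cert FILE STORE
#   STORE is "cacerts" for root certificates, "intcerts" for intermediates.
install_ca_cert() {
  cert=$1 store=$2
  case $store in
    cacerts|intcerts) ;;
    *) echo "store must be cacerts or intcerts" >&2; return 2 ;;
  esac
  [ -n "${ICAROOT:-}" ] && [ -d "$ICAROOT/keystore/$store" ] || {
    echo "ICAROOT is unset or has no keystore/$store" >&2; return 2; }
  [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
  # Only certificates belong in the keystore; refuse files with key material.
  if grep -q 'PRIVATE KEY-----' "$cert"; then
    echo "$cert contains a private key; refusing" >&2; return 1
  fi
  name=$(basename "$cert")
  dest=$ICAROOT/keystore/$store/${name%.*}.pem
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
    cp "$cert" "$dest" || return 1           # already PEM
  else
    # Assumption: a file without a PEM header is binary DER; convert it.
    openssl x509 -inform DER -in "$cert" -out "$dest" || return 1
  fi
  chmod 644 "$dest"
  "$ICAROOT/util/ctx_rehash"                 # rebuild the keystore hash links
}
```

Call it as `install_ca_cert example-root.crt cacerts` or `install_ca_cert example-int.pem intcerts` before adding the StoreFront store.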

Joint Server Certificate Validation Policy

Citrix Workspace app for Linux has a stricter validation policy for server certificates.

Important:

Before installing Citrix Workspace app for Linux, confirm that the certificates at the server or gateway are correctly configured as described here. Connections may fail if:

  • the server or gateway configuration includes a wrong root certificate
  • the server or gateway configuration does not include all intermediate certificates
  • the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
  • the server or gateway configuration includes a cross-signed intermediate certificate

When validating a server certificate, Citrix Workspace app for Linux now uses all the certificates supplied by the server (or gateway). As in previous Citrix Workspace app for Linux releases, it then also checks that the certificates are trusted. If the certificates are not all trusted, the connection fails.

This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.

The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause Citrix Workspace app for Linux’s connection to fail.

Suppose that a gateway is configured with these valid certificates. This configuration is recommended for customers who require stricter validation, because it determines exactly which root certificate Citrix Workspace app for Linux uses:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Example Root Certificate”

Then, Citrix Workspace app for Linux checks that all these certificates are valid. Citrix Workspace app for Linux also checks that it already trusts “Example Root Certificate.” If Citrix Workspace app for Linux does not trust “Example Root Certificate,” the connection fails.

Important:

  • Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (“DigiCert”/“GTE CyberTrust Global Root” and “DigiCert Baltimore Root”/“Baltimore CyberTrust Root”) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (“DigiCert Baltimore Root”/“Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global Root” at the gateway, Citrix Workspace app for Linux connections on those user devices will fail. Consult the certificate authority’s documentation to determine which root certificate should be used. Also note that root certificates eventually expire, as do all certificates.
  • Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.

Now suppose that a gateway is configured with these valid certificates. This configuration, omitting the root certificate, is normally recommended:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

Then, Citrix Workspace app for Linux uses these two certificates. It then searches for a root certificate on the user device. If it finds one that validates correctly, and is also trusted (such as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app for Linux needs, but also allows Citrix Workspace app for Linux to choose any valid, trusted, root certificate.

Now suppose that a gateway is configured with these certificates:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Wrong Root Certificate”

A web browser may ignore the wrong root certificate. However, Citrix Workspace app for Linux will not ignore the wrong root certificate, and the connection will fail.

Some certificate authorities use more than one intermediate certificate. In this case, the gateway is normally configured with all the intermediate certificates (but not the root certificate) such as:

  • “Example Server Certificate”

  • “Example Intermediate Certificate 1”

  • “Example Intermediate Certificate 2”

Important:

  • Some certificate authorities use a cross-signed intermediate certificate. This is intended for situations where there is more than one root certificate, and an earlier root certificate is still in use at the same time as a later root certificate. In this case, there will be at least two intermediate certificates. For example, the earlier root certificate “Class 3 Public Primary Certification Authority” has the corresponding cross-signed intermediate certificate “VeriSign Class 3 Public Primary Certification Authority - G5.” However, a corresponding later root certificate “VeriSign Class 3 Public Primary Certification Authority - G5” is also available, which replaces “Class 3 Public Primary Certification Authority.” The later root certificate does not use a cross-signed intermediate certificate.
  • The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as “Example Intermediate Certificate 2”).

This configuration, omitting the root certificate and the cross-signed intermediate certificate, is normally recommended:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

Avoid configuring the gateway to use the cross-signed intermediate certificate, as it selects the earlier root certificate:

  • “Example Server Certificate”

  • “Example Intermediate Certificate”

  • “Example Cross-signed Intermediate Certificate” [not recommended]

It is not recommended to configure the gateway with only the server certificate:

  • “Example Server Certificate”

In this case, if Citrix Workspace app for Linux cannot locate all the intermediate certificates, the connection fails.
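The gateway configurations walked through in this section can be checked before deployment with a small model of the policy. This is an added example, not Citrix code: it compares Subject and Issuer names only, and the `subject|issuer` input format, the verdict strings and the function name `classify_chain` are assumptions of the example.

```sh
#!/bin/sh
# Added example: name-only model of the validation policy described above.
# It compares Subject and Issuer names; it does not verify signatures or
# expiry, and it assumes no intermediates are installed on the user device.

# classify_chain CHAIN ROOTS
#   CHAIN: "subject|issuer" lines in the order the gateway sends them
#   ROOTS: subject names of the root certificates trusted on the user device
classify_chain() {
  { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } | awk -F'|' '
    $0 == "--" { in_chain = 1; next }
    !in_chain  { if ($0 != "") root[$0] = 1; next }
    NF == 2    { subj[++n] = $1; iss[n] = $2 }
    END {
      if (n == 0) { print "fail: no certificates supplied"; exit }
      for (i = 1; i <= n; i++) {
        # A self-signed certificate in the list is a root sent by the gateway.
        if (subj[i] == iss[i] && !(subj[i] in root)) {
          print "fail: supplied root is not trusted: " subj[i]; exit
        }
        # Subject of a trusted root but a different Issuer: cross-signed.
        if (subj[i] != iss[i] && (subj[i] in root)) {
          print "not recommended: cross-signed intermediate: " subj[i]; exit
        }
      }
      # Each certificate must be issued by the next one in the list.
      for (i = 1; i < n; i++)
        if (iss[i] != subj[i + 1]) {
          print "fail: chain broken after: " subj[i]; exit
        }
      if (subj[n] == iss[n])   print "ok: root fixed by gateway: " subj[n]
      else if (iss[n] in root) print "ok: root chosen on device: " iss[n]
      else print "fail: issuer not found on device: " iss[n]
    }'
}
```

The Subject and Issuer of each certificate a gateway presents can be read with `openssl x509 -noout -subject -issuer` and rewritten into the `subject|issuer` lines this function expects.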
