Enable certificate revocation list checking for improved security

When certificate revocation list (CRL) checking is enabled, Citrix Receiver checks whether or not the server’s certificate is revoked. By forcing Citrix Receiver to check this, you can improve the cryptographic authentication of the server and the overall security of the TLS connection between a user device and a server.

You can enable several levels of CRL checking. For example, you can configure Citrix Receiver to check only its local certificate list or to check the local and network certificate lists. In addition, you can configure certificate checking to allow users to log on only if all CRLs are verified.

If you are making this change on a local computer, exit Citrix Receiver if it is running. Make sure all Citrix Receiver components, including the Connection Center, are closed.

  1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies. Note: If you already imported the Citrix Receiver for Windows template into the Group Policy Editor, you can omit Steps 2 to 5.
  2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
  3. From the Action menu, choose Add/Remove Templates.
  4. Choose Add and browse to the Configuration folder for the Receiver (usually C:\Program Files\Citrix\ICA Client\Configuration) and select the Citrix Receiver for Windows template file.
    Note: Depending on the version of the Windows operating system, select the Citrix Receiver for Windows template file (receiver.adm or receiver.admx/receiver.adml).
  5. Select Open to add the template and then Close to return to the Group Policy Editor.
  6. In the Group Policy Editor, go to Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > Network routing > TLS/SSL data encryption and server identification.
  7. From the Action menu, choose Properties and select Enabled.
  8. From the CRL verification drop-down menu, select one of the options.
    • Disabled. No certificate revocation list checking is performed.
    • Only check locally stored CRLs. CRLs that were installed or downloaded previously are used in certificate validation. Connection fails if the certificate is revoked.
    • Require CRLs for connection. CRLs locally and from relevant certificate issuers on the network are checked. Connection fails if the certificate is revoked or not found.
    • Retrieve CRLs from network. CRLs from the relevant certificate issuers are checked. Connection fails if the certificate is revoked. If you do not set CRL verification, it defaults to Only check locally stored CRLs.

Enable certificate revocation list checking for improved security

In this article