ICA file signing to protect against application or desktop launches from untrusted servers

ICA file signing helps protect you from an unauthorized application or desktop launch. Citrix Receiver for Windows verifies, according to an administrative policy, that a trusted source generated the application or desktop launch, and blocks launches from untrusted servers. You can configure ICA file signing using the Group Policy Object administrative template, StoreFront, or Citrix Merchandising Server. ICA file signing is not enabled by default. For information about enabling ICA file signing for StoreFront, refer to the StoreFront documentation.

In a Web Interface deployment, the Web Interface enables and configures the application or desktop launch to include a signature, generated at launch time by the Citrix ICA file signing service. The service can sign the ICA file using a certificate from the computer's personal certificate store.

With Citrix Merchandising Server, Citrix Receiver for Windows enables and configures launch signature verification through the Citrix Merchandising Server Administrator Console > Deliveries wizard, which is where you add trusted certificate thumbprints.

Configure ICA file signing using Group Policy Object administrative template

If the CitrixBase.admx\adml template is not added to the local GPO, the Enable ICA File Signing policy might not be present.

  1. Open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components.
  3. Select the Enable ICA File Signing policy and set the options as required:
    1. Enabled - Indicates that you can add the signing certificate thumbprint to the whitelist of trusted certificate thumbprints.
    2. Trust Certificates - Click Show to remove the existing signing certificate thumbprint from the whitelist. You can copy and paste the signing certificate thumbprints from the signing certificate properties.
    3. Security policy - Select one of the following options from the drop-down menu:
      1. Only allow signed launches (more secure) - Allows only signed application or desktop launches from a trusted server. If the signature is invalid, a security warning appears and the session is not launched, because it is not authorized.
      2. Prompt user on unsigned launches (less secure) - A message prompt appears when an unsigned or invalidly signed session is launched. You can choose to either continue the launch or cancel it (default).
  4. Click Apply and OK to save the policy.

To select and distribute a digital signature certificate

When selecting a digital signature certificate, Citrix recommends that you choose from this prioritized list:

  1. Buy a code-signing certificate or SSL signing certificate from a public Certificate Authority (CA).
  2. If your enterprise has a private CA, create a code-signing certificate or SSL signing certificate using the private CA.
  3. Use an existing SSL certificate, such as the Web Interface server certificate.
  4. Create a new root CA certificate and distribute it to user devices using GPO or manual installation.
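The signing service takes its certificate from the computer's personal certificate store, and the Trust Certificates whitelist in the GPO is populated by pasting that certificate's thumbprint. The following PowerShell script is an added example, not part of the Citrix documentation or of any Citrix tool, that enumerates the personal store on the signing server and lists the certificates that fit the recommendations above (a code-signing or SSL certificate with a private key that is still valid), printing each thumbprint in whitelist form. It assumes the personal store is Cert:\LocalMachine\My, that "code-signing" means the Code Signing EKU (1.3.6.1.5.5.7.3.3) and "SSL" means the Server Authentication EKU (1.3.6.1.5.5.7.3.1), and that the whitelist expects a SHA-1 thumbprint as 40 hex characters without the spaces shown in the certificate properties dialog; the function names are the example's own.

```powershell
# Added example, not Citrix code: list ICA-signing certificate candidates in the
# computer's personal store and emit their thumbprints for the GPO whitelist.
# Assumptions (not stated on the page): store path Cert:\LocalMachine\My, EKU OIDs
# below, and a 40-hex-character thumbprint with no whitespace in the whitelist.

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU
$serverAuthOid  = '1.3.6.1.5.5.7.3.1'   # Server Authentication (SSL) EKU
$now = Get-Date

function Get-IcaSigningCandidate {
    # Returns one object per certificate in the store with the properties an
    # administrator needs to decide whether it can sign ICA files.
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # EnhancedKeyUsageList is the certificate provider's view of the EKU extension.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now)
            CodeSigning   = ($ekus -contains $codeSigningOid)
            ServerAuth    = ($ekus -contains $serverAuthOid)
            # Whitelist form: uppercase hex, no spaces (the properties dialog adds spaces).
            Thumbprint    = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Test-IcaWhitelistThumbprint {
    # A SHA-1 thumbprint is exactly 40 hex characters; anything else was most
    # likely truncated or mis-copied from the certificate properties dialog.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $normalized = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    return ($normalized -match '^[0-9A-F]{40}$')
}

# Keep only certificates the service could actually sign with: private key present,
# inside the validity period, and carrying one of the two recommended EKUs.
$candidates = Get-IcaSigningCandidate |
    Where-Object { $_.HasPrivateKey -and -not $_.Expired -and ($_.CodeSigning -or $_.ServerAuth) }

$candidates | Format-Table Subject, NotAfter, CodeSigning, ServerAuth, Thumbprint -AutoSize

foreach ($c in $candidates) {
    if (-not (Test-IcaWhitelistThumbprint $c.Thumbprint)) {
        Write-Warning "Thumbprint for $($c.Subject) is not 40 hex characters; verify it before pasting into the whitelist."
    }
}
```

Run the script in an elevated PowerShell session on the signing server; reading Cert:\LocalMachine\My does not require elevation, but checking HasPrivateKey on machine certificates is more reliable as an administrator. A certificate with no EKU extension at all (valid for all purposes) is filtered out by the EKU test, so relax the Where-Object filter if your private CA issues such certificates. Only the thumbprint of the certificate that the signing service actually uses belongs in the Trust Certificates whitelist; listing every candidate is for choosing, not for trusting all of them.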