Product Documentation

Enable ICA file signing

Jan 12, 2015

StoreFront provides the option to digitally sign ICA files so that versions of Citrix Receiver that support this feature can verify that the file originates from a trusted source. When file signing is enabled in StoreFront, the ICA file generated when a user starts an application is signed using a certificate from the personal certificate store of the StoreFront server. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server. The digital signature is ignored by clients that do not support the feature or are not configured for ICA file signing. If the signing process fails, the ICA file is generated without a digital signature and sent to Citrix Receiver, the configuration of which determines whether the unsigned file is accepted.

To be used for ICA file signing with StoreFront, certificates must include the private key and be within the allowed validity period. If the certificate contains a key usage extension, this must allow the key to be used for digital signatures. Where an extended key usage extension is included, it must be set to code signing or server authentication.

For ICA file signing, Citrix recommends using a code signing or SSL signing certificate obtained from a public certification authority or from your organization's private certification authority. If you are unable to obtain a suitable certificate from a certification authority, you can either use an existing SSL certificate, such as a server certificate, or create a new root certification authority certificate and distribute it to users' devices.

ICA file signing is disabled by default in stores. To enable ICA file signing, you edit the store configuration file and execute Windows PowerShell commands. For more information about enabling ICA file signing in Citrix Receiver, see ICA File Signing to protect against application or desktop launches from untrusted servers.

Note: The StoreFront and PowerShell consoles cannot be open at the same time. Always close the StoreFront admin console before using the PowerShell console to administer your StoreFront configuration. Likewise, close all instances of PowerShell before opening the StoreFront console.
Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. Ensure that the certificate you want to use to sign ICA files is available in the Citrix Delivery Services certificate store on the StoreFront server and not the current user's certificate store.
  2. Use a text editor to open the web.config file for the store, which is typically located in the C:\inetpub\wwwroot\Citrix\storename\ directory, where storename is the name specified for the store when it was created.
  3. Locate the following section in the file.
    <certificateManager> 
      <certificates> 
        <clear /> 
        <add ... /> 
        ... 
      </certificates> 
    </certificateManager> 
    
  4. Include details of the certificate to be used for signing as shown below.
    <certificateManager> 
      <certificates> 
        <clear /> 
        <add id="certificateid" thumb="certificatethumbprint" /> 
        <add ... /> 
        ... 
      </certificates> 
    </certificateManager> 
    

    Where certificateid is a value that helps you to identify the certificate in the store configuration file and certificatethumbprint is the digest (or thumbprint) of the certificate data produced by the hash algorithm.

  5. Locate the following element in the file.
    <icaFileSigning enabled="False" certificateId="" hashAlgorithm="sha1" /> 
    
  6. Change the value of the enabled attribute to True to enable ICA file signing for the store. Set the value of the certificateId attribute to the ID you used to identify the certificate, that is, certificateid in Step 4.
  7. If you want to use a hash algorithm other than SHA-1, set the value of the hashAgorithm attribute to sha256, sha384, or sha512, as required.
  8. Using an account with local administrator permissions, start Windows PowerShell and, at a command prompt, type the following commands to enable the store to access the private key.
    Add-PSSnapin Citrix.DeliveryServices.Framework.Commands 
      $certificate = Get-DSCertificate "certificatethumbprint" 
     
    Add-DSCertificateKeyReadAccess -certificate $certificates[0] -accountName “IIS APPPOOL\Citrix Delivery Services Resources” 
    

    Where certificatethumbprint is the digest of the certificate data produced by the hash algorithm.