- StoreFront 1811 and later.
- StoreFront 3.12.
Connections and certificates
Connections
Citrix Workspace app for Linux supports HTTPS and ICA-over-TLS connections through any one of the following configurations.
- For LAN connections:
- StoreFront using StoreFront services or workspace for web
- Citrix Gateway 12.0 and later
- NetScaler Gateway 10.1 and later
- NetScaler Access Gateway Enterprise Edition 10
- Netscaler Access Gateway Enterprise Edition 9.x
- Netscaler Access Gateway VPX
For information about the Citrix Gateway versions supported by StoreFront, see System requirements of StoreFront.
Certificates
To ensure secure transactions between server and client, use the following certificates:
Private (self-signed) certificates
If a private certificate is installed on the remote gateway, the root certificate for the organization’s certificate authority must be installed on the user device. This installation helps to access Citrix resources using Citrix Workspace app.
Note:
An untrusted certificate warning appears, if the remote gateway’s certificate can’t be verified upon connection. This verification might fail since the root certificate isn’t included in the local key store. If you choose to continue through the warning, the apps are displayed but can’t be launched. The root certificate must be installed in the client’s certificate store.
Root certificates
For domain-joined machines, use the Group Policy Object administrative template to distribute and trust CA certificates.
For non-domain joined machines, create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.
Install root certificates on user devices
To use TLS, you need a root certificate on the user device that can verify the signature of the Certificate Authority on the server certificate. By default, Citrix Workspace app supports the following certificates.
Certificate Issuing Authority Class4PCA_G2_v2.pem Verisign Trust Network Class3PCA_G2_v2.pem Verisign Trust Network BTCTRoot.pem Baltimore Cyber Trust Root GTECTGlobalRoot.pem GTE Cyber Trust Global Root Pcs3ss_v4.pem Class 3 Public Primary Certification Authority GeoTrust_Global_CA.pem GeoTrust DigiCertGlobalRootCA.pem DigiCert Global Root CA Wildcard certificates
Wildcard certificates are used in place of individual server certificates for any server within the same domain. Citrix Workspace app supports wildcard certificates, however they must only be used following your organization’s security policy.
Alternatives to wildcard certificates, such as a certificate that includes the list of server names within the Subject Alternative Name (SAN) extension, can be considered. Both private and public certificate authorities issue such certificates.
Append intermediate certificate to Citrix Gateway
If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates in the Citrix Gateway documentation.
If your StoreFront server fails to provide the intermediate certificates that match the certificate it’s using, or you install intermediate certificates to support smart card users, follow these steps before adding a StoreFront store:
-
Get one or more intermediate certificates separately in PEM format.
Tip: If you can’t find a certificate in the .pem file extension, use the openssl utility to convert a certificate to the .pem file extension.
- Copy one or more files to $ICAROOT/keystore/intcerts.
- Run the following command after you installed the package: $ICAROOT/util/ctx_rehash
Joint server certificate validation policy
Citrix Workspace app has a stricter validation policy for server certificates.
- the server or gateway configuration includes a wrong root certificate
- the server or gateway configuration does not include all intermediate certificates
- the server or gateway configuration includes an expired or otherwise invalid intermediate certificate
- the server or gateway configuration includes a cross-signed intermediate certificate
When validating a server certificate, Citrix Workspace app uses all the certificates supplied by the server (or gateway) when validating the server certificate. As in previous Citrix Workspace app versions, it verifies that the certificates are trusted. If any certificate is untrusted, the connection fails.
This policy is stricter than the certificate policy in web browsers. Many web browsers include a large set of root certificates that they trust.
The server (or gateway) must be configured with the correct set of certificates. An incorrect set of certificates might cause the Citrix Workspace app connection to fail.
If a gateway is configured with these valid certificates, use the following configuration for stricter validation. This configuration determines exactly which root certificate the Citrix Workspace app uses:
- Example Server Certificate
- Example Intermediate Certificate
- Example Root Certificate
Citrix Workspace app verifies all these certificates are valid. Citrix Workspace app also verifies that it already trusts the Example Root Certificate. If Citrix Workspace app does not trust the Example Root Certificate, the connection fails.
- Some certificate authorities have more than one root certificate. If you require this stricter validation, make sure that your configuration uses the appropriate root certificate. For example, there are currently two certificates (DigiCert/GTE CyberTrust Global Root and DigiCert Baltimore Root/Baltimore CyberTrust Root) that can validate the same server certificates. On some user devices, both root certificates are available. On other devices, only one is available (DigiCert Baltimore Root/Baltimore CyberTrust Root).
- If you configure the GTE CyberTrust Global Root certificate at the gateway, Citrix Workspace app connections on those user devices fail. Consult the certificate authority’s documentation to determine which root certificate must be used. Also note that root certificates eventually expire, as do all certificates.
- Some servers and gateways never send the root certificate, even if configured. Stricter validation is then not possible.
If a gateway is configured with these valid certificates, we can use the following configuration, leaving out the root certificate:
- Example Server Certificate
- Example Intermediate Certificate
Citrix Workspace app uses these two certificates. It searches for a root certificate on the user device. If Citrix Workspace app finds a root certificate that validates correctly, and is also trusted (such as Example Root Certificate), the connection succeeds. Otherwise, the connection fails. This configuration supplies the intermediate certificate that Citrix Workspace app needs, but also allows Citrix Workspace app to choose any valid, trusted, root certificate.
If a gateway is configured with these certificates:
- Example Server Certificate
- Example Intermediate Certificate
- Wrong Root Certificate
A web browser might ignore the wrong root certificate. However, Citrix Workspace app does not ignore the wrong root certificate, and the connection fails.
Some certificate authorities use more than one intermediate certificate. In this case, the gateway is configured with all the intermediate certificates (but not the root certificate) such as:
- Example Server Certificate
- Example Intermediate Certificate 1
- Example Intermediate Certificate 2
- Some certificate authorities use a cross-signed intermediate certificate. This certificate is used where there’s more than one root certificate, and an earlier root certificate is still in use as a later root certificate. In this case, there are at least two intermediate certificates. For example, the earlier root certificate Class 3 Public Primary Certification Authority has the corresponding cross-signed intermediate certificate Verisign Class 3 Public Primary Certification Authority - G5. However, a corresponding later root certificate Verisign Class 3 Public Primary Certification Authority - G5 is also available, which replaces the Class 3 Public Primary Certification Authority. The later root certificate does not use a cross-signed intermediate certificate.
- The cross-signed intermediate certificate and the root certificate have the same Subject name (Issued To). But the cross-signed intermediate certificate has a different Issuer name (Issued By). This difference distinguishes the cross-signed intermediate certificate from an ordinary intermediate certificate (such as Example Intermediate Certificate 2).
This configuration, leaving out the root certificate and the cross-signed intermediate certificate, is recommended:
- Example Server Certificate
- Example Intermediate Certificate
Avoid configuring the gateway to use the cross-signed intermediate certificate, because it selects the earlier root certificate:
- Example Server Certificate
- Example Intermediate Certificate
- Example Cross-signed Intermediate Certificate [not recommended]
It isn’t recommended to configure the gateway with only the server certificate:
- Example Server Certificate
In this case, if Citrix Workspace app can’t locate all the intermediate certificates, the connection fails.
Supports system certificate paths for SSL connection
Previously, Citrix Workspace app supported only the opt/Citrix/ICAClient/keystore path as system certificate path. This path was a hardcode path to store Citrix predefined certificates. However, sometimes, certificate authority (CA) certificates are placed in the system certificates path in different linux distributions. To add these system certificate paths, customers had to make a soft link and replace /opt/Citrix/ICAClient/keystore .
With this release, Citrix Workspace app supports multiple system certificate paths. The following are the default system certificate paths supported for SSL connection:
"/var/lib/ca-certificates", "/etc/ssl/certs", "/system/etc/security/cacerts", "/usr/local/share/cert", "/etc/pki/tls/certs", "/etc/openssl/certs", "/var/ssl/certs", ICAROOT() + "/keystore/cacerts"
In addition to the default system certified path, you can also add your own certified path by adding the Certpath field in the AuthManConfig.xml file as follows:
This feature simplifies the certificate management process on the client side and improves the user experience. Citrix Workspace app for Linux supports multiple system certificate paths for SSL connection. This feature eliminates the need to create a soft link.
Workspacecheck
We provide a script, workspacecheck.sh , as part of the Citrix Workspace app installation package. The script checks whether your device meets all the system requirements in support of the functionalities of Citrix Workspace app. The script is in the Utilities directory of the installation package.
To run the workspacecheck.sh script
- Open the terminal in your Linux machine.
- Type cd $ICAROOT/util and press Enter to navigate to the Utilities directory of the installation package.
- Type ./workspacecheck.sh to run the script.
Out-of-support applications and operating systems
Citrix does not offer support in the context of applications and operating systems that are no longer supported by their vendors.
While attempting to address and resolve a reported issue, Citrix assesses whether the issue directly relates to an out-of-support application or operating system. To help in making that determination, Citrix might ask you to attempt to reproduce an issue using the supported version of the application or operating system. If the issue seems to be related to the out-of-support application or operating system, Citrix will not investigate the issue further.
The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.
DIESER DIENST KANN ÜBERSETZUNGEN ENTHALTEN, DIE VON GOOGLE BEREITGESTELLT WERDEN. GOOGLE LEHNT JEDE AUSDRÜCKLICHE ODER STILLSCHWEIGENDE GEWÄHRLEISTUNG IN BEZUG AUF DIE ÜBERSETZUNGEN AB, EINSCHLIESSLICH JEGLICHER GEWÄHRLEISTUNG DER GENAUIGKEIT, ZUVERLÄSSIGKEIT UND JEGLICHER STILLSCHWEIGENDEN GEWÄHRLEISTUNG DER MARKTGÄNGIGKEIT, DER EIGNUNG FÜR EINEN BESTIMMTEN ZWECK UND DER NICHTVERLETZUNG VON RECHTEN DRITTER.
CE SERVICE PEUT CONTENIR DES TRADUCTIONS FOURNIES PAR GOOGLE. GOOGLE EXCLUT TOUTE GARANTIE RELATIVE AUX TRADUCTIONS, EXPRESSE OU IMPLICITE, Y COMPRIS TOUTE GARANTIE D'EXACTITUDE, DE FIABILITÉ ET TOUTE GARANTIE IMPLICITE DE QUALITÉ MARCHANDE, D'ADÉQUATION À UN USAGE PARTICULIER ET D'ABSENCE DE CONTREFAÇON.
ESTE SERVICIO PUEDE CONTENER TRADUCCIONES CON TECNOLOGÍA DE GOOGLE. GOOGLE RENUNCIA A TODAS LAS GARANTÍAS RELACIONADAS CON LAS TRADUCCIONES, TANTO IMPLÍCITAS COMO EXPLÍCITAS, INCLUIDAS LAS GARANTÍAS DE EXACTITUD, FIABILIDAD Y OTRAS GARANTÍAS IMPLÍCITAS DE COMERCIABILIDAD, IDONEIDAD PARA UN FIN EN PARTICULAR Y AUSENCIA DE INFRACCIÓN DE DERECHOS.
本服务可能包含由 Google 提供技术支持的翻译。Google 对这些翻译内容不做任何明示或暗示的保证,包括对准确性、可靠性的任何保证以及对适销性、特定用途的适用性和非侵权性的任何暗示保证。このサービスには、Google が提供する翻訳が含まれている可能性があります。Google は翻訳について、明示的か黙示的かを問わず、精度と信頼性に関するあらゆる保証、および商品性、特定目的への適合性、第三者の権利を侵害しないことに関するあらゆる黙示的保証を含め、一切保証しません。
ESTE SERVIÇO PODE CONTER TRADUÇÕES FORNECIDAS PELO GOOGLE. O GOOGLE SE EXIME DE TODAS AS GARANTIAS RELACIONADAS COM AS TRADUÇÕES, EXPRESSAS OU IMPLÍCITAS, INCLUINDO QUALQUER GARANTIA DE PRECISÃO, CONFIABILIDADE E QUALQUER GARANTIA IMPLÍCITA DE COMERCIALIZAÇÃO, ADEQUAÇÃO A UM PROPÓSITO ESPECÍFICO E NÃO INFRAÇÃO.
