Citrix Workspace app for iOS
certificate
• the server or gateway configuration includes a cross-signed intermediate certificate
When validating a server certificate, Citrix Workspace app for iOS now uses all the certificates
supplied by the server (or gateway). As in previous releases, Citrix Workspace app for iOS then
also checks that the certificates are trusted. If the certificates are not all trusted, the
connection fails.
This policy is stricter than the certificate policy in web browsers. Many web browsers include a large
set of root certificates that they trust.
The server (or gateway) must be configured with the correct set of certificates. An incorrect set of
certificates might cause Citrix Workspace app for iOS connections to fail.
Suppose a gateway is configured with these valid certificates. This configuration is recommended
for customers who require stricter validation, because it determines exactly which root certificate
Citrix Workspace app for iOS uses:
• “Example Server Certificate”
• “Example Intermediate Certificate”
• “Example Root Certificate”
Then, Citrix Workspace app for iOS will check that all these certificates are valid. Citrix Workspace app
for iOS will also check that it already trusts “Example Root Certificate”. If Citrix Workspace app for iOS
does not trust “Example Root Certificate”, the connection fails.
Important
Some certificate authorities have more than one root certificate. If you require this stricter
validation, make sure that your configuration uses the appropriate root certificate. For example,
there are currently two certificates (“DigiCert”/“GTE CyberTrust Global Root”, and “DigiCert
Baltimore Root”/“Baltimore CyberTrust Root”) that can validate the same server certificates. On
some user devices, both root certificates are available. On other devices, only one is available
(“DigiCert Baltimore Root”/“Baltimore CyberTrust Root”). If you configure “GTE CyberTrust Global
Root” at the gateway, Citrix Workspace app for iOS connections on those user devices will fail.
Consult the certificate authority’s documentation to determine which root certificate should be
used. Also note that root certificates eventually expire, as do all certificates.
Then, Citrix Workspace app for iOS will use these two certificates. It will then search for a root
certificate on the user device. If it finds one that validates correctly, and is also trusted (such
as “Example Root Certificate”), the connection succeeds. Otherwise, the connection fails. Note that
this configuration supplies the intermediate certificate that Citrix Workspace app for iOS needs,
but also allows Citrix Workspace app for iOS to choose any valid, trusted, root certificate.
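The two gateway configurations above can be compared with a small model of the policy. This is an added example, not Citrix code: certificates are reduced to a name plus the names able to validate them, with no signature, expiry or revocation checks. The `connection_succeeds` helper, the two device trust stores and the pairing of the example intermediate with the two roots from the Important note are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    validated_by: frozenset  # names of certificates able to validate this one

def cert(name, *validated_by):
    return Cert(name, frozenset(validated_by))

GTE = "GTE CyberTrust Global Root"
BALTIMORE = "Baltimore CyberTrust Root"

# Constructed sample chain: either root can validate the intermediate.
SERVER = cert("Example Server Certificate", "Example Intermediate Certificate")
INTERMEDIATE = cert("Example Intermediate Certificate", GTE, BALTIMORE)
GTE_ROOT = cert(GTE, GTE)                  # self-signed root
BALTIMORE_ROOT = cert(BALTIMORE, BALTIMORE)

# Constructed device trust stores (names of trusted roots).
DEVICE_BOTH = {GTE, BALTIMORE}
DEVICE_BALTIMORE_ONLY = {BALTIMORE}

def connection_succeeds(supplied, device_roots):
    """supplied: certificates sent by the gateway, server certificate first."""
    # Every supplied certificate is used, so each must validate the one before it.
    for child, parent in zip(supplied, supplied[1:]):
        if parent.name not in child.validated_by:
            return False
    top = supplied[-1]
    if top.name in top.validated_by:
        # The gateway supplied a root: that exact root must be trusted on the device.
        return top.name in device_roots
    # No root supplied: any trusted device root that validates the chain will do.
    return any(name in device_roots for name in top.validated_by)

if __name__ == "__main__":
    configs = {
        "server + intermediate + GTE root": [SERVER, INTERMEDIATE, GTE_ROOT],
        "server + intermediate (no root)": [SERVER, INTERMEDIATE],
    }
    for label, chain in configs.items():
        for dev, roots in (("both roots", DEVICE_BOTH),
                           ("Baltimore only", DEVICE_BALTIMORE_ONLY)):
            print(f"{label:34} | device: {dev:14} | "
                  f"{'ok' if connection_succeeds(chain, roots) else 'FAIL'}")
```

Only the combination of a gateway that sends the GTE root and a device that trusts only the Baltimore root fails, which is the case the Important note describes.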
Now suppose a gateway is configured with these certificates:
• “Example Server Certificate”
© 1999-2020 Citrix Systems, Inc. All rights reserved. 28