ACTION REQUIRED: Critical Certificate Update for Citrix Cloud Connector

book

Article ID: CTX696429

calendar_today

Updated On:

Description

Problem Description: 

The Citrix Gateway service is transitioning it's Root Certificate Authority (CA) from the DigiCert Global Root CA to the newer DigiCert Global Root G2.
The Citrix NetScaler Cloud Gateway component within the Cloud Cloud Connector historically relies on an internal bundled certificate store (located at C:\Program Files\Citrix\NetScaler Cloud Gateway\certs).
  • The Conflict: Older Connector versions do not have the DigiCert Global Root G2 certificate in their internal bundle.
  • The Result: Once Citrix rotates the certificate for the Gateway service, these Connectors will fail the TLS handshake and be unable to communicate with Citrix Gateway Service.

Note: This issue is specific to the Citrix Cloud Connector (Windows). The Citrix Connector Appliance (Linux-based) is not impacted.
 
Impact Identification:
If you meet any of the following criteria, you might be potentially impacted by this issue:
  • US Government and Japan Customers: All customers with Connectors registered to citrix.cloud.us or citrix.citrixcloud.jp are impacted by this issue.
  • Commercial Customers: A specific subset of customers with Connectors registered to citrix.cloud.com are impacted by this issue.
 
All impacted customers have been proactively identified, and a new version of Citrix Cloud Connector containing a fix for this issue has been deployed to your tenant.

Resolution

Resolution & Required Versions:

Citrix is deploying two specific builds to address this issue. Your connectors will automatically receive one of the following updates:

Build Type
Full Connector Version
Required Component Version
Immediate Mitigation
6.141.0.X
4.420.700.18996
Long-Term Fix
6.148.0.X
4.438.200.18998 (or higher)
 
 
  • The Immediate Mitigation Build updates the internal bundle to include both the legacy and the new Root CAs.
  • The Long-Term Structural Build includes both certificates AND changes the default behavior to utilize the Windows System Certificate Store, which will remove the future dependency on manual bundle updates.

If you are an impacted customer, you will see an alert in the Citrix Cloud Admin Console referencing this CTX article.

image.png

You have a pending Connector upgrade pushed or scheduled between March 19, 2026, and March 26, 2026 as shown in the notification.

 
image.png

Issue/Introduction

Citrix is announcing a mandatory update for the Citrix Cloud Connector (Windows) to ensure continued connectivity with the Citrix Gateway service. Shortly after April 5, 2026, Citrix will begin updating the TLS certificates on the Gateway service.
Failure to update your Cloud Connectors to the required versions before this date will result in a service outage, as legacy Connector builds will no longer trust the Gateway service’s secure connection.

Additional Information

How to Verify Your Upgrade Status:
To ensure your environment is prepared for the April 5th deadline, follow these steps:
 
1. Check the Resource Location Status
Once the upgrade is pushed or scheduled (between March 19 and March 26), navigate to the notifications page in Citrix Cloud. A successful update for a resource location will be indicated by an "All Cloud Connectors in resource location '<Location Name>' have been successfully upgraded" status message as shown below.
 
image.png
 
2. Confirm the Component Version for a Connector
Navigate to the Resource Locations page in Citrix Cloud. Open the details for your Cloud Connector. Please note that the Connector Components version is the relevant metric for this fix, as the Citrix NetScaler Cloud Gateway Provider is bundled within these components. Ensure the Connector Components version matches one of the two following versions.
    • 4.420.700
    • 4.438.200 (or higher)
Note on Version Display: While the full version string for the Connector and its Components contains four segments (e.g., 4.420.700.18996), the Citrix Cloud console typically displays only the first three segments (e.g., 4.420.700). These first three segments are the primary identifiers used to determine upgrade eligibility and version compliance for this fix.
 
image.png
 

Important Timelines:

Date
Milestone
March 19 – March 26, 2026
Deployment Window: Hotfix builds are rolled out to a subset of impacted customers.
March 26, 2026
Direct Notification: Final outreach to impacted customers begins.
April 5, 2026
Upgrade Deadline: All Connectors must be on a compliant version.
Shortly after April 5
Gateway Cert Rotation: The Gateway Service TLS certificate is updated.

 
Powered by Wolken Software