VDI Session Launch Hangs at "Opening" After Upgrading to Citrix Workspace App 2603

Description

Cause:

Starting with CWA 2603, certificate validation was optimized to validate certificates on the client before initiating the TLS handshake, significantly reducing session launch time. As part of this optimization, the certificate chain structure is evaluated, including dependencies between intermediate certificates. If a circular dependency exists in the local certificate store — where Certificate A references Certificate B and Certificate B references Certificate A — the validation cannot complete and the session launch stalls.

This issue is caused by a misconfigured certificate chain on the endpoint, not by CWA.

Note: Circular intermediate certificate dependencies are outside the defined behavior of the X.509 PKI standard. RFC 5280 defines certificate chains as a strictly hierarchical, ordered sequence from leaf through intermediates to a root CA. The path validation algorithm (Section 6.1) assumes a finite, acyclic chain, and mechanisms such as pathLenConstraint enforce bounded path lengths. Circular dependencies are not accommodated by the specification.

Resolution

The Circular certificate dependencies in the endpoint's certificate store need to be fixed to resolve the issue. The specific remediation will depend on the environment. However, here are the actions to follow and fix the certificates with Circular dependencies:

Identify the redundant certificates that creates the cycle from the Intermediate Certification Authorities store as explained in the next section
Export those certificates for backup and then delete them from the Certificate store
Get the certificates with correctly chained versions from your CA administrator
Re-enroll the endpoint to obtain a clean certificate chain

To identify the circular dependency on an end-point, follow the steps below:

On the affected endpoint, open the Windows Certificate Manager (certlm.msc for the local machine store and certmgr.msc for the current user store)
Navigate to Intermediate Certification Authorities > Certificates for both Local Machine and User store separately
Look for intermediate certificates where:
- Certificate A's Authority Key Identifier (AKI) points to Certificate B
- Certificate B's AKI points back to Certificate A
- Below is the screenshot of such an example where both intermediates issue each other. This can be checked by comparing each SKID against the others AKID. In addition, the subject and issuer names show that they issued each other as well.
Ensure the corrected chain follows a valid hierarchical path from leaf through intermediates to root

To verify the certificate chain of the certificates with Circular dependenices, use the below command line:

certutil -verify -urlfetch <certificate_file>

Review the output for any loops or repeated issuers in the chain. Once the circular dependency is resolved, VDI sessions will launch normally.

Workaround:

If certificate remediation cannot be performed immediately, use Workspace for Web (HTML5) to launch sessions, as it does not perform client-side pre-handshake certificate validation.

Issue/Introduction

Applicable Products: Citrix Workspace App for Windows 2603 and later

After upgrading to Citrix Workspace App (CWA) 2603 or later, users may experience the following on endpoints with misconfigured certificates:

A toast notification displaying "Opening <resource name>" appears and persists for approximately 5 minutes before dismissing, but the session never launches

The same users can successfully launch sessions via HTML5 (Workspace for Web)

Additional Information

RFC 5280 — Internet X.509 PKI Certificate and CRL Profile: https://datatracker.ietf.org/doc/html/rfc5280

CWA 2603's optimized certificate validation is more thorough in evaluating certificate chain integrity. Correcting the certificate chain resolves the issue and ensures compliance with the X.509 PKI standard.

Welcome to "KB Articles"