This article outlines the new certificate requirement for installing/upgrading Citrix Cloud Connector since 2023 Q1. CTX223828 outlines all the certificates required for the Citrix Cloud Connector. However, this article explains the subset of changes that came into effect in 2023 Q1. 

Details

Citrix Cloud Connector versions older than 6.57.0.28833/4.305.0.28833 were signed using a DigiCert code-signing certificate verified by older DigiCert root and intermediate certificates. To comply with industry standards, code signing certificates verified by these older root and intermediates are no longer issued by DigiCert.

As a result, from Citrix Cloud Connector version 6.57.0.28833/4.305.0.28833, the installer has been signed using a DigiCert code signing certificate that is verified by the modern root “DigiCert Trusted Root G4“and the intermediate “DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1”.

The old and new certificate chains can be seen in the screenshots below.

To validate the certificate used to sign the new installer, the Connector requires the new root and intermediate certificates to be installed on the host server.

Root certificates such as the "DigiCert Trusted Root G4” are usually distributed by the Windows Root Certificate Program unless:

• The Turn off Automatic Root Certificate Update policy group policy is in place to block the root certificate update, or
• Connectivity from the Connector host server to the internet is restricted, preventing the update from being downloaded.

What's the Impact?

Installation Failure

The new installation of Citrix Cloud Connector will result in the following error.

Upgrade Failure

The Citrix Cloud Connector upgrade process will fail as the installer will not be able to verify the certificate chain of the downloaded upgrade installer.

The Connector upgrade process is silent, however, some of the symptoms of the Citrix Cloud Connector upgrade failure will be visible.

1. Every 5 minutes, the connector will download the upgrade installers cwcconnector.exe and cwcconnectorcomponents.exe in C:\ProgramData\Citrix\WorkspaceCloud\InstallExes. After the download is complete, the upgrade will be terminated as the certificate chain of these downloaded installers cannot be verified.

2. The log line "The Installer does not have a verifiable certificate chain. Certificate chain status:" is present in one of the logs under C:\ProgramData\Citrix\WorkspaceCloud\Archive

 

Instructions

1. Manually download the certificates from the following URLs and install the missing root and intermediate certificates to the machine store within the Windows Certificate store of the Connector host server. The certificates installed in the machine store are inherited by all the users on the server.

• Root cert https://cacerts.digicert.com/DigiCertTrustedRootG4.crt (This certificate is also accessible using HTTP URL) should be installed within the “Trusted Root Certification Authorities” folder in the machine store.
• Intermediate cert https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
  (This certificate is also accessible using HTTP URL) should be installed within the “Intermediate Certification Authorities” folder in the machine store.

• Using Cloud Connector Connectivity Check Utility version 1.7.0.4 or newer.
  
• Visual verification of certificate using Certificate Manager machine store.
  

• Using the command prompt to query the registry with the following command.

reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\root\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
reg query HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C
reg query HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C

2. Resolve the underlying issue that prevents the automatic download of root and intermediate certificates. This involves the following:

• Review if the Turn off Automatic Root Certificate Update policy group policy is in place to block the root certificate update.
• Check if the Connectivity from the Connector host server to the internet is restricted which prevents the root certificate update.
• Ensure that http://cacerts.digicert.com is accessible from the Connector host server; Please note that this is an HTTP URL, not HTTPS.

• During the New installation of the Connector, the certificate validation of the installer is performed within cwcconnector.exe, so the intermediate certificate is downloaded and installed in the user store of the user who initiated the install. The downloaded certificate can be verified by querying the registry using the following command

reg query HKCU\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C

• During an upgrade, the installer certificate validation is performed by "Citrix Cloud Services Agent WatchDog" Windows Service which is running in the context of "Network Service". In this case, the intermediate certificate is downloaded and installed in the user store of the "Network Service" identity. The downloaded certificate can be verified by querying the registry using the following command

reg query HKU\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C