Citrix Cloud Connector versions older than 184.108.40.206833/4.305.0.28833 were signed using a DigiCert code signing certificate verified by older DigiCert root and intermediate certificates. To comply with industry standards, DigiCert no longer issues code signing certificates verified by these older root and intermediate certificates.
As a result, from Citrix Cloud Connector version 220.127.116.11833/4.305.0.28833, the installer has been signed using a DigiCert code signing certificate that is verified by the modern root “DigiCert Trusted Root G4” and the intermediate “DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1”.
The old and new certificate chains can be seen in the screenshots below.
To validate the certificate used to sign the new installer, the Connector requires the new root and intermediate certificates to be installed on the host server.
Root certificates such as the “DigiCert Trusted Root G4” are usually distributed by the Windows Root Certificate Program unless:
- The “Turn off Automatic Root Certificate Update” group policy is in place and blocks the root certificate update, or
- Connectivity from the Connector host server to the internet is restricted, preventing the update from being downloaded.
Intermediate certificates such as the “DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1” are usually downloaded on demand when the server is presented with a certificate issued by an intermediate authority that is missing from the Windows Certificate store. In this case, the intermediate certificate is downloaded from http://cacerts.digicert.com provided the endpoint is accessible.
Please note that this is an HTTP URL, not HTTPS.
What’s the Impact?
If “DigiCert Trusted Root G4” and the intermediate “DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1” are absent from the Connector host server, both new installations of and upgrades to Citrix Cloud Connector version 18.104.22.168833/4.305.0.28833 or later will fail because the certificate chain of the installer cannot be verified.
The new installation of Citrix Cloud Connector will result in the following error.
The Citrix Cloud Connector upgrade process will fail as the installer will not be able to verify the certificate chain of the downloaded upgrade installer.
The Connector upgrade process is silent. However, some symptoms of the Citrix Cloud Connector upgrade failure will be visible:
- Every 5 minutes, the connector will download the upgrade installers cwcconnector.exe and cwcconnectorcomponents.exe to C:\ProgramData\Citrix\WorkspaceCloud\InstallExes. After the download is complete, the upgrade will be terminated as the certificate chain of these downloaded installers cannot be verified.
- The log line “The Installer does not have a verifiable certificate chain. Certificate chain status:” is present in one of the logs under C:\ProgramData\Citrix\WorkspaceCloud\Archive
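
The conditions and symptoms described above can be checked on a Connector host in one pass. The following PowerShell is an added example, not Citrix's own tooling: it uses the certificate names, folders and log string from this article (paths written with backslash separators), and assumes that matching certificates by subject CN, searching `*.log` files, and reading the `DisableRootAutoUpdate` policy value are acceptable for your environment.

```powershell
# Added example: reports the preconditions and failure symptoms named in the article.
# Assumptions: CN-based matching, the *.log filter, and the policy registry value below.
$rootCN  = 'DigiCert Trusted Root G4'
$interCN = 'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1'
$wcDir   = 'C:\ProgramData\Citrix\WorkspaceCloud'

function Test-CertInStore {
    param([string]$StorePath, [string]$CommonName)
    # Exact CN match on the subject; an expired copy does not count as present.
    $hit = Get-ChildItem -Path $StorePath | Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($CommonName))(,|$)" -and
        $_.NotAfter -gt (Get-Date) }
    [bool]$hit
}

$report = [ordered]@{
    RootPresent         = Test-CertInStore 'Cert:\LocalMachine\Root' $rootCN
    IntermediatePresent = Test-CertInStore 'Cert:\LocalMachine\CA'   $interCN
}

# Group policy that turns off automatic root updates: a value of 1 blocks them.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
        -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
$report.RootAutoUpdateBlocked = ($pol.DisableRootAutoUpdate -eq 1)

# The intermediate is fetched over plain HTTP, so test TCP/80 rather than 443.
# This is a direct connection test; it does not go through a configured web proxy.
$report.CaCertsReachable = (Test-NetConnection -ComputerName 'cacerts.digicert.com' `
        -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded

# Signature status of installers the upgrade process has already downloaded.
$report.Installers = Get-ChildItem -Path (Join-Path $wcDir 'InstallExes') `
        -Filter 'cwcconnector*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}: {1}' -f $_.Name, (Get-AuthenticodeSignature -FilePath $_.FullName).Status }

# Count of log lines showing the upgrade-failure symptom.
$report.ChainErrorLogLines = @(Get-ChildItem -Path (Join-Path $wcDir 'Archive') -Recurse `
        -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -SimpleMatch 'The Installer does not have a verifiable certificate chain').Count

[pscustomobject]$report | Format-List
```

A host where `RootPresent` or `IntermediatePresent` is False and either `RootAutoUpdateBlocked` is True or `CaCertsReachable` is False matches the failure conditions the article describes.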