SHA2 Certificates and Citrix Receiver Support

Please be advised of an SSL certificate issue when updating or purchasing new SSL certificates for your Citrix implementations. Make sure that you purchase a SHA1 certificate and not a SHA2 certificate. Vendors are currently selling SHA2 for certificates set to expire in three (3) years or that expire during or after 2017. You will more than likely have to call your vendor and have them reissue a SHA1 certificate that expires at the end of 2016, so that you remain functional until Citrix updates its Receivers to support SHA2 across all products.

Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs that are members of the Windows Root Certificate Program and issue publicly trusted certificates. It will allow CAs to continue to issue SHA1 SSL and code signing certificates until January 1, 2016, and thereafter issue SHA2 certificates only.

The following Citrix Receiver models do not support SHA2 as of 2/25/2014 (this mostly affects the mobile receivers):

  • Linux 13.0
  • iOS 5.8.3
  • Android 3.4.13
  • HTML 5 1.2
  • Playbook 1.0
  • BlackBerry 2.2 / BlackBerry 1.0 Tech Preview

The following Citrix Receiver models do support SHA2 as of 2/25/2014:

  • Windows 4.1 (std)
  • Windows 3.4 (ent)
  • Windows 8/RT (1.4)
  • Windows Phone 8 (1.1)
  • Mac 11.8.2 

Please see the Citrix Receiver Feature Matrix for an updated list.

For more information on Microsoft's deprecation of SHA1, please visit the following link from Microsoft.

You can check which algorithm a certificate uses by opening the certificate and looking at the Details tab.


One Response to SHA2 Certificates and Citrix Receiver Support

  1. I was told Receiver for iOS will be supported with the latest release made available 2014 Q2. As of today, still not supported in latest Receiver download. Also, no verification yet when (if) Citrix Secure Gateway will support this. We have had some success launching SHA-2 encrypted applications using CSG 3.2 and 3.3, but many problems still.