Linux Virtual Delivery Agent

Secure HDX (preview)

You can encrypt ICA sessions end-to-end between the Citrix Workspace app (client) and the VDA (session host).

With end-to-end encryption (E2EE), no intermediate network element, including the Citrix Gateway, can decrypt the ICA traffic; only the Citrix Workspace app and the VDA hold the session keys. The feature strengthens the security posture of your environment and is enabled through a single policy setting.

System requirements

  • Linux VDA minimum version 2311
  • Delivery Controller minimum version 2308
  • StoreFront minimum version 2308
  • Citrix Workspace app for Windows minimum version 2308

Configuration

Enable end-to-end encryption

The end-to-end encryption (E2EE) feature is disabled by default. To enable it, set the Secure HDX policy to Enabled in Citrix Studio.

Schedule certificate renewals

The end-to-end encryption (E2EE) feature requires a self-signed certificate and its private key, both of which the ctxcertmgr service on the Linux VDA creates and manages.

A new self-signed certificate and private key are generated whenever the ctxcertmgr service starts or restarts. By default, the ctxcertmgr service also renews the certificate (including its private key) every 7 days at 2:00 AM. To set your own renewal schedule, use registry settings similar to the following:

/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\SecureHDX" -t "REG_SZ" -v "CaRotationStartDate" -d "2023-10-19" --force

/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\SecureHDX" -t "REG_SZ" -v "CaRotationTime" -d "00:45:30" --force

/opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\SecureHDX" -t "REG_DWORD" -v "CaRotationPeriod" -d "0x00000005" --force

In the above example, the first certificate renewal is set for 00:45:30 on 2023-10-19. After that, the ctxcertmgr service renews the certificate every 5 days at 00:45:30 (CaRotationPeriod is a REG_DWORD in days, written in hexadecimal). The scheduled date and time are interpreted in the local time zone of the Linux VDA, so keep the VDA clock synchronized (for example, with chrony or NTP) so that renewals occur when you expect them.
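The following shell script is an added example, not Citrix tooling from this page. It validates a renewal schedule, prints (or with `--apply` runs) the same three ctxreg commands shown above, and computes when the next renewal is due from the start date, time and period, so you can check that a schedule you are about to write does what you intend. It assumes GNU `date` (for `-d`) and the documented ctxreg path; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not Citrix's own tooling): validate and schedule Secure HDX
# certificate renewal on a Linux VDA, and compute when the next renewal is due.
# Assumes GNU date and the ctxreg path below (override with CTXREG=...).

CTXREG="${CTXREG:-/opt/Citrix/VDA/bin/ctxreg}"
KEY='HKLM\Software\Citrix\SecureHDX'

# Check the three inputs: YYYY-MM-DD date, HH:MM:SS time, positive number of days.
# Returns non-zero (and explains on stderr) when something is malformed.
validate_schedule() {
  local start="$1" at="$2" days="$3"
  case "$start" in
    [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) ;;
    *) echo "bad start date (want YYYY-MM-DD): $start" >&2; return 1 ;;
  esac
  case "$at" in
    [0-2][0-9]:[0-5][0-9]:[0-5][0-9]) ;;
    *) echo "bad time (want HH:MM:SS): $at" >&2; return 1 ;;
  esac
  case "$days" in
    ''|*[!0-9]*|0) echo "bad period (want days > 0): $days" >&2; return 1 ;;
  esac
  return 0
}

# Print the ctxreg commands that write the schedule. CaRotationPeriod is a
# REG_DWORD, so the day count is rendered as the 8-digit hex form ctxreg takes
# (5 -> 0x00000005). Nothing is executed here; see --apply below.
schedule_cmds() {
  local start="$1" at="$2" days="$3" hex
  validate_schedule "$start" "$at" "$days" || return 1
  hex=$(printf '0x%08x' "$days")
  printf '%s create -k "%s" -t "REG_SZ" -v "CaRotationStartDate" -d "%s" --force\n' "$CTXREG" "$KEY" "$start"
  printf '%s create -k "%s" -t "REG_SZ" -v "CaRotationTime" -d "%s" --force\n' "$CTXREG" "$KEY" "$at"
  printf '%s create -k "%s" -t "REG_DWORD" -v "CaRotationPeriod" -d "%s" --force\n' "$CTXREG" "$KEY" "$hex"
}

# Epoch seconds of the first renewal at or after "now" (epoch seconds): the
# first renewal is start+time, then every $days days at the same wall-clock
# time. Dates are resolved in the process time zone (the VDA's local zone, as
# the service does); the candidate is re-derived in calendar days so a DST
# change does not shift the time of day.
next_rotation() {
  local start="$1" at="$2" days="$3" now="$4" first n cand
  validate_schedule "$start" "$at" "$days" || return 1
  first=$(date -d "$start $at" +%s) || return 1
  if [ "$now" -le "$first" ]; then
    echo "$first"
    return 0
  fi
  n=$(( (now - first + days * 86400 - 1) / (days * 86400) ))
  cand=$(date -d "$start $at $((n * days)) days" +%s) || return 1
  if [ "$cand" -lt "$now" ]; then
    cand=$(date -d "$start $at $(((n + 1) * days)) days" +%s) || return 1
  fi
  echo "$cand"
}

# Usage: ./schedule.sh --apply 2023-10-19 00:45:30 5
# Without --apply the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
  shift
  schedule_cmds "$@" | while read -r cmd; do eval "$cmd"; done
fi
```

Run `schedule_cmds 2023-10-19 00:45:30 5` first to see the exact commands, and `next_rotation 2023-10-19 00:45:30 5 "$(date +%s)"` (piped through `date -d @...` if you want it human-readable) to confirm the next renewal time before applying the schedule on the VDA.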
