With Citrix 2511, we migrated to Citrix Cloud DaaS with authentication via Microsoft Entra ID. Apparently, not all SSL certificates for Entra ID and Citrix Cloud are included by default in IGEL OS, or they are located in the wrong client path. During login, users occasionally received the error “unacceptable TLS certificate”, even though we had deployed the required SSL certificates (Citrix Cloud and Microsoft Login root and intermediate certificates) to the thin clients. However, the IGEL UMS imports them into the client path /wfs/ca-certs/. According to the documentation, the Citrix Workspace App for Linux does not check this path (see “Supports system certificate paths for SSL connection” at https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/system-requirements).
For the certificate import, it would be useful to have a multi‑selection option for the client path (system path + additional path). After importing again with the classification “Not defined” and the client path /opt/Citrix/ICAClient/keystore/cacerts/, it now seems to work.
Certificate Authorities used by Citrix Cloud and Microsoft should be included by default and be available for the Citrix Workspace App for Linux (correct client path /opt/Citrix/ICAClient/keystore/cacerts/ or another commonly used standard client path such as /etc/ssl/certs/).