Jump to content
Welcome to our new Citrix community!
  • 0

Workspace Linux client - PIV smartcard for Win10 VM "No valid certificates were found on this smart card."

Charles Kilby


Linux Debian 10, after logging into my organization's Citrix workplace website and authenticating using a PIV smartcard, I launch a Win10 desktop which loads a Citrix Workspace Engine .ica file. Workspace engine loads successfully and I am presented with the Win10 vm's login screen but it says under "Other user" "No valid certificates were found on this smart card."


PIV access to the workplace website and other websites has no issue in Firefox.


I'm stumped why it's not popping up, here's what I've tried:

1. Installed PIV card milddleware opensc and added my smartcard PIV's CAs to Firefox. I have had no issues logging into my organization's websites with PIV authentication.


2. The Citrix Workplace app for Linux x86_64 is installed (icaclient_19.12.0.19_amd64.deb)

a. Citrix configuration was modified to point to the opensc middleware. This was by modifying  /opt/Citrix/ICAClient/config/AuthManConfig.xml under the PKCS11module value like so: <value>/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</value>


b. The Citrix keystore has been updated with the CA authority's chain for my PIV card by copied to the Mozilla keystore and symlinked. This was done by going to the URL "about:preferences#privacy" ->Authorities, scroll down to my organization's section, and then selecting them all and choosing “Export...” and save each .crt file to a local folder. I navigated to the folder I saved them in, and moved them into the mozilla root store at /usr/share/ca-certificates/mozilla/
Then, I symlinked all the Mozilla certificates into the Citrix keystore with:
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts


3. The logs and Citrix pre-requisite utility checks didn't show any error, but I cannot tell if the smart card is not being grabbed by Citrix.

a. To turn on Citrix logging I opened "/opt/Citrix/ICAClient/config/module.ini" in the [WFClient] section set SyslogThreshold from 0 to 7 with "SyslogThreshold=7" then to check citrix logs did:
sudo cat /var/log/syslog | grep wfica

b. To turn on opensc logging modify the config sudo nano /etc/opensc/opensc.conf to add these lines under the default { line:

debug = 3; debug_file = opensc-debug.txt;

Then to check opensc logs:

cat ~/opensc-debug.txt

c. To check Citrix pre-requisites, I ran the Citrix script here:

cd /opt/Citrix/ICAClient/util/ ./hdxcheck.sh

This showed Citrix has smart card support:

Success! - Libpcsclite.so installed. Smartcard support enabled. libpcsclite was found on your system but it's version could not be determined. Make sure you have version 1.5.6 or later

Then to check libpcslite version (mine shows 1.8.24):

/usr/sbin/pcscd --version

I'm not sure where to go next. I tried superuser forums but got down voted so deleting that. I'm hoping someone here recognizes a step I've missed. It looks from the documentation that a smartcard issue where it was not presenting the PIN login popup was resolved in this release of workspace.

Link to comment

3 answers to this question

Recommended Posts

  • 0

Resurrecting this thread in the hopes that you or someone else may have figured this out... I'm having exactly the same issue. Have tested with several recent versions of Citrix Workspace for Linux. I'm on Debian 11.


Smartcard pass-through to a Windows VDI was working fine until I was issued a new Idemia smartcard. The new card works fine for authentication in Firefox from the Linux desktop, but when I reach the Windows login screen at the VDI I get the same "No valid certificates" error mentioned above.


I think the issue may be related to the new smartcard since (a) the old one worked fine with the same client setup, and (b) the new one works fine from a Windows 10 client.

Link to comment
  • 0

Running Ubuntu 22.04 Jammy Jellyfish. Everything seems to be installed and configured correctly but having the exact same issue.. I am able to login to the companys public Citrix portal page with my smartcard. Clicking on the VDI does load the VDI successfully and come up to a Windows logon screen but comes back with "No Valid certificates..." If I remove the smartcard while on the Windows logon screen, it changes to say no card inserted...

Everything works perfectly when logging on from a Windows client using the exact same card reader and smart card.

Below are the results from the Smartcard section output after running the WorkspaceCheck.sh script:
-- Checking Smartcard Support ... -
Success! - libpcsclite.so is installed.
libpcsclite was found on your system but it's version could not be determined.
Make sure you have version 1.5.6 or later
Success! - pcscd is running.
Success! Smartcard support is enabled.


Link to comment
  • 0

Yes, we aren't able to use PIV on our Linux-based thin clients that run CWAL to our Windows 10 desktops. Verified card working in Windows 10-based clients, also verified the card doesn't work on Ubuntu 22.04.


We've contacted Citrix support and it's been basically confirmed that it's an issue with CWAL and the IDEMIA card, but they have no timetable on a possible fix. Hopefully they address it soon.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...