and I spend a week looking for the answer – the basic searches lead to dead ends with old articles about server side stuff
searches like
citrix receiver COMODO RSA
don’t help you find the “good stuff”
the good stuff is #5 here:
https://help.ubuntu.com/community/CitrixICAClientHowTo
quoteing for posterity
By default, Citrix Receiver only trusts a few root CA certificates, which causes connections to many Citrix servers to fail with an SSL error. The 'ca-certificates' package (already installed on most Ubuntu systems) provides additional CA certificates in /usr/share/ca-certificates/mozilla/ that can be conveniently added to Citrix Receiver to avoid these errors: sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/ sudo c_rehash /opt/Citrix/ICAClient/keystore/cacerts/