Error “Could not import the certificate” when uploading external SSL certificate to Citrix Endpoint Management console

To repackage the certificate keystore, rebuild the keystore using the old one.

1. Extract Private key from the old keystore to private-key.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

2. Extract the certificate to certificate.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

3. Open certificate.pem in a text editor

Copy 1st Certificate from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_cert.pem

Copy next 2 or more certificates from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_intermediateandroot.pem

4. Verify ssl cert.

openssl x509 -text -noout -in ssl_cert.pem

5. Verify certificate chain.

openssl x509 -text -noout -in ssl_intermediateandroot.pem

6. Export combined pfx file

openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step will ask for a password.

Related:

  • No Related Posts

Error “Could not import the certificate” when uploading external SSL certificate to Citrix Endpoint Management console

To repackage the certificate keystore, rebuild the keystore using the old one.

1. Extract Private key from the old keystore to private-key.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

2. Extract the certificate to certificate.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

3. Open certificate.pem in a text editor

Copy 1st Certificate from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_cert.pem

Copy next 2 or more certificates from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_intermediateandroot.pem

4. Verify ssl cert.

openssl x509 -text -noout -in ssl_cert.pem

5. Verify certificate chain.

openssl x509 -text -noout -in ssl_intermediateandroot.pem

6. Export combined pfx file

openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step will ask for a password.

Related:

  • No Related Posts

Error “Could not import the certificate” when uploading external SSL certificate to Citrix Endpoint Management console

To repackage the certificate keystore, rebuild the keystore using the old one.

1. Extract Private key from the old keystore to private-key.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

2. Extract the certificate to certificate.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

3. Open certificate.pem in a text editor

Copy 1st Certificate from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_cert.pem

Copy next 2 or more certificates from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_intermediateandroot.pem

4. Verify ssl cert.

openssl x509 -text -noout -in ssl_cert.pem

5. Verify certificate chain.

openssl x509 -text -noout -in ssl_intermediateandroot.pem

6. Export combined pfx file

openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step will ask for a password.

Related:

  • No Related Posts

Error “Could not import the certificate” when uploading external SSL certificate to Citrix Endpoint Management console

To repackage the certificate keystore, rebuild the keystore using the old one.

1. Extract Private key from the old keystore to private-key.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

2. Extract the certificate to certificate.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

3. Open certificate.pem in a text editor

Copy 1st Certificate from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_cert.pem

Copy next 2 or more certificates from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_intermediateandroot.pem

4. Verify ssl cert.

openssl x509 -text -noout -in ssl_cert.pem

5. Verify certificate chain.

openssl x509 -text -noout -in ssl_intermediateandroot.pem

6. Export combined pfx file

openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step will ask for a password.

Related:

  • No Related Posts

Error “Could not import the certificate” when uploading external SSL certificate to Citrix Endpoint Management console

To repackage the certificate keystore, rebuild the keystore using the old one.

1. Extract Private key from the old keystore to private-key.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

2. Extract the certificate to certificate.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

3. Open certificate.pem in a text editor

Copy 1st Certificate from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_cert.pem

Copy next 2 or more certificates from “—-BEGIN CERTIFICATE—–” to “—–END CERTIFICATE—–” to file called ssl_intermediateandroot.pem

4. Verify ssl cert.

openssl x509 -text -noout -in ssl_cert.pem

5. Verify certificate chain.

openssl x509 -text -noout -in ssl_intermediateandroot.pem

6. Export combined pfx file

openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step will ask for a password.

Related:

  • No Related Posts

Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Open the Keychain Access in the Applications > Utilities folder:

    User-added image

  2. Highlight the X509 Anchors Keychain in the menu (you might have to authenticate to do this).

  3. Browse through the Certificate Authorities to find the company that has issued the certificate that is being used by the Secure Gateway/NetScaler Gateway – for this example, Thawte Premium Server CA:

    User-added image

  4. Highlight the certificate and select File > Export from the menu bar:

    User-added image

  5. The default File Format should be Certificate (.cer).

    Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

  6. Save the certificate to the ApplicationsCitrix ICA Clientkeystorecacerts folder (create this folder if it does not exist):

    User-added image

User-added image

Related:

  • No Related Posts

Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Open the Keychain Access in the Applications > Utilities folder:

    User-added image

  2. Highlight the X509 Anchors Keychain in the menu (you might have to authenticate to do this).

  3. Browse through the Certificate Authorities to find the company that has issued the certificate that is being used by the Secure Gateway/NetScaler Gateway – for this example, Thawte Premium Server CA:

    User-added image

  4. Highlight the certificate and select File > Export from the menu bar:

    User-added image

  5. The default File Format should be Certificate (.cer).

    Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

  6. Save the certificate to the ApplicationsCitrix ICA Clientkeystorecacerts folder (create this folder if it does not exist):

    User-added image

User-added image

Related:

  • No Related Posts

Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Open the Keychain Access in the Applications > Utilities folder:

    User-added image

  2. Highlight the X509 Anchors Keychain in the menu (you might have to authenticate to do this).

  3. Browse through the Certificate Authorities to find the company that has issued the certificate that is being used by the Secure Gateway/NetScaler Gateway – for this example, Thawte Premium Server CA:

    User-added image

  4. Highlight the certificate and select File > Export from the menu bar:

    User-added image

  5. The default File Format should be Certificate (.cer).

    Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

  6. Save the certificate to the ApplicationsCitrix ICA Clientkeystorecacerts folder (create this folder if it does not exist):

    User-added image

User-added image

Related:

  • No Related Posts

Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Open the Keychain Access in the Applications > Utilities folder:

    User-added image

  2. Highlight the X509 Anchors Keychain in the menu (you might have to authenticate to do this).

  3. Browse through the Certificate Authorities to find the company that has issued the certificate that is being used by the Secure Gateway/NetScaler Gateway – for this example, Thawte Premium Server CA:

    User-added image

  4. Highlight the certificate and select File > Export from the menu bar:

    User-added image

  5. The default File Format should be Certificate (.cer).

    Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

  6. Save the certificate to the ApplicationsCitrix ICA Clientkeystorecacerts folder (create this folder if it does not exist):

    User-added image

User-added image

Related:

  • No Related Posts

Error: “Invalid Certificate” When Installing SSL Certificate on ADC Appliance

Hidden Control Characters in CertificateKey File

You can use OpenSSL implementation of BSD Unix distribution on ADC to import/export the certificate and key files. The exported files are free of the control characters that are preventing successful installation of the certificate and key files:

  1. Use a secure copy program (WinSCP ) to copy the certificate and key files to the/nsconfig/ssl directory of the ADC appliance.

    The Certificate and Key files can also be uploaded to the ADC using the Configuration Utility. Navigate to Traffic Management > SSL > Manage Certificates / Keys / CSRs > Upload as shown in the following screen shots:

    User-added image

    User-added image

  2. Open a Secure Shell (SSH) session to the appliance, and after authentication, run the shell command to switch to shell.

  3. Navigate to /nsconfig/ssl directory:

    cd /nsconfig/ssl

  4. Use OpenSSL to import and export the certificate file. The following example is for PEM or Base64 certificates:

    openssl x509 -in <certificateFileName> -out <newCertificateFileName>

  5. Use OpenSSL to import and export the key file. The following example is for PEM or Base64 key files:

    openssl rsa -in <keyFileName> -out <newKeyFileName>

You will now be able to successfully import the certificate on the ADC appliance by using the new exported version of the files.

SSL Certificate not Encoded in Base-64 Format

Open the certificate on a Windows computer and convert it to Base-64 encoded X.509 (.CER) and then install the certificate on the appliance:

  1. Go to Start > Run and type mmc on a Windows machine.

    User-added image

  2. Double-click and open the certificate file that you want to convert.

    User-added image

  3. Click Details.

    User-added image

  4. Click Copy to File.

  5. Select the Base-64 encoded X.509 (.CER) option.

  6. Click Next.

    User-added image

  7. Browse to the location you want to save the converted certificate. Name the file with a .cer extension.

    User-added image

  8. Click Next.

Install the converted certificate on the NetScaler appliance.

PKCS #7 Certificate Incorrectly Converted to PEM Format

This error occurs when the PKCS #7 (.p7b) certificate is incorrectly converted to PEM format. Refer to CTX124783 – How to Convert a PKCS #7 Certificate to PEM Format for the correct procedure.

Related:

  • No Related Posts