App Layering – The issuing certificate does not have a usable private key

NOTE: If the below steps do not work review, ask for the additional steps in CTX280659.

Create a new Citrix App Layering Connector through the Enterprise Layer Manager Console:

In case this step does not resolve this issue, let’s apply the steps below.

Run these commands from the hypervisor console or an SSH connection to the ELM:

  • certmgr -list -c -m My | grep -C 3 JwtCertificate
  • certmgr -del -c -m My <UniqueHashHere>
    • <UniqueHashHere> should be the hash from the list command without <>

Rerun the list command to verify nothing is reported back. If you still see a certificate then something is went wrong with the delete:

  • certmgr -list -c -m My | grep -C 3 JwtCertificate

This will regenerate the certificate:

  • systemctl restart maservice

Run the list command again to verify the cert was regenerated with today’s date:

  • certmgr -list -c -m My | grep -C 3 JwtCertificate


  • No Related Posts

Leave a Reply