Error: “SSL Error 61: You have not chosen to trust ‘Certificate Authority’…” on Workspace App for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates, note that older versions of Receiver do not support these certificates. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions that support SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

For Big Sur, please refer to Add certificates to a keychain using Keychain Access on macOS Big Sur

For Catalina, please refer to Add certificates to a keychain using Keychain Access on macOS Catalina


The default File Format should be Certificate (.cer).

Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

Save the certificate to the Applications/Citrix ICA Client/keystore/cacerts folder (create this folder if it does not exist).


Error: “Certificate with key size greater than RSA512 or DSA512 bits not supported” on NetScaler

To resolve this issue, apply either or both of the following resolutions, as required:

After applying the required resolution, the additional ciphers are available and you can add a certificate that has a key size greater than 512 bits. The NetScaler appliance supports certificates with key size 512, 1024, 2048, and 4096 bits.


Error “Your smart card does not have a valid certificate” when using Citrix Receiver for iOS 7.3 with iOS 11

This article is intended for Citrix administrators and technical teams only.

Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.

When users try to connect to StoreFront or NetScaler Gateway with smart cards (PIV or CAC) from Citrix Receiver 7.3 for iOS or earlier versions on iOS 11 devices, they may receive the following error message: “Your smart card does not have a valid certificate”.


However, users connecting from iOS 9 and 10 devices do not see this error and can use smart cards to authenticate to StoreFront or NetScaler Gateway.


Error “Could not import the certificate” when uploading external SSL certificate to Citrix Endpoint Management console

To repackage the certificate keystore, rebuild the keystore using the old one.

1. Extract Private key from the old keystore to private-key.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nocerts -out private-key.pem -nodes

2. Extract the certificate to certificate.pem

openssl pkcs12 -in <oldkeystorefile>.pfx -nokeys -out certificate.pem

3. Open certificate.pem in a text editor

Copy the first certificate, from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----”, to a file called ssl_cert.pem

Copy the next 2 or more certificates, each from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----”, to a file called ssl_intermediateandroot.pem

4. Verify ssl cert.

openssl x509 -text -noout -in ssl_cert.pem

5. Verify certificate chain.

openssl x509 -text -noout -in ssl_intermediateandroot.pem

6. Export combined pfx file

openssl pkcs12 -export -out ssl_cert_with_full_chain.pfx -inkey private-key.pem -in ssl_cert.pem -certfile ssl_intermediateandroot.pem

Note: This step will ask for a password.
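
Steps 3 to 5 can be scripted and checked before step 6. The following is an added example, not part of the original article: it splits certificate.pem automatically, confirms that the private key belongs to the first certificate, and confirms that the remaining certificates chain it to a root (openssl x509 -text prints only the first certificate in a file, so it does not show whether the chain links up). The function names, the throwaway demo PKI and the password "demo" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: automate step 3, then check the parts before
# step 6. File names follow the article; function names and demo PKI are constructed.

# split_bundle BUNDLE LEAF CHAIN: first certificate -> LEAF, later ones -> CHAIN.
# Only text between the BEGIN/END markers is copied ("Bag Attributes" is dropped).
split_bundle() {
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside { print > (n == 1 ? leaf : chain) }
    /-----END CERTIFICATE-----/   { inside = 0 }' "$1"
}

# key_matches KEY CERT: succeeds when the private key belongs to the certificate.
key_matches() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_links LEAF CHAIN: succeeds when LEAF verifies up to a self-signed root
# using the certificates in CHAIN. CHAIN is treated as trusted, so this proves the
# bundle is complete and correctly signed, not that clients trust its root.
chain_links() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pfx: constructed input, a throwaway root -> intermediate -> leaf
# packed into old.pfx (password "demo") in the current directory.
make_demo_pfx() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj "/CN=demo-$n" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out int.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
  cat int.pem root.pem > chain.pem
  openssl pkcs12 -export -out old.pfx -inkey leaf.key -in leaf.pem -certfile chain.pem -passout pass:demo
}

# run_demo: steps 1-2 from the article, then the split and both checks.
run_demo() {
  cd "$(mktemp -d)" && make_demo_pfx || return 1
  openssl pkcs12 -in old.pfx -nocerts -nodes -out private-key.pem -passin pass:demo 2>/dev/null
  openssl pkcs12 -in old.pfx -nokeys -out certificate.pem -passin pass:demo 2>/dev/null
  split_bundle certificate.pem ssl_cert.pem ssl_intermediateandroot.pem
  key_matches private-key.pem ssl_cert.pem && chain_links ssl_cert.pem ssl_intermediateandroot.pem
}
run_demo && echo "key and chain OK: safe to run step 6"
```

Because step 1 uses -nodes, private-key.pem holds the private key unencrypted; delete it once the new .pfx has been built and imported.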


Unable to use TLS/SSL LDAP Auth after ADM upgrade to latest build 13.0-71.40 – TLS Handshake fails with “Unknown CA”

A permanent fix is provided in the next build, ADM 13.0-76.xx, and above.

Workaround

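Run one of these commands in the ADM CLI to override the faulty certificate attribute retrieval code. LDAPTLS_REQCERT=never tells the ldapsearch client not to request or verify the LDAP server's certificate for that command. Customers can keep their existing LDAP settings; there is no need to change anything. External authentication should then work correctly over SSL/TLS.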

For SSL

LDAPTLS_REQCERT=never ldapsearch -D CN=[service_account],CN=users,DC=lab,DC=com -H ldaps://[ldap_ip]:636 -b DC=lab,DC=com -Z -A -o nettimeout=3 -w [passwd]

For TLS

LDAPTLS_REQCERT=never ldapsearch -D CN=[service_account],CN=users,DC=lab,DC=com -H ldap://[ldap_ip]:389 -b DC=lab,DC=com -Z -A -o nettimeout=3 -w [passwd]

Customers can safely proceed and configure LDAP server with security type TLS/SSL. There wouldn’t be any impact.


SSL Error 76: “The security certificate was revoked” When Launching an Application Using NetScaler Gateway

SSL error 76 occurs when a certificate is revoked and it is part of a Certificate Revocation List (CRL). If the revoked certificate is still in use, the ICA client displays this error.

However, even after replacing the certificate with a valid one, the error could still occur. This might happen because of cached CRLs in the user’s profile or machine cache that still identify the certificate as revoked.


“Missing Root Certificate” While Launching StoreFront Management Console In Versions 3.0.1000 & 3.0.2000

When launching the StoreFront management console released with LTSR 7.6 Cumulative Update 1 or 2, the following error is displayed in the console:

“The management console is unavailable because a root certificate is missing. Go to VeriSign and download the certificate VeriSign class 3 Primary CA – G5”


Error: “Cannot Complete Your Request” Due to Misconfigured or Expired Certificates on StoreFront

Complete the following steps on all the StoreFront servers to troubleshoot this issue:

  1. Open the IIS console > Servername > Server Certificates.

     1) Make sure the certificate's Issued To name matches the StoreFront Base URL.

     2) Make sure the certificate has not passed its Expiration Date.

     3) View the Certificate Details tab of the certificate and verify that it contains a private key. If using a SAN certificate, make sure the StoreFront Base URL is listed under the subject alternative names. Wildcard certificates are also supported.

     4) View the Certification Path tab of the certificate and confirm that all the Intermediate and Root certificates are properly installed to complete an SSL handshake.

     For more information regarding server certificates, refer to the Microsoft articles Server Certificate Deployment and Configure intermediate certificates on a computer that is running IIS for server authentication.

  2. Open the IIS console > Servername > Sites > Default Web Site > Bindings.

     1) Make sure there is a binding for HTTPS over port 443.

     2) Make sure the SSL certificate matches the StoreFront Base URL.

     3) Make sure the host name field is empty.

     For more information regarding adding a binding, refer to the Microsoft article SSL Bindings.


Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates, note that older versions of Receiver do not support these certificates. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions that support SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Open Keychain Access in the Applications > Utilities folder.

  2. Highlight the X509 Anchors Keychain in the menu (you might have to authenticate to do this).

  3. Browse through the Certificate Authorities to find the company that issued the certificate used by the Secure Gateway/NetScaler Gateway (in this example, Thawte Premium Server CA).

  4. Highlight the certificate and select File > Export from the menu bar.

  5. The default File Format should be Certificate (.cer).

    Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

  6. Save the certificate to the Applications/Citrix ICA Client/keystore/cacerts folder (create this folder if it does not exist).