Error: “SSL Error 61: You have not chosen to trust ‘Certificate Authority’…” on Workspace App for Mac

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

For Big Sur, please refer to Add certificates to a keychain using Keychain Access on macOS Big Sur

For Catalina, please refer to Add certificates to a keychain using Keychain Access on macOS Catalina


The default File Format should be Certificate (.cer).

Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.

Save the certificate to the ApplicationsCitrix ICA Clientkeystorecacerts folder (create this folder if it does not exist):

User-added image

Related:

  • No Related Posts

How to Configure SSL on XenDesktop Controllers to Secure XML Traffic

From XenDesktop Controller

IIS Installed on XenDesktop Controller

In this scenario, the XenDesktop controller has IIS installed and functioning to serve Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.

There are two ways to generate Server Certificates on IIS 7.x:

  • Create Certificate Request: This generates a CSR file to be submitted to a third party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to Microsoft TechNet article – Request an Internet Server Certificate (IIS 7)

  • Create Domain Certificate: This generates a CSR file and submits it to your domain registered Microsoft CA server. For more information, refer to the Microsoft TechNet article – Create a Domain Server Certificate on IIS 7.

    User-added image

After the Server Certificate is installed on IIS, ensure to set the Bindings to enable HTTPS on IIS by completing the following procedure:

  1. Select the IIS site that you want to enable HTTPS and select Bindings under Edit Site.

    User-added image

  1. Click Add, select Type as https, port number as 443, select the SSL Certificate that you installed and click OK.

    User-added image

  1. Open Registry Editor on XenDesktop Controller and look for the following key name.

    HKEY_LOCAL_MACHINESOFTWARECitrixDesktopServer.

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  1. Verify that XmlServicesSslPort registry key exists with the correct value for SSL port. By default, it is set to 443.

    User-added image

  1. Change the XML service port.

    You can do this using PowerShell by running the following command:

    BrokerService –WiSslPort <port number>

    Note
    : If you decide to change the XML service port number on XenDesktop Controller, ensure to update the IIS port number as well under Bindings to match the new value.

IIS is not Installed on XenDesktop Controller

In this scenario, the XenDesktop Controller does not have IIS installed. As a result, there are a few ways to obtain a Server Certificate for the Controller:

  • Export an existing Server Certificate from another server in PFX format. When exporting the Server Certificate, ensure to select the private key as well.

  • You can use the Certreq utility from Microsoft to generate a Certificate Signing Request and submit it to a third party CA or your internal Microsoft CA server. For more information, refer to the Microsoft TechNet article – Certreq.exe Syntax.

    Note: Ensure to always import the PFX server certificates under the XenDesktop controller Local Computer certificate store and not My user account.

    User-added image

After the Server Certificate is installed on XenDesktop Controller, register the SSL certificate for HTTPS on the server. To accomplish this, Windows 2008 has a built-in utility called netsh that allows you to bind SSL certificates to a port configuration. For more information, refer to the Microsoft MSDN article – How to: Configure a Port with an SSL Certificate

The following is the command that you must use:

netsh http add sslcert ipport=0.0.0.0:<port Number> certhash=<hash number> appid={XenDesktop Broker Service GUID}

To obtain the certificate hash of a Server Certificate, open the Registry Editor, and open the following key name location and search for the Server Certificate that you want to use:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesMYCertificates

User-added image

An alternative to obtain this certificate hash

  1. Open the Server Certificate and under the Details tab, select Thumprint:

    User-added image

  1. Obtain the GUID of the XenDesktop controller Citrix Broker Service.

  2. Open Registry Editor and select Find.

  3. Search for Broker Service words. By default, the location is in HKEY_CLASSES_ROOTInstallerProducts (see the following example):

    User-added image

  1. Now that you have the certificate hash and Citrix Broker Service GUID, you can run the netsh command to bind the SSL certificate to port 443 and Citrix Broker Service. The following example is based on the GUID and certificate hash values taken from the preceding screenshots:

    Here is command to get the GUID

    Run the below command in Elevated command prompt on the DDC

    wmic product where “Name like ‘Citrix Broker Service'” get Name,identifyingnumber

    IdentifyingNumber

    ​C: >netsh http add sslcert ipport=10.12.37.231:443 certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}

    Note
    : For GUID, ensure to include dashes (-). Otherwise, the command cannot run successfully.

A successful bind looks as displayed in the following screen shot:

User-added image

From the Web Interface server

Configure the XenApp Web Site or XenApp Services Site to use HTTPS and 443 as Transport Type and XML Service port respectively under Server Farms.

User-added image

Note: To have a successful SSL connection to the XenDesktop 5 Controller, ensure that Web Interface has installed the Trusted Root certificate (under Local Computer certificate store).

Related:

  • No Related Posts

SSL Error 76: “The security certificate was revoked” When Launching an Application Using NetScaler Gateway

SSL error 76 occurs when a certificate is revoked and it is part of a Certificate Revocation List (CRL). If the revoked certificate is still in use, the ICA client displays this error.

However, even after replacing the certificate with a valid one, the error could still occur. This might happen because of cached CRLs in the user’s profile or machine cache that still identify the certificate as revoked.

Related:

  • No Related Posts

“Missing Root Certificate” While Launching StoreFront Management Console In Versions 3.0.1000 & 3.0.2000

When launching the StoreFront management console released with LTSR 7.6 Cumulative Update 1 or 2, the following error is displayed in the console:

“The management console is unavailable because a root certificate is missing. Go to VeriSign and download the certificate VeriSign class 3 Primary CA – G5”

StoreFront missing root certificate error

Related:

  • No Related Posts

Error: “Cannot Complete Your Request” Due to Misconfigured or Expired Certificates on StoreFront

Complete the following steps on all the StoreFront servers to troubleshoot this issue:

  1. Open the IIS console > Servername > Server Certificates

1) Make sure the Certificate Issued To name matches the StoreFront Base URL.

2) Make sure the Expiration Date is not expired.

3) View the Certificate Details tab of the certificate, verify it contains a private key. If using a SAN certificate, make sure the StoreFront Base URL is listed under the subject alternative names. Wildcard certificates are also supported.

4) View the Certification Path tab of the certificate, confirm that all the Intermediate and Root certificates are properly installed to complete an SSL Handshake.

For more information regarding Server certificates, refer to Microsoft article

Server Certificate Deployment

Configure intermediate certificates on a computer that is running IIS for server authentication

  1. Open the IIS console > Servername > Sites > Default Web Site > Bindings.
1) Make sure there is a binding for HTTPS over port 443.

2) The SSL certificate matches the StoreFront Base URL.

3) The host name field is empty.

For more information regarding adding a binding, refer to Microsoft article – SSL Bindings

Related:

  • No Related Posts

Error: “SSL Error 61: You have not chosen to trust 'Certificate Authority'…” on Receiver for Windows

Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.

Update to the Latest Receiver Version

  • Upgrade to the latest version of Receiver to verify if this resolves the issue.
  • If you are using SHA2 certificates then the older version of Receiver does not support these certificate. Refer to CTX200114 – Citrix Receiver Support for SHA-2 to view the Receiver versions which supports SHA-2 certificates.

If this does not resolve the issue then proceed to the next section.

For information on Receiver feature updates refer to – Citrix Receiver Feature Matrix.

Missing Root/Intermediate Certificate

This error message suggests that the client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the NetScaler Gateway server certificate.

Complete the following steps to resolve this issue:

  1. Download or obtain the SSL root certificate/intermediate certificate (.crt/.cer) file issued by your SSL certificate provider.

    Root certificate/intermediate certificate can be downloaded from your SSL certificate provider’s website or can be obtained on request. Usually root certificate is present in the certificate bundle provided by your SSL service provider along with intermediate and server certificates.

  2. Install the root certificate/intermediate certificate on the client machine.

  3. If an antivirus is installed on the client machine then ensure that the antivirus trusts the certificate.

This process pairs your client machines with the server machine, and is necessary if you do not use a certificate verified by a commercial SSL certificate provider. Most commercial certificate providers arrange to have their certificates pre-installed on machines through an agreement with the operating system creator (Microsoft, Apple, and so on).

User-added image

Server Certificate is Not RFC 3280 Compliant

SSL Error 61 can occur when the server certificate is not compliant with the instructions in RFC 3280 regarding the Enhanced Key Usage field.

The system administrator might need to contact the certificate authority who sold the faulty certificate and inform them that the certificate is in violation of RFC 3280. Also ask the certificate authority to issue a new certificate that contains the following key usage value in addition to any other required values:

Server Authentication (1.3.6.1.5.5.7.3.1)

NetScaler Gateway acts as an SSL server, so Server Authentication (1.3.6.1.5.5.7.3.1) must be listed among the designated key uses if any are present. If the Extended Key Usage field is not present in the certificate, the certificate might be considered valid.

Some certificate authorities erroneously issue certificates that contain only the following key usage extensions that indicate support for Server-Gated Cryptography (SGC):

  • Unknown Key Usage (2.16.840.1.113730.4.1)

  • Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)

These extensions are intended as a signal to Netscape and Internet Explorer web browsers that they should negotiate 128-bit encryption regardless of the normal capabilities of the client. They have no effect on the ICA client. When these two values are the only items listed in the Enhanced Key Usage field, the certificate is in violation of RFC 3280 and should be rejected by SSL clients seeking server authentication.

User-added image

Note: Not all SGC compliant certificates are missing the Server Authentication value and not all invalid certificates are SGC compliant.

After you receive an updated certificate with the correct usage fields listed, replace the certificate on your NetScaler Gateway server using the MMC Certificates snap-in.

Related:

  • No Related Posts

How to Convert a PKCS #7 Certificate to PEM Format for Use with NetScaler

This article describes how to convert a certificate that is received from the Certificate Authority (CA) in PKCS #7 format to PEM format.

Background

This is an alternative method of converting a PKCS #7 Certificates to PEM format, rather than using Open SSL, which sometimes might not work correctly. You receive a certificate from the CA in PKCS #7 [Crypto Graphic message syntax standard] format. The file extension for the certificate is .p7b.

Related:

  • No Related Posts

Citrix Studio Slow on Start Up with Error: This snap-in is not responding

To resolve this issue, you can either provide the computer with internet access so it can verify the Authenticode signature, or disable the Authenticode signature checking feature for Microsoft Management Console as shown in the following snap- in.

Within the Internet Explorer, clear Check for publisher’s certificate revocation, as displayed in the following screen shot:

(Accessible through: Tools > Internet Options > Advanced (tab) > Security (Item))

Check for publisher’s certificate revocation

Related:

Error:”An SSL connection to the server couldn't be established” while trying to authenticate to StoreFront using Linux Receiver

1. Obtain the root certificate in PEM format.

Tip: If you cannot find a certificate in this format, use the openssl utility to convert a certificate in CRT format to a .pem file.

2. As the user who installed the package (usually root):

  • Copy the file to $ICAROOT/keystore/cacerts.
  • Run the following command: $ICAROOT/util/ctx_rehash

Related:

  • No Related Posts