Certificate error when using Citrix Receiver

Question

I am getting this error when attempting to load a Desktop module up within Citrix Receiver:

What I don't understand is I can see this particular certificate is set to "Trust.." under any/all circumstances that I can find. This only happens in Ubuntu, and I did not installed any certificates (manually) on either partition when trying to correct the issue. The browser also appears to be irrelevant (Chrome/Firefox both generate the same error). Forgive my ignorance on certificates, but this seems to be beyond my expertise.

There are a few places I've looked through various search engines, and I found other users who have had similar issues with certificates in the Linux Citrix Receiver, but I'm not sure what's wrong with this certificate, as none of the other suggestions I've tried have worked so far, and they're too numerous to go into detail... so I'd like to take it from here and see what you all can offer up.

Answer 1

To prevent the SSL error 61 when accessing remote sessions:

Make Firefox's certificates accessible to Citrix,

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
sudo /opt/Citrix/ICAClient/util/ctx_rehash

^{Source: Citrix help page}

Answer 2

Newer versions of the receiver require you to convert the CRT file to PEM, place the crt in a specific directory, and run a citrix utility.

If your installation is in /opt/Citrix/ICAClient and assuming the signing root certificate or CA is an existing one in ca-certificates:

1. Get to the certificates directory:

cd /usr/share/ca-certificates/mozilla/

2. Convert the desired CRT to PEM :

sudo openssl x509 -outform pem -in [SIGNING_CERTIFICATE_YOU_ID_FROM_COMPANY_WEBSITE.crt] -out [NEW_CERT_PICK_YOUR_NAME.pem]

3. Link it to the Citrix directory and rehash:

sudo ln -s NEW_CERT /opt/Citrix/ICAClient/keystore/cacerts/
cd /opt/Citrix/ICAClient/util
sudo ./ctx_rehash

If the CA is not a known and trusted one present in the /usr/share/ca-certificates/mozilla directory mentioned above:

1. Download it using your browser's security info on the site

2. Convert it to PEM Move it, and rehash: Step 3 above.

Left the crossed out text for anyone needing those instructions for whatever reason but I recently tested just moving the CRT to the directory and the rehash utility will convert as needed.

Answer 3

some users (like me) might find that even after linking Firefox to the cacerts folder the error persists.

That appears to be because Citrix does not supply all of the latest certificates.

The solution appears to be to note the certificate said to be "not trusted" (eg "Verisign Class 3 Public Primary Certification Authority - G5") then export it from Firefox (under the Preferences menu then Certificates) to */ICAClient/keystore/cacerts.

Worked for me. Hope this helps.

Answer 4

a bit late to the discussion, but found the below to work for version 23.3.0.32. got this from Peter Smith's answer here. i was having a difficult time with .crt vs .pem certificate extensions and this resolved my issue.

sudo rm -rfv /opt/Citrix/ICAClient/keystore/cacerts
cd /opt/Citrix/ICAClient/keystore/    
sudo ln -s /etc/ssl/certs cacerts
/opt/Citrix/ICAClient/util/ctx_rehash

Answer 5

I've the same error, but with a certificates trusted by my FireFox. So after copy the root ca certificate and converted these in crt files, the ICA client run without problem. Hope this info will be useful

Answer 6

I had the same issue and solved it this way:

1. Place certificate to be trusted in /usr/local/share/ca-certificates
2. Execute sudo update-ca-certificates
   You should see something line this:
   1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d.... Adding debian:SymantecClass3SecureServerCA-G4.pem
3. Use Google Chrome instead of Firefox