In this post I explain how I tried to troubleshoot this issue, if you need the solution, go at the end of this post.

My company (Activlan) had to renew our certificate installed on our Citrix Secure Gateway 3.1.3. As you might know, Citrix has issued some virtual appliance and I had to chose between, Citrix Access Gateway 4.6.2 VPX and Netscaller VPX Express (Free !). My choice was to integrate a Citrix Access Gateway (CAG) mainly because we are using other product to manage VPN to all our customers and I wanted to install what I needed, nothing less, nothing more.

So here we go, I got my xva file from MyCitrix account and I just deploy it on our XenServer, very easy, very simple, just some clicks. Once installed and basics configuration set, I had to generate the CSR (Certificate Signing Request) and wait for Verisign to send me the certificate I had to use with the CAG. This was a big adventure and of course I should have read the manual before, and configuration isn’t so easy but I guess when you do it all day long you begin to know everything and I can say now, I know how to troubleshoot a CAG from the client side to the Web Interface. (more…)

23 1.85 K

  • My Mac OS version is 10.6.2 and apparently this solution doesn’t work on older Mac OS versions…

  • I found a very usefull link to test Verisign SSL certificate installation :

  • Toddler : This is for Citrix Secure Gateway (CSG) my problem is with Citrix Access Gateway (CAG)
    I think I have the solution, I must way to test it and post it.

  • Doug Liddell

    Stephane… Thank you for the Verisign Cert tester.

    This saved me hours of greif, actually hours more greif because i spent about 6 hours troubleshooting this problem and it turned out to be a darn cert issue.


  • Re issuing the certificate and importing it onto my Citrix Access Gateway with the intermediate certificate resolve this problem once and for all

  • Here is how you can address the issue.

    On the NETSCALER or CAG generate a Certificate request and copy it to you PC or MAC.

    Goto the Verisign site and request your certificate by coping in the text and selecting the platform to be either Appache or Old Standard SSL.

    When the certificate arrives, there is a link to download the certificate from Verisign. Click the download link and then copy the code for x509… not PKCS 7. There is also a link on the same site to copy the code for the intermediate CA. On that site it will have two codes one for certificates generated after May 2009 and one for before. If you selected Old Standard SSL, then chose the intermediate one before May 2009.

    You import the certificates and then link them in the configuration.

    You don’t need to install the root or intermediate CA on the client.

  • Jwahar Bammi

    I am not being able to interpret
    “Importing the certificate didn’t work also, but importing the certificate with the intermediate certificate did the trick. A bit more explanation about Intermediate Certificate here.”

    Went to the verisign site, downloaded, importerd all the .cer’s in there, i still get the SSL error 61. Please could you spell out for dummies like me how exactly do you import intermediate certificates (where are they in the set of files that were packed by verisign into

    thanks in advance

  • al

    mate that was it. the intermediate cert

    I imported verisign class 3 extended validation ssl sgc ca to my keystore


  • Aaron

    You need to download the appropriate intermediate certificate and open it with Keychain.

  • Yep Aaron, you got it right


  • Joe Cool


  • Thx Joe !

  • Karl


    but where can I download this “intermediate certificate?


  • Hi Karl,

    it depends of your certicate provider


  • Karl

    thanks. Then I have to ask our it guy in my company where from I will get this.


  • Citrix Online Plug-in for Mac, SSL Error 61: You have not chosen to trust…:

  • GC

    I’ve just experienced this error. The root certs in Keychain seem fine. I treid a few intermediate certs from VeriSign’s website, none fixed the issue. I then exported the intermediate cert from my Win7 pc and installed it on the mac, and that worked.

  • Nathanael

    im new to all of this.. Ive downloaded the Class 3 G2 certificates but where do you get the intermediate certificates from…??

  • Leonardus78

    I’ve downloaded the certificates from the following site. After downloading I’ve put the two intermediate certificates under applications/citrix/keystore/cacerts/

    Secondly, right-click and open .crt files with Keychain Access.

    Then restart Citrix. This worked for me.

  • Leonardus78
  • Thank you for the tip Leonardus78 !