In this post I explain how I tried to troubleshoot this issue, if you need the solution, go at the end of this post.
My company (Activlan) had to renew our certificate installed on our Citrix Secure Gateway 3.1.3. As you might know, Citrix has issued some virtual appliance and I had to chose between, Citrix Access Gateway 4.6.2 VPX and Netscaller VPX Express (Free !). My choice was to integrate a Citrix Access Gateway (CAG) mainly because we are using other product to manage VPN to all our customers and I wanted to install what I needed, nothing less, nothing more.
So here we go, I got my xva file from MyCitrix account and I just deploy it on our XenServer, very easy, very simple, just some clicks. Once installed and basics configuration set, I had to generate the CSR (Certificate Signing Request) and wait for Verisign to send me the certificate I had to use with the CAG. This was a big adventure and of course I should have read the manual before, and configuration isn’t so easy but I guess when you do it all day long you begin to know everything and I can say now, I know how to troubleshoot a CAG from the client side to the Web Interface.
This error I got with my Mac didn’t show up on my Windows computers. In fact Apple doesn’t have a very big list of root certificate install on their OS compare to Windows. Here is the error message I got when I wanted to launch published application (XenApp). I was able to login in the CAG and the Web Interface as well, but not able to launch application.
SSL Error 61: You have not chosen to trust “Verisign Class 3 Secure Server CA – G2”, the issuer of the server’s security certificate.
Error number: 183
Sexy message, isn’t it ?
After searching around a bit I found this thread on Citrix’s forums : everything went clear, I didn’t had the root certificate on my computer to validate my brand new certificate from Verisign… So I tried to find how to get these root certificates, especially Verisign Class 3 Secure Server CA – G2, the one I needed. I found this Verisign address where you just have to fill a form to get a zip with everything what you might need :
Stephane-THIRIONs-MacBook:VeriSign Root Certificates stephane$ ls ./*
./Roots ReadMe.txt ./SHA1 Thumbprints.txt ./Serial Numbers.txt
./Generation 1 (G1) PCAs:
Class 1 Public Primary Certification Authority.cer Class 2 Public Primary Certification Authority.cer Class 3 Public Primary Certification Authority.cer
Class 1 Public Primary Certification Authority.pem Class 2 Public Primary Certification Authority.pem Class 3 Public Primary Certification Authority.pem
Class 1 Public Primary Certification Authority.txt Class 2 Public Primary Certification Authority.txt Class 3 Public Primary Certification Authority.txt
./Generation 2 (G2) PCAs:
Class 1 Public Primary Certification Authority - G2.cer Class 2 Public Primary Certification Authority - G2.pem Class 3 Public Primary Certification Authority - G2.txt
Class 1 Public Primary Certification Authority - G2.pem Class 2 Public Primary Certification Authority - G2.txt Class 4 Public Primary Certification Authority - G2.cer
Class 1 Public Primary Certification Authority - G2.txt Class 3 Public Primary Certification Authority - G2.cer Class 4 Public Primary Certification Authority - G2.pem
Class 2 Public Primary Certification Authority - G2.cer Class 3 Public Primary Certification Authority - G2.pem Class 4 Public Primary Certification Authority - G2.txt
./Generation 3 (G3) PCAs:
VeriSign Class 1 Public Primary Certification Authority - G3.cer VeriSign Class 3 Public Primary Certification Authority - G3.cer
VeriSign Class 1 Public Primary Certification Authority - G3.pem VeriSign Class 3 Public Primary Certification Authority - G3.pem
VeriSign Class 1 Public Primary Certification Authority - G3.txt VeriSign Class 3 Public Primary Certification Authority - G3.txt
VeriSign Class 2 Public Primary Certification Authority - G3.cer VeriSign Class 4 Public Primary Certification Authority - G3.cer
VeriSign Class 2 Public Primary Certification Authority - G3.pem VeriSign Class 4 Public Primary Certification Authority - G3.pem
VeriSign Class 2 Public Primary Certification Authority - G3.txt VeriSign Class 4 Public Primary Certification Authority - G3.txt
./Generation 4 (G4) PCA:
VeriSign Class 3 Public Primary Certification Authority - G4.cer VeriSign Class 3 Public Primary Certification Authority - G4.txt
VeriSign Class 3 Public Primary Certification Authority - G4.pem
./Generation 5 (G5) PCA:
VeriSign Class 3 Public Primary Certification Authority - G5.cer VeriSign Class 3 Public Primary Certification Authority - G5.txt
VeriSign Class 3 Public Primary Certification Authority - G5.pem
./VeriSign Universal Root CA:
VeriSign Universal Root Certification Authority.cer VeriSign Universal Root Certification Authority.pem VeriSign Universal Root Certification Authority.txt
Stephane-THIRIONs-MacBook:VeriSign Root Certificates stephane$
As you can see, the root certificate I’m looking for is here. I just find the good file and click on it, after validate this action with my password the certificate was install in the system Keychain Access in my Mac. You can go to check if the certificate is correctly installed, open Keychain Access in your Mac utilities folder (cmd+shift+U) :
Here it is. I though I was good to go and able to launch my applications, but no, not yet… I still got the same error message… My next step was to import our new certificate on my Mac as well following the same step as above. Importing the certificate didn’t work also, but importing the certificate with the intermediate certificate did the trick. A bit more explanation about Intermediate Certificate here.
Question : Did our new certificate with the intermediate certificate without the root certificate update is enough to make it work ? The answer is YES
Conclusion: If you have this issue, don’t follow the error message on your screen, your computer might have everything needed about root certificate,. The only thing missing is your new certificate with the intermediate certificate. I don’t know why we need to import this certificate yet but I will find out. Certificate are not really my cup of tea with PKI, private key, public key etc… I need to dive again in this subject for a while to understand.
Update : Re issuing the certificate and importing it onto my Citrix Access Gateway with the intermediate certificate