Certificate error when using Citrix Receiver
To prevent the SSL error 61 when accessing remote sessions:
Make Firefox's certificates accessible to Citrix:
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
Source: Citrix help page
Newer versions of the receiver require you to convert the CRT file to PEM, place the crt in a specific directory, and run a Citrix utility.
If your installation is in /opt/Citrix/ICAClient
and assuming the signing root certificate or CA is an existing one in ca-certificates:
1. Get to the certificates directory:
cd /usr/share/ca-certificates/mozilla/
2. Convert the desired CRT to PEM:
sudo openssl x509 -outform pem -in [SIGNING_CERTIFICATE_YOU_ID_FROM_COMPANY_WEBSITE.crt] -out [NEW_CERT_PICK_YOUR_NAME.pem]
3. Link it to the Citrix directory and rehash:
# ln -s stores the target exactly as typed, so give it an absolute path
sudo ln -s "$PWD/NEW_CERT" /opt/Citrix/ICAClient/keystore/cacerts/
cd /opt/Citrix/ICAClient/util
sudo ./ctx_rehash
If the CA is not a known and trusted one present in the /usr/share/ca-certificates/mozilla directory mentioned above:
Download it using your browser's security info on the site
Convert it to PEM
Move it, and rehash: Step 3 above.
I left the crossed-out text for anyone needing those instructions for whatever reason, but I recently tested just moving the CRT to the directory, and the rehash utility will convert as needed.
Some users (like me) might find that even after linking Firefox to the cacerts folder the error persists.
That appears to be because Citrix does not supply all of the latest certificates.
The solution appears to be to note the certificate said to be "not trusted" (e.g. "Verisign Class 3 Public Primary Certification Authority - G5"), then export it from Firefox (under the Preferences menu, then Certificates) to */ICAClient/keystore/cacerts.
Worked for me. Hope this helps.
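
The answers above place a downloaded or browser-exported CA file into the Citrix keystore. As an added example (not part of any answer above and not Citrix's own tooling), this script checks such a file before installing it. It assumes you have the CA's SHA-256 fingerprint from an independent source; the function names add_citrix_ca and norm_fp are hypothetical.

```shell
#!/bin/sh
# Added example: vet a CA certificate before copying it into the Citrix keystore.
# Run as a user who can write to the keystore (e.g. via sudo).
# add_citrix_ca and norm_fp are hypothetical helper names.
KEYSTORE_DEFAULT=/opt/Citrix/ICAClient/keystore/cacerts

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare lowercase hex.
norm_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# add_citrix_ca CERT_FILE EXPECTED_SHA256 [KEYSTORE_DIR]
# EXPECTED_SHA256 must come from a source other than the download itself.
add_citrix_ca() {
    cert=$1; expected=$2; keystore=${3:-$KEYSTORE_DEFAULT}

    # 1. The file must parse as X.509, in PEM or DER encoding.
    if openssl x509 -inform PEM -in "$cert" -noout 2>/dev/null; then form=PEM
    elif openssl x509 -inform DER -in "$cert" -noout 2>/dev/null; then form=DER
    else echo "reject: $cert is not an X.509 certificate" >&2; return 1
    fi

    # 2. It must not be expired (-checkend 0 fails if notAfter has passed).
    openssl x509 -inform "$form" -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "reject: certificate has expired" >&2; return 2; }

    # 3. It must be marked as a CA. Legacy v1 roots lack this extension and
    #    are rejected here on purpose; review those by hand.
    openssl x509 -inform "$form" -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "reject: basicConstraints is not CA:TRUE" >&2; return 3; }

    # 4. Its SHA-256 fingerprint must match the independently obtained value.
    actual=$(openssl x509 -inform "$form" -in "$cert" -noout -fingerprint -sha256)
    [ "$(norm_fp "$actual")" = "$(norm_fp "$expected")" ] ||
        { echo "reject: fingerprint mismatch" >&2; return 4; }

    # 5. Store a PEM copy (a real file, so no dangling symlink) and rehash.
    name=$(basename "$cert"); name=${name%.*}.pem
    openssl x509 -inform "$form" -in "$cert" -outform PEM \
        -out "$keystore/$name" || return 5
    rehash=$(dirname "$(dirname "$keystore")")/util/ctx_rehash
    if [ -x "$rehash" ]; then "$rehash"; fi
    echo "installed $keystore/$name"
}

if [ "$#" -ge 2 ]; then add_citrix_ca "$@"; fi
```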