Certificate error when using Citrix Receiver

To prevent the SSL error 61 when accessing remote sessions:

Make Firefox's certificates accessible to Citrix,

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

Source: Citrix help page


Newer versions of the receiver require you to convert the CRT file to PEM, place the crt in a specific directory, and run a citrix utility.

If your installation is in /opt/Citrix/ICAClient and assuming the signing root certificate or CA is an existing one in ca-certificates:

  1. Get to the certificates directory:
cd /usr/share/ca-certificates/mozilla/

2. Convert the desired CRT to PEM :

sudo openssl x509 -outform pem -in [SIGNING_CERTIFICATE_YOU_ID_FROM_COMPANY_WEBSITE.crt] -out [NEW_CERT_PICK_YOUR_NAME.pem]

3. Link it to the Citrix directory and rehash:

sudo ln -s NEW_CERT /opt/Citrix/ICAClient/keystore/cacerts/
cd /opt/Citrix/ICAClient/util
sudo ./ctx_rehash

If the CA is not a known and trusted one present in the /usr/share/ca-certificates/mozilla directory mentioned above:

  1. Download it using your browser's security info on the site

  2. Convert it to PEM Move it, and rehash: Step 3 above.

Left the crossed out text for anyone needing those instructions for whatever reason but I recently tested just moving the CRT to the directory and the rehash utility will convert as needed.


some users (like me) might find that even after linking Firefox to the cacerts folder the error persists.

That appears to be because Citrix does not supply all of the latest certificates.

The solution appears to be to note the certificate said to be "not trusted" (eg "Verisign Class 3 Public Primary Certification Authority - G5") then export it from Firefox (under the Preferences menu then Certificates) to */ICAClient/keystore/cacerts.

Worked for me. Hope this helps.