
You have not chosen to trust “GeoTrust SSL CA”, the issuer of the server’s security certificate

4 May, 2015

Over the course of the last 10 years I have regularly been taking jobs in the business process management arena. One of my oldest customers still hires me from time to time for maintenance on one of their Windows-based systems. As a Mac user I connect to their data center through their Citrix-based remote desktop proxy. Unfortunately the Citrix Receiver for Mac threw the following error message at me when connecting: “You have not chosen to trust ‘GeoTrust SSL CA’, the issuer of the server’s security certificate” and then bailed out on the connection altogether. The problem persisted with another Citrix installation at a different customer who uses Verisign certificates.

In the past as a work-around I have always launched a VirtualBox Win7 VM in order to connect, so basically it was a nightmare of virtualisation layers! So today I figured I finally wanted to fix the problem. Unfortunately the web and also excellent books on the topic provided only the same solutions I had already found ages ago on my last tries:

Citrix on Mac: A Fix for SSL Error 61

Citrix GeoTrust error on Macintosh

Citrix ICA Client: SSL Error 61: You have not chosen to trust “VeriSign blah blah”, the issuer to the server’s security certificate

None of the above worked for me, so I wanted to finally come up with a foolproof solution to the problem which also worked in my case.

I started off by figuring out why the connection seemed to work on Windows machines and only failed on my Mac. It turns out that the Mac was not able to fetch an intermediate SSL certificate from the certificate chain, which was certainly possible on Windows. In my case it was “GeoTrust SSL CA”: when I opened Keychain Access on the Mac and searched for the certificate, it turned out it was not installed. All the root certificates from GeoTrust were there, but this specific one was not available. So I looked up the SSL store in the Internet options on my Windows virtual machine, and it turns out that the “GeoTrust SSL CA” was installed in the “Intermediate Certificates” section.

I tried to export the “GeoTrust SSL CA” on Windows and import it into the system keychain on my Mac and voilà! Suddenly Citrix Receiver on the Mac was able to connect without any problems. Here are the steps you need to follow in order to make it work:

(1) Log in to a Windows installation and use Internet Explorer to browse to the Citrix connection URL. This will force your Windows system to evaluate the SSL certificate chain used by the site and install any missing intermediate certificates into the Windows certificate store.

(2) Open Internet Options from Internet Explorer or through System Preferences on your Windows machine, go to the “Contents” tab and click “Certificates”, then select the “Intermediate Certificates” tab in the following dialog window. Look for the intermediate certificate Citrix Receiver is complaining about (in my case it was “GeoTrust SSL CA”). Highlight and export the certificate (just use the default settings in the export wizard). Sorry, the screenshot is in German; however, you will get the idea.

(3) Copy the certificate file to your Mac and double-click it. Keychain Access will open to install the certificate (stick with the defaults here as well). Enter your password if your Mac asks you for access to the system keychain.

After that access to your Citrix system should work. Unfortunately you will need to repeat this process for every failing certificate chain.
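To find out which certificate a given Citrix gateway expects your Mac to already have, you can look at the chain the server actually sends. The script below is an added example, not part of the original post: it reads the "Certificate chain" section printed by `openssl s_client -showcerts` and lists every issuer the server did not supply itself. The host name, the shortened DNs and the root name in the samples are constructed.

```shell
#!/bin/sh
# Print every issuer DN from an `openssl s_client -showcerts` chain listing
# (read on stdin) that the server did not also send as a subject.
# Each printed issuer must already exist in the client's own store.
unsent_issuers() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subject[$0] = 1; next }
        /^ *i:/        { sub(/^ *i:/, ""); issuer[++n] = $0 }
        END {
            for (k = 1; k <= n; k++)
                if (!(issuer[k] in subject) && !(issuer[k] in seen)) {
                    seen[issuer[k]] = 1
                    print issuer[k]
                }
        }'
}

# Constructed sample: the server sends only its own certificate, so the
# client must already hold the intermediate (the situation in this post).
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=citrix.example.com
   i:/CN=GeoTrust SSL CA
---
EOF
}

# Constructed sample: the server also sends the intermediate, so only the
# root (name made up here) has to come from the local store.
sample_with_intermediate() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=citrix.example.com
   i:/CN=GeoTrust SSL CA
 1 s:/CN=GeoTrust SSL CA
   i:/CN=Constructed Root CA
---
EOF
}

echo "leaf only:         $(sample_leaf_only | unsent_issuers)"
echo "with intermediate: $(sample_with_intermediate | unsent_issuers)"

# Against a real gateway (replace HOST with your Citrix host name):
#   openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null | unsent_issuers
# Then check on the Mac whether a reported issuer is installed, e.g.:
#   security find-certificate -a -c "GeoTrust SSL CA" /Library/Keychains/System.keychain
```

If the only issuer reported is a root that Keychain Access already lists, the chain is complete and the cause lies elsewhere; if it is an intermediate such as “GeoTrust SSL CA”, that is the certificate to export and import as described in the steps above.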

If you are interested in a more general book on Citrix infrastructures I can recommend: Mastering Citrix XenDesktop by Govardhan Gunnala and Daniele Tosatto.


2 Responses

  1. Justin says:

    Great solution, worked on 1st attempt. Thought I had every certificate possible from repository but must have been missing that elusive intermediate which the Windows machine had. Thanks!

    • matthias says:

      Great to hear that! However, Citrix is the real culprit here. Actually we Mac users should not have to take these lengthy stretches just to get something simple like a remote desktop working. I still hope they fix it soon.
