Citrix Receiver: You have not chosen to trust “COMODO High-Assurance Secure Server CA”, the issuer of the server’s certificate

Recently I started using a MacBook to replace my Windows laptop. Since I work as a technical consultant with Citrix products, I frequently connect to a Citrix XenApp / XenDesktop environment, among others our lab.

While the installation was straightforward (just go to receiver.citrix.com and click on Download Receiver for Mac), I quickly faced a dialog telling me I haven’t chosen to trust the CA certificate, with no option to solve this…


What I find interesting is that neither Safari nor Chrome complained about the trust. This most likely has to do with the way the certificates are chained. Where the browsers “see” the entire chain (AddTrust External CA Root >> COMODO High-Assurance Secure Server CA >> <server certificate>), the Citrix Receiver only sees the server certificate and expects the signing certificate in the keychain.
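To see which certificates a server actually sends in the TLS handshake, and therefore which issuer the client has to find in its own keychain, the following added example (not part of the original post) summarises the output of openssl s_client -showcerts. The host name and the shortened subject names in the two samples are constructed.

```shell
#!/bin/sh
# Added example. Feed it the output of:
#   openssl s_client -connect HOST:443 -showcerts </dev/null
# It prints how many certificates the server sent and the issuer that the
# client must already hold in its own store to finish the chain.
chain_summary() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---$/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    in_chain && /^ *i:/         { sub(/^ *i:/, ""); iss[n] = $0 }
    END {
      if (n == 0) { print "no certificate chain found"; exit 2 }
      print "sent: " n
      # Each certificate should be followed by the one that issued it.
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1])
          print "gap after certificate " (k - 1)
      print "client must already have: " iss[n]
    }'
}

# Constructed sample (shortened DNs, made-up host): only the server
# certificate is sent, so the intermediate must exist on the client.
sample_leaf_only() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=storefront.example.com
   i:/CN=COMODO High-Assurance Secure Server CA
---
Server certificate
EOF
}

# Constructed sample: the intermediate is sent too, only the root is left.
sample_with_intermediate() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=storefront.example.com
   i:/CN=COMODO High-Assurance Secure Server CA
 1 s:/CN=COMODO High-Assurance Secure Server CA
   i:/CN=AddTrust External CA Root
---
Server certificate
EOF
}

sample_leaf_only | chain_summary
sample_with_intermediate | chain_summary
```

If the name printed on the last line is an intermediate CA rather than a root, the server is leaving a gap that the client has to fill from its own keychain.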

The solution is as easy as it sounds: just add the signing certificate to the Keychain.

Export the certificate

First we need to get our hands on the certificate of the signing party (in this case the COMODO certificate). One way of retrieving the root / intermediate certificate is to download it from the signing party; COMODO provides a download portal containing all their root / intermediate certificates (link).


But not all certificates are easy to find, and some are not available at all (for instance when the CA is hosted by your company or a third party). Fortunately you can easily export it via Safari. It’s just not that obvious when you’re a stubborn Windows user like me.

  • In Safari, browse to a website signed with the same certificate (most likely Citrix StoreFront)
  • Click on the https lock icon to open the certificate
  • Click on Show Certificate
  • Select the signing certificate (COMODO High-Assurance…), click on the certificate icon (!), drag it to a Finder window (Finder is the OS X equivalent of Windows Explorer) and drop it in a folder
  • That’s it, you just exported the certificate to a .cer file

Import the certificate

Now that you’ve got the certificate file you can import it into the Keychain. Just like exporting, once you know how it’s done it’s easier than brushing your teeth.

Option 1 – In five steps
  • Open Keychain Access (tip: press ⌘ + space to open Spotlight)
  • Click on the lock icon (top left) to unlock Keychain Access, select the keychain Login and category Certificates
  • Select File >> Import Items (or ⇧ + ⌘ + I)
  • Select the certificate file you exported in the previous step and select the keychain login
  • That’s it!

Option 2 – In one step

Even easier is to double-click on the certificate file. This will open the Add Certificates dialog where you can select the keychain (login); all you then have to do is click on Add.

14 Comments

  1. Could it be that the linking on the NetScaler Gateway is not set up correctly? I also work with the MacBook or with my Windows machine myself, and I have seen this problem there before.

    1. Hi Henry,

      Yes, that is quite possible. However, the Windows client has problems with this. Because as a user you are not in a position to change this on the NetScaler, it is nice to be able to solve this with a workaround 😉

      Ingmar

  2. Thanks so much for this! I just got my citrix up and running.
    However, various processes on my Mac keep asking to use the keychain (like Mail, Calendar, etc…). Is there a way to disable those apps from asking permission to use this?

  3. Thank you. Finally I can log into Citrix Receiver on my Mac. This resolved the certificate error.

  4. I am still getting the error message, even though I have tried all steps several times over. I am running Safari 8.0.3 (no luck in Chrome vers. 40.0.2214.115 (64-bit) either) on an OS X 10.10.2 2012 MacBook. The Citrix Receiver is vers. 11.6.0

    I hope that you can help me 🙂

  5. I have imported the certificate, and approved it, but when I start my Citrix client it keeps telling me I have chosen not to trust it. When I look in my keychain it is approved. I have rebooted my Mac, still the same problem. I use Mac OS 10.10.2 and Citrix client 11.9.

  6. I have exactly the same issue as Peter Jacobsen.
    I’ve trusted the certificate into the Keychain but the error is still there…

  7. Same goes for me. Certificate is approved in keychain but citrix keeps repeating the error message. Who provides the solution?

  8. I too got the message: You have not chosen to trust “COMODO High-Assurance Secure Server CA”, the issuer of the server’s certificate. After carrying out the steps above, I keep getting this message. Is there another option to solve this?

  9. I solved it as follows.

    Two things were needed:

    1. Update of Citrix Receiver to version 1.8.2 (this is not the default download version)
    http://www.citrix.com/downloads/xenapp/receivers/receiver-for-mac-1182.html?_ga=1.100163095.827685940.1447637312

    2. The Comodo RSA certificate is not the lowest level; AddTrust also had to be added and accepted. That cannot be seen via the browser, but it can via external analysis.
    I found that out via: https://www.ssllabs.com/ssltest/

    The certificate with the lowest number in the list is the root certificate. This could not be seen via Safari, but it could via SSL Labs. After I had added it, I was able to log in.

  10. Ingmar,

    Thanks very much. This helped after upgrading Citrix receiver to be compatible with Mac OS Sierra.
    Especially the link to the Comodo site to grab the newest certificates.

    Great thanks!

    Florian
