How to solve Citrix Workspace SSL error (You have not chosen to trust...) caused by missing Root CA certificates

Written by Claudio Kuenzler - 0 comments

Published on December 19th 2022 - last updated on December 20th 2022 - Listed in Linux SSL TLS Security Virtualization

---

When configuring Citrix Workspace (formerly known as Citrix Receiver) on a Linux machine (maybe on other OS as well), there could be SSL errors when the client is connecting to the Citrix Gateway - depending on what kind of certificate/certificate chain was deployed on the domain.

CA Certificates are handled differently in Citrix

Although (most) Linux distributions have a dedicated package (ca-certificates) reserved for the most common (Root) CA certificates, Citrix does not make use of these certificates, located under /etc/ssl/certs. Instead of using this common path, Citrix sets up its own directory for trusted certificates under /opt/Citrix/ICAClient/keystore/cacerts/.

By default, this directory only contains a couple of certificates, by far not enough to cover most of the issuer certificates.

In general I recommend to make use of the ca-certificates installed by Mozilla Firefox, which represents an updated CA certificate database of 99% of known and approved certificate issuers. This can be done by creating a symlink of all Mozilla installed ca-certificates into /opt/Citrix/ICAClient/keystore/cacerts/:

ck@mint:~$ sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

This will allow Citrix to handle much more CA certificates than before.

Verifying the certificate chain

If the SSL error still shows up when trying to connect with Citrix Workspace client, you need to do some deeper digging. First verify the certificate and certificate chain on the domain pointing to your remote Citrix Gateway (server).

To list the full certificate chain sent by the server, you can use the following openssl command:

ck@mint:~$ openssl s_client -connect citrix.example.com:443 -showcerts 2>&1 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 CN = citrix.example.com
verify return:1
---
[...]

At the begin of the output, we can already see the certificate chain, where each certificate in the chain is represented as a different "depth". The top of the chain, here "depth 2", is the CA certificate "USERTrust RSA Certification Authority". This is the top (Root CA) which issued the intermediate certificate (ICA) from Gandi "Gandi Standard SSL CA 2". The Gandi ICA finally is the issuer of the server certificate "citrix.example.com".

Note: To find out more about SSL/TLS certificate chains and how to monitor them, check out this related blog article.

The rest of the output also shows each certificate, sent by the server.

Manually saving the Root CA

From the openssl output above, copy the last (Root CA) certificate (starting with -----BEGIN CERTIFICATE----- down till and including -----END CERTIFICATE-----) and save it. In this case the Root CA certificate is named "USERTrust RSA Certification Authority", I am saving this accordingly under /opt/Citrix/ICAClient/keystore/cacerts:

ck@mint:~$ ls -la /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.pem
-rw-r--r-- 1 root root 2094 Nov 14 14:51 /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.pem

Right after saving this Root CA inside the Ctrix cacerts directory, Citrix Workspace was able to connect to the Citrix Gateway.

Watch out: Citrix needs .pem suffix!

The "USERTrust RSA Certification Authority" is a very widely used Root CA. I was actually quite surprised why this wouldn't be part of the Mozilla Firefox installed ca-certificates. As they were all symlinked into the Citrix cacerts directory, this should have worked out of the box - without manual saving/creation of this Root CA.

A closer look at the symlinked certificates matching the name "USERTrust" reveals that this Root CA certificate is indeed already installed!

ck@mint:~$ ls -la /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_*
lrwxrwxrwx 1 root root   76 Nov  3  2021 /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_ECC_Certification_Authority.crt -> /usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
lrwxrwxrwx 1 root root   76 Nov  3  2021 /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.crt -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
-rw-r--r-- 1 root root 2094 Nov 14 14:51 /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.pem

We can see two USERTrust certificates (ECC and RSA) symlinked to the Mozilla (Firefox) certificates. And we can also see the manually created USERTrust_RSA_Certification_Authority.pem.

Is there a difference between the already existing USERTrust_RSA_Certification_Authority.crt and manually created USERTrust_RSA_Certification_Authority.pem? Let's check the SSL Modulus of these certificates:

ck@mint:~$ openssl x509 -noout -modulus -in /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.pem
Modulus=80126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1D[...]

ck@mint:~$ openssl x509 -noout -modulus -in /opt/Citrix/ICAClient/keystore/cacerts/USERTrust_RSA_Certification_Authority.crt
Modulus=80126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1D[...]

It's the exact same certificate - with one exception: The one manually created has a .pem suffix, the one installed through a package has a .crt suffix.

It seems that Citrix Workspace only loads certificates with a .pem extension. Stupid but important thing to note!

Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.