Jump to content

Citrix SSL 61 Error help

Waylander

By Waylander
in Technology Corner

 Share

Recommended Posts

Waylander Newbie

Waylander

Posted
Posted

Okay bit of a nerd-fest this.

I tried installing the Citrix client on my home pc from the Trust portal to allow broadband access to work from home [for on call etc].

When I typed in the portal addy in IE7 I got the message that there is a problem with Website security [certificate not issued by a trusted authority].

It gives the option to continue anyway, but not to access/trust the certificate.

I get as fas as the last stage but when I try to run the app i get the SSL61 error: you have chosen not to trust this site's certificates.

At the top in the car in IE7 it says in red "certificate error" and I right-click to install thinking that would fix it but no joy.

did a google and it is not uncommon but all fixes seem rather cloak in dagger....

btw the same problem if I install from FF.

Link to comment
Share on other sites
shark_90 Newbie

shark_90

Posted
Posted

Go to the portal, click "Continue to this website (not recommended)" which will take you to the portal. Once in there, open the View menu and click Security Report. It will then bring a box up about it being an untrusted certificate, click view certificate at the bottom of this box. Then click the Install Certificate box in the Certificate window. Follow the prompts and you should be ok 169144-ok.gif

By the way, you're not supposed to be able to get in by using Citrix wink.gif

Link to comment
Share on other sites
shark_90 Newbie

shark_90

Posted
Posted

[ QUOTE ]

Go to the portal, click "Continue to this website (not recommended)" which will take you to the portal. Once in there, open the View menu and click Security Report. It will then bring a box up about it being an untrusted certificate, click view certificate at the bottom of this box. Then click the Install Certificate box in the Certificate window. Follow the prompts and you should be ok 169144-ok.gif

By the way, you're not supposed to be allowed to get in by using Citrix wink.gif

[/ QUOTE ]

Link to comment
Share on other sites
Mac Apprentice

Mac

Posted
Posted

Shark, I'm not so sure that will work. If they're running through an SSL edge box it'll either be CSG (Citrix Secure Gateway) or one of Citrix' Access Gateways. Either will want a fully trusted source certificate.

It's not enough to say you trust the cert as you need *both* parts of the certificate. It all depends on the type of certificate in use and how they've locked down (or not) the CSG/CAG units.

If they've used a private certificate then generally there will be an associated root certificate published by their own Cert Authority - in that case you need to install the associated root certificate for the authority. What's more, you need to install it to the right place.

The default windows install place puts it in the wrong place in the Cert store.

As a side note Waylander, if what Shark has suggest doesn't work, PM me the website address and I'll tell you exactly which certificate you have, who it's trusted source is, and what you need to trust it 169144-ok.gif

Link to comment
Share on other sites
Waylander Newbie

Waylander

Posted
  • Author
Posted

[ QUOTE ]

Go to the portal, click "Continue to this website (not recommended)" which will take you to the portal. Once in there, open the View menu and click Security Report. It will then bring a box up about it being an untrusted certificate, click view certificate at the bottom of this box. Then click the Install Certificate box in the Certificate window. Follow the prompts and you should be ok 169144-ok.gif

By the way, you're not supposed to be able to get in by using Citrix wink.gif

[/ QUOTE ]

Actually I tried that. I get to this stage and can view the certificate but when I try to install via this method it asks me for a location and opens a dialogue box looking at "my documents". I get stumped at this stage!

I did a whole screen capture of everything I did for our IT folk and it is the last stage that loses me

Link to comment
Share on other sites
Mac Apprentice

Mac

Posted
Posted

You sent me the wrong URL tongue.gif

your issue is the cert they're using is a privately issued one - I'll PM you the details.

Essentially you need the associate ROOT certificate from their Certification Authority.

If they don't know what you're talking about tell them to:

https://certificationrootserver/certsrv

... and get them to download and the root certificate.

My guess is they're only used to people coming in on that system when the machine they're coming in from is part of their domain. You'll trust ROOT certificates from the same domain you're a member of, see?

So essentially you need to the ROOT component from the source certificate I'm about to send you 169144-ok.gif

Seeing as you've published the details:

Pic removed as too frickin big.

The SSL certificate in use is published by the organisation 'Sexual Deviants Ltd.'.

On the 'Sexual Deviant' network they'll have a certificate authority - probably Windows by the look of it. You need them to export the ROOT certificate and send it to you. You need to import to it Trusted Root Certificate Store . NOT the default store that it offers you. I need to double check that store name as I'm not on a Windows machine right now.

In the Citrix egde world you're not so much ensuring the validity of the end point you're connecting to you're more using the SSL cert to encrypt the traffic between the client and the edge server - this tends to be why people use self issued certs.

Personally though when you can pick up publically signed certs from people like GoDaddy for 30US$ I can't imagine it's worth the time effort or support effort it goes into using privately signed certificates when there's a possibility that the clients accessing the site are not part of your corporate domain.

Link to comment
Share on other sites
Mac Apprentice

Mac

Posted
Posted

[ QUOTE ]

I was going to say they shouldn't be cheapskates and use a proper certificate,

[/ QUOTE ]

Couldn't agree more - we get this constantly in public sector companies. They save less than 100US$ on the bottom line but ending spending 10 times on support time smashfreakB.gif

Link to comment
Share on other sites
scooby_simon Newbie

scooby_simon

Posted
Posted

[ QUOTE ]

Mac I am going to ask a Mod if he will remove the attachments as I didnt have time when I posted them up to remove the employer identifier. Could you please also edit it out of your post? Thanks 169144-ok.gif

I'll pretend I know what you're talking about in the last bit tongue.gif

[/ QUOTE ]

Hopefully I deleted the right attachements..... UHOH7.GIF

Link to comment
Share on other sites
Mac Apprentice

Mac

Posted
Posted

[ QUOTE ]

Thanks Mac. I think I follow you and have found the store location by clicking on certmgr in system32.

[/ QUOTE ]

You may have but you still don't have the root bit 169144-ok.gif

If they're not sure what you mean get them to drop me an email will explain in more detai 169144-ok.gif

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...