Help with root certificate from my PKI?


Hello everybody, could someone help me with the topic of a root certificate from my PKI?

Hi Giuseppe, sure, but I'm on the road actually. Would you be so kind to describe your issue or request?


I have added my root certificate from my PKI to the thin clients.

As it is written in this manual:

boschert-consulting.com/igel-thinclient-citrix-storefront-installation-root-zertifikat/

And via a terminal session I see the certificate on the thin client. But when my thin client starts, I have configured via my profile (session->appliance mode) that it opens the Citrix Storefront. My issue is that I get Firefox telling me that the certificate of the Citrix Storefront (an SSL certificate also from my PKI) is not valid.


Please forget this document (it was helpful but doesn't reflect the actual way). Delete your certificate under Files. Then, check the certificate: open the certificate with Notepad, and if you see Begin Certificate at the beginning and End Certificate at the end, it should work. If not, export your certificate as BASE64 type. Re-upload the certificate through Files and choose: common purpose, and reassign it. Let us know if it worked.


Same issue 😞


Then, remove the appliance mode and use a browser session instead that points to your Storefront. Then check with the SSL Symbol left of your navigation tab for missing SSL Chain through the certificate details. What happens when you start a Firefox Session on your workstation? Same issue? Manually imported certificates available?


Same issue; it seems like it could not find the root CA certificate.


Then: are you sure that it is the right one?

Through a new profile: Accessories => Terminal => Blue Star => Save Profile and assign it to your endpoint. Locally open the terminal and log in as root:

To show different information for a certificate:

openssl x509 -in /wfs/ca-certs/tc_ca.crt -noout -text

openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -issuer

openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -subject

openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -issuer -subject

To verify the root certificate against the site:

openssl s_client -connect storefront.test.ca:443 -CApath /etc/ssl/certs

Test all certs together for chain:

openssl verify -verbose -purpose sslserver -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

Test all certs together for chain if no intermediate CA is present:

openssl verify -verbose -purpose sslserver -CAfile RootCert.pem UserCert.pem


I have the exact same problem after upgrading from 5.10 to either 5.12 or 5.13. The /wfs/ca-certs folder is removed, or not re-created by the profile after upgrade, so the certificates are not installed on the IGEL. This does not happen to all our IGELs, only say 25%. Manually creating that folder and SCP'ing the certs on does not fix it. We found the workaround to be: upgrade to the latest desired FW, perform a remote factory reset, re-add to UMS, re-apply profiles. It is causing us big problems when upgrading 500 devices to have so many (25%) with this problem. We have engaged support and are actively working with them right now. We use XenDesktop appliance mode with Storefront as you do.


OK, I didn't know about this issue at all. Would you mind sending me the ITRS ticket number as a PM?


Early stages of the support call but will PM you the ticket now. Thanks.


Got it, will have a look into it asap. Thanks!!
