Hello everybody, could someone help me with the topic of the root certificate from my PKI?
Hi Giuseppe, sure, but I’m on the road actually. Would you be so kind as to describe your issue or request?
I have added my root certificate from my PKI on the thin clients.
As it is written in this manual:
And via a terminal session I see the certificate on the thin client. But I have configured via my profile (session->appliance mode) that when my thin client starts, it opens the Citrix StoreFront. My issue is that I get Firefox telling me that the certificate of Citrix StoreFront (SSL certificate also from my PKI) is not valid.
Please forget this document (it was helpful but doesn’t reflect the actual way). Delete your certificate under Files. Then, check the certificate: open the certificate with Notepad, and if you see Begin Certificate at the beginning and End Certificate at the end, it should work. If not, export your certificate as BASE64 type. Re-upload the certificate through Files and choose: common purpose, and reassign it. Let us know if it worked.
Same issue 😞
Then, remove the appliance mode and use a browser session instead that points to your Storefront. Then check with the SSL Symbol left of your navigation tab for missing SSL Chain through the certificate details. What happens when you start a Firefox Session on your workstation? Same issue? Manually imported certificates available?
Same issue, it seems like it could not find the root CA certificate.
Then: are you sure that it is the right one?
Through a new profile: Accessories => Terminal => Blue Star => Save Profile and assign it to your endpoint. Locally open the terminal and log in as root:
To show different information for a certificate:
openssl x509 -in /wfs/ca-certs/tc_ca.crt -noout -text
openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -issuer
openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -subject
openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -issuer -subject
To verify the root certificate against the site:
openssl s_client -connect storefront.test.ca:443 -CApath /etc/ssl/certs
Test all certs together for the chain:
openssl verify -verbose -purpose sslserver -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
Test all certs together for the chain if no intermediate CA is present:
openssl verify -verbose -purpose sslserver -CAfile RootCert.pem UserCert.pem
I have the exact same problem after upgrading from 5.10 to either 5.12 or 5.13. The /wfs/ca-certs folder is removed, or not re-created by the profile after upgrade, so the certificates are not installed on the IGEL. This does not happen to all our IGELs, only say 25%. Manually creating that folder and SCP’ing the certs on does not fix it. We found the workaround to be: upgrade to the latest desired FW, perform a remote factory reset, re-add to UMS, re-apply profiles. It is causing us big problems when upgrading 500 devices to have so many (25%) with this problem. We have engaged support and are actively working with them right now. We use XenDesktop appliance mode with StoreFront as you do.
Ok, I didn’t know about this issue at all, would you mind sending me the ITRS ticket number as a PM?
Early stages of the support call but will PM you the ticket now. Thanks.
Got it, will have a look into it asap. Thanks!!