My ICG is using a wildcard certificate from GlobalSign. Last week, GlobalSign revoked the intermediate certificate to which our wildcard cert belongs. To my amazement, clients remained connected to the ICG, could still receive profile updates etc. and be shadowed, even after restarting the ICG and UMS servers. I think this is something that needs to be investigated; I think if a cert in the chain is revoked, the clients should no longer accept connecting to the ICG.
I had to re-issue the certificate, so I uploaded the new intermediate and new wildcard to the UMS. The root CA is still the same, but I can't seem to update the ICG.
What are my options?
Hi, good point, I don’t think a revoked certificate will impact here. I will discuss that with our Security team.
Assuming you are speaking about actual ICG / UMS / IgelOS:
Thanks for the link! It looks like the wizard doesn’t support wildcard certificates.
There is a big misunderstanding: the fingerprint is always based on the root cert; it's never based on the intermediate or entity.
If you only add a new intermediate or a new end entity, that makes no difference for the ICG connection.
You can easily check this:
Click the following button in the UMS
Have a look into the certificate and check the fingerprint:
Compare that fingerprint with the fingerprint on your ICG – and surprise – it's the same:
@member The problem with the wildcard is that your whole certificate row needs to accept wildcards, not only the last cert.
First of all, thanks for the explanation, but I don’t fully understand. If the root certificate is all that matters for a successful client to ICG connection, what purpose is left for the entity (in our case wildcard) certificate?
The end entity is used so that the server part of the certificate trusts the root CA.
So for a wildcard cert you need a SAN certificate instead of a CN certificate for “only” a name.
Thanks for the explanation.
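The fingerprint comparison described in the thread can also be done offline on the PEM chain files. The following is an added example, not code from the thread or from IGEL: it fingerprints every certificate in a bundle and reports which chain positions changed after a re-issue. Assumptions: the function names are hypothetical, the digest algorithm shown in the UMS dialog is not stated on the page (so it is a parameter), and the "certificates" are constructed stand-in bytes rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(bundle, algo="sha256"):
    """Return one colon-separated fingerprint per certificate in a PEM
    bundle, in file order (conventionally leaf first, root last)."""
    prints = []
    for body in PEM_RE.findall(bundle):
        # A fingerprint is the digest of the certificate's raw DER bytes.
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.new(algo, der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2]
                               for i in range(0, len(digest), 2)))
    return prints

def compare_chains(old_bundle, new_bundle, algo="sha256"):
    """Label each chain position 'same' or 'changed' between two bundles."""
    old = pem_fingerprints(old_bundle, algo)
    new = pem_fingerprints(new_bundle, algo)
    if len(old) != len(new):
        raise ValueError("chains have different lengths; compare manually")
    return ["same" if a == b else "changed" for a, b in zip(old, new)]

def _stand_in_pem(payload):
    # Constructed sample input: arbitrary bytes wrapped in PEM armor.
    # Replace with the contents of your real chain files.
    b64 = base64.b64encode(payload).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 +
            "\n-----END CERTIFICATE-----\n")

ROOT = _stand_in_pem(b"constructed root CA bytes")
OLD_CHAIN = (_stand_in_pem(b"old wildcard leaf") +
             _stand_in_pem(b"old revoked intermediate") + ROOT)
NEW_CHAIN = (_stand_in_pem(b"re-issued wildcard leaf") +
             _stand_in_pem(b"new intermediate") + ROOT)

if __name__ == "__main__":
    positions = ("leaf", "intermediate", "root")
    for pos, state in zip(positions, compare_chains(OLD_CHAIN, NEW_CHAIN)):
        print(pos, state)
    print("root fingerprint:", pem_fingerprints(NEW_CHAIN)[-1])
```

If the root position reports "same", the fingerprint the thread says the ICG connection is based on has not changed, even though the leaf and intermediate were re-issued.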