I’m working with a new customer and while I was waiting for a certificate, I created a CA in windows and created my own certificates to do some preliminary testing. I added my CA cert, is both DER and BASE64, to my thin clients in UMS and keep getting the AM_ERROR_HTTP_SERVER_CERTIFICATE_NOT_TRUSTED when attempting to connect to my desktop via Citrix StoreFront. My CA certs are located in /wfs/ca-certs/. Is there anything else I could be missing?
Are they uploaded as certificates, to files? If not, can you delete the certs from UMS, reupload and choose common certificate?
If that doesn‘t work, can you jump into a terminal and check your certificates with openssl:
Through a new profile: Accessories=>Terminal => Blue Star => Save Profile and assign it to your endpoint. Locally open the terminal and login as root:
To show different information for a certificate
openssl x509 -in /wfs/ca-certs/tc_ca.crt -noout -text
openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -issuer
openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -subject
openssl x509 -in /wfs/ca-certs/tc_cat.crt -noout -issuer -subject
To verify root certificate against site
openssl s_client -connect storefront.test.ca:443 storefront.test.ca:443 -CApath /etc/ssl/certs
Test all certs together for chain.
openssl verify -verbose -purpose sslserver -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
Test all certs together for chain if no intermediate Ca is present:
openssl verify -verbose -purpose sslserver -CAfile RootCert.pem -untrusted UserCert.pem
I just uploaded the cert to ‘files’, then applied the file to the container with the thin clients.
I uploaded them to UMS as certs but Undefined. I also targeted the directory /wfs/ca-certs/certname.cer. I typically do it how Barry stated in his reply.
Can you please retry as common certificate like described before?
Ok I added them as Common Certificate and i’m still getting the same error. I will try the other steps you suggested
Thanks! Ok, keep my fingers crossed.
So I ran the command to verify the ca root vs the site and it get an error 9, verify error:num=9:certificate is not yet valid
notBefore=Sep 12 12:21:00 2019 GMT
So is this my problem? GMT time is 652pm right now. So it should be valid.
How about local NTP Time server and actual time? Is everything set and working properly?
Same time on CA and endpoint?
that’s my problem, this vlan these igels are in aren’t able to pull NTP from the internet.
And local NTP available? From the DC maybe? Changing Timezone maybe?
let me try that.
That was it, Sebastian, as always, thank you so much!
You are welcome! Happy to help!!
Continue reading and comment on the thread ‘Receive error “AM_ERROR_HTTP_SERVER_CERTIFICATE_NOT_TRUSTED” when attempting to connect to my desktop via Citrix StoreFront via IGEL OS’. Not a member? Join Here!
Learn more, search the IGEL Knowledge Base
Ask a question or comment on the above message thread?
Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.Submit a question, or Join Today!