Recently I started using a MacBook to replace my Windows laptop. Since I work as a technical consultant with Citrix products I frequently connect to a Citrix XenApp / XenDesktop environment, amongst other to our lab.
While the installation was straightforward (just go to receiver.citrix.com and click on Download Reveiver for Mac) I quickly faced a dialog telling me I haven’t chosen to trust the CA certificate with no option to solve this…
What I find interesting is that both Safari / Chrome didn’t complain about the trust. This most likely has to do with the way the certificates are chained. Where the browsers “see” the entire chain (AddTrust External CA Root >> COMODO High-Assurance Secure Server CA >> <server certificate>) the Citrix Receiver only sees the server certificates and expects the signing certificate in the keychain.
The solution is as easy as it sounds, just add the signing certificate to the Keychain.
Export the certificate
First we need to get our hands on the certificate of the signing party (in this case the COMODO certificate). One way of retrieving the root / intermediate certificate is by downloading it from the signing part, COMODO provides a download portal containing all their root / intermediate certificates (link).
But not all certificates are easy to find or not available at all (for instance when the CA is hosted by your company or a third party). Fortunately you can easily export it via Safari. It just not that obvious when you’re a stubborn-Windows-user like me.
- In Safari browse to a website signed with the same certificate (most likely Citrix Storefront)
- Click on the https lock icon to open the certificate
- Click on Show Certificate
- Select the signing certificate (COMODO High-Assurance…) , click on the certifcate icon (!) and drag it to a Finder (the OSX equivalent of Windows Explorer) and drop it in a folder
- That’s it, you just exported the certificate to a .cer file
Import the certificate
Now you’ve got the certificate file you can import it in the Keychain. Just like exporting, once you know how it’s done it’s easier then brushing your teeth.
Option 1 – In five steps
- Open Keychain Access Tip: Press ⌘ + space to open Spotlight
- Click on the lock icon (top left) to unlock Keychain Access, select the keychain Login and category Certificates
- Select File >> Import items (or ⇧ + ⌘ + I)
- Select the certificate file you exported in the previous step and select the Keychain login
- That’s it!
Option 2 – In one step