Citrix Receiver: You have not chosen to trust “COMODO High-Assurance Secure Server CA”, the issuer of the server’s certificate

Written by Ingmar Verheij on January 24th, 2014. Posted in Citrix

Recently I started using a MacBook to replace my Windows laptop. Since I work as a technical consultant with Citrix products, I frequently connect to a Citrix XenApp / XenDesktop environment, among others our lab.

While the installation was straightforward (just go to receiver.citrix.com and click on Download Receiver for Mac), I quickly faced a dialog telling me I haven’t chosen to trust the CA certificate, with no option to solve this…

What I find interesting is that neither Safari nor Chrome complained about the trust. This most likely has to do with the way the certificates are chained. Where the browsers “see” the entire chain (AddTrust External CA Root >> COMODO High-Assurance Secure Server CA >> <server certificate>), the Citrix Receiver only sees the server certificate and expects the signing certificate in the keychain.

The solution is as easy as it sounds: just add the signing certificate to the Keychain.
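
The effect of a missing intermediate or root on chain validation can be reproduced offline with OpenSSL. This is an added example, not part of the original post: it builds a constructed three-level chain (hypothetical names, files in a temporary directory) and uses OpenSSL's verifier as a stand-in, which may not behave exactly like Citrix Receiver.

```bash
#!/usr/bin/env bash
# Constructed chain: Example Root CA -> Example Intermediate CA -> server certificate.
# All names and files are made up for this demo; nothing touches the real keychain.
set -eu

issue() {  # issue <dir> <name> <subject CN> <extra "openssl x509 -req" arguments...>
  local d=$1 name=$2 cn=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  openssl x509 -req -in "$d/$name.csr" -days 2 -out "$d/$name.pem" "$@" 2>/dev/null
}

make_chain() {  # make_chain <dir>: writes root.pem, int.pem and srv.pem into <dir>
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  issue "$d" root "Example Root CA" -signkey "$d/root.key" -extfile "$d/ca.ext"
  issue "$d" int "Example Intermediate CA" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext"
  issue "$d" srv "storefront.example.test" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
  cat "$d/root.pem" "$d/int.pem" > "$d/root_and_int.pem"
}

check() {  # check <openssl verify arguments...>: prints "trusted" or "untrusted"
  if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo trusted; else echo untrusted; fi
}

demo() {
  local d; d=$(mktemp -d)
  make_chain "$d"
  # -CAfile = what the client trusts; -untrusted = extra certificates the server sends
  echo "root trusted, server sends leaf only:    $(check -CAfile "$d/root.pem" "$d/srv.pem")"
  echo "root trusted, server sends intermediate: $(check -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/srv.pem")"
  echo "root + intermediate trusted, leaf only:  $(check -CAfile "$d/root_and_int.pem" "$d/srv.pem")"
  echo "intermediate trusted, root missing:      $(check -CAfile "$d/int.pem" "$d/srv.pem")"
  # For a real certificate, compare this fingerprint with the value the CA publishes
  # before adding the file to a trust store.
  openssl x509 -in "$d/int.pem" -noout -fingerprint -sha256
  rm -rf "$d"
}
demo
```
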

 

Export the certificate

First we need to get our hands on the certificate of the signing party (in this case the COMODO certificate). One way of retrieving the root / intermediate certificate is by downloading it from the signing party; COMODO provides a download portal containing all their root / intermediate certificates (link).

But not all certificates are easy to find, and some are not available at all (for instance when the CA is hosted by your company or a third party). Fortunately you can easily export it via Safari. It’s just not that obvious when you’re a stubborn Windows user like me.

  • In Safari, browse to a website signed with the same certificate (most likely Citrix Storefront)
  • Click on the https lock icon to open the certificate
  • Click on Show Certificate
  • Select the signing certificate (COMODO High-Assurance…), click on the certificate icon (!) and drag it to a Finder window (the OS X equivalent of Windows Explorer) and drop it in a folder
  • That’s it, you just exported the certificate to a .cer file

Import the certificate

Now that you’ve got the certificate file, you can import it into the Keychain. Just like exporting, once you know how it’s done it’s easier than brushing your teeth.

Option 1 – In five steps
  • Open Keychain Access (tip: press ⌘ + space to open Spotlight)
  • Click on the lock icon (top left) to unlock Keychain Access, select the keychain Login and category Certificates
  • Select File >> Import items (or ⇧ + ⌘ + I)
  • Select the certificate file you exported in the previous step and select the Keychain login
  • That’s it!

Option 2 – In one step

Even easier is to double-click on the certificate file. This will open the Add Certificates dialog where you can select the Keychain (login); all you then have to do is click on Add.

Ingmar Verheij

At the time Ingmar wrote this article he worked for PepperByte as a Senior Consultant (up to May 2014). His work consisted of designing, migrating and troubleshooting Microsoft and Citrix infrastructures. He was working with technologies like Microsoft RDS, user environment management and (performance) monitoring. Ingmar is User Group leader of the Dutch Citrix User Group (DuCUG). RES Software named Ingmar RES Software Valued Professional in 2014.


Comments (13)

  • Henry
    12 February 2014 at 12:08 |

    Could it be that the linking on the NetScaler Gateway isn’t set up correctly? I also work with a MacBook or with my Windows machine, and I have seen this problem there before.

    • Ingmar Verheij
      17 February 2014 at 13:43 |

      Hi Henry,

      Yes, that is quite possible. However, the Windows client has problems with this. Because as a user you are not in a position to change this on the NetScaler, it is nice to be able to solve this with a workaround 😉

      Ingmar

  • Marko
    15 May 2014 at 15:10 |

    Thanks for this explanation – it got me a good deal further!

  • Aniwonder
    6 July 2014 at 19:00 |

    Thanks so much for this! I just got my citrix up and running.
    However, various processes on my Mac keep asking to use the keychain (like Mail, Calendar, etc…). Is there a way to disable those apps from asking permission to use this?

  • Jonathan Hege
    5 October 2014 at 18:44 |

    Thank you. Finally I can log into Citrix Receiver on my Mac. This resolved the certificate error.

  • Thomas Glasius
    26 February 2015 at 11:08 |

    I am still getting the error message, even though I have tried all steps several times over. I am running Safari 8.0.3 (no luck in Chrome vers. 40.0.2214.115 (64-bit) either) on an OS X 10.10.2 2012 MacBook. The Citrix Receiver is vers. 11.6.0

    I hope that you can help me 🙂

  • Peter Jacobsen
    28 March 2015 at 11:21 |

    I have imported the certificate and approved it, but when I start my Citrix client it keeps telling me I have chosen not to trust it. When I look in my keychain it is approved. I have rebooted my Mac, still the same problem. I use Mac OS 10.10.2 and Citrix client 11.9.

  • Paolo Milani
    30 March 2015 at 16:53 |

    I have exactly the same issue as Peter Jacobsen.
    I’ve trusted the certificate into the Keychain but the error is still there…

  • Joep van de Ven
    27 May 2015 at 10:50 |

    Same goes for me. Certificate is approved in keychain but citrix keeps repeating the error message. Who provides the solution?

  • Mariska
    24 June 2015 at 19:44 |

    I also got the message: You have not chosen to trust “COMODO High-Assurance Secure Server CA”, the issuer of the server’s certificate. After carrying out the steps above, I keep getting this message. Is there another option to solve this?

  • Sander Meilink
    16 November 2015 at 03:22 |

    I solved it as follows.

    Two things were needed:

    1. Update Citrix Receiver to version 1.8.2 (this is not the default download version)
    http://www.citrix.com/downloads/xenapp/receivers/receiver-for-mac-1182.html?_ga=1.100163095.827685940.1447637312

    2. The Comodo RSA certificate is not the lowest level; AddTrust also had to be added and accepted. This is not visible via the browser, but it is via external analysis.
    I found that out via: https://www.ssllabs.com/ssltest/

    The certificate with the lowest number in the list is the root certificate. This was not visible via Safari, but it was via SSL Labs. After I added it, I was able to log in.

  • Florian
    7 October 2016 at 18:07 |

    Ingmar,

    Thanks very much. This helped after upgrading Citrix receiver to be compatible with Mac OS Sierra.
    Especially the link to the Comodo site to grab the newest certificates.

    Great thanks!

    Florian
