Citrix ICA Client SSL Error 61

The great thing about Citrix is that you can access company resources from almost anywhere. They have several solutions for remote access and thin client computing. They also have an ICA client for Apple OSX (Yeeehaaaaa).

I've been using the OSX ICA Client for a couple of months now to access my mail on the company intranet. Apart from some little quirks (like not functioning well when having two displays), the experience is good. Up till now.

Today, completely out of the blue came this error:

The error message suggests that I have changed something on my Mac, but not that I know. For someone who works with PKI, one would think that they would remember choosing NOT to trust a public VeriSign CA.

Most likely, the original SSL certificate expired, and they installed a new SSL certificate on the Citrix gateway. Problem is that this SSL Certificate is issued by an INTERMEDIATE CA. Since it's issued by an intermediate certificate, the service you're trying to access should provide you with this CA during the initial exchange key while establishing the SSL connection. The basis of PKI is that you should preferably trust ROOT CA's only. Everything in between should be provided during the communications setup.

Certificate Chain Certificate Chain

Anyway, since this is not completely new to me, I found the correct CA in the FireFox keystore (I ran into this on a website a while back), and exported it, imported it in the OSX Keychain and thought that everything would be oké.... Well not!!!!
It seems that the Citrix ICA Client has the CA's build in, so it completely ignores your trusted CA's.

The workaround is to create a folder hierarchy in the Citrix Client folder (Most likely to be /Application/Citrix ICA Client/), and place the binary encoded root certificate (with a .crt extension) in that location (Citrix explanation here). The certificate should be located in the following sub directory of the Citrix ICA Client folder; keystore/cacerts/

The full path to the intermediate CA on my system is:

/Applications/Citrix ICA Client/keystore/cacerts/VeriSignClass3SecureServerCA-G2.crt

After relaunching the client the connection went flawless.

This left me with a couple of questions (mostly SysOp related I guess);

  • Why isn't the Secure gateway (or whatever it's called) not sending the Intermediate CA's during the connection setup?
    My first guess; The intermediate certificate is not imported/installed on the device. Either Citrix has no way of doing this, or the SysOps have no idea what they're doing. Either way, I have no way of checking this.
  • Why is it that no one bothers to get acquainted with basic PKI operations? How can one offer security if you don't know the rules?
    DISCLAIMER: I don't claim to know everything on the subject, but for an intranet access gateway for over 10.000 employees you should know what you're doing.
  • Anyone found an easy way of accessing the VeriSign intermediate CA's certificates? You can only find the root CA's, and not the intermediate CA's. Easiest way I found is to use Internet Explorer and examine the SSL certificate chain and export them that way. Downside is; you need Internet Explorer....
Posted on July 16, 2009 by Willem and filed under Annoying, Software, Tips'n Tricks and tagged citrix error ica ssl.