Today I was asked to perform some Linux server maintenance for an important client. They use Citrix Access Gateway™ (CAG) for remote access to their systems. The plan was to log in to the Citrix Access Gateway web interface from Firefox, click the PuTTY icon, let the CAG server execute the PuTTY SSH client and display its interface on my Linux desktop via a locally installed ICA client. Once it’s up, enter the remote Linux server’s IP and do my job. Unfortunately, when I clicked the PuTTY icon things went wrong instantly:

You have not chosen to trust ‘Thawte Server CA’, the issuer of the server’s security certificate.
Aha, now what? Apparently the Citrix ICAclient comes with its own set of trusted Certification Authorities. Both Firefox and my system-wide CA list are set to trust Thawte, but ICAclient isn’t. After a bit of research I found that ICAclient’s trusted certificates are stored in the ~/ICAClient/linuxx86/keystore/cacerts/ directory:
~/ICAClient/linuxx86/keystore/cacerts $ ls -l
-r--r--r-- 1 mludvig users 891 2009-06-07 12:00 BTCTRoot.crt
-r--r--r-- 1 mludvig users 774 2009-06-07 12:00 Class3PCA_G2_v2.crt
-r--r--r-- 1 mludvig users 774 2009-06-07 12:00 Class4PCA_G2_v2.crt
-r--r--r-- 1 mludvig users 606 2009-06-07 12:00 GTECTGlobalRoot.crt
-r--r--r-- 1 mludvig users 576 2009-06-07 12:00 Pcs3ss_v4.crt
-r--r--r-- 1 mludvig users 568 2009-06-07 12:00 SecureServer.crt
That’s a good start. Now find out what format these certs are in — the two most common formats are DER (binary) and PEM (the same DER bytes, base64-encoded between BEGIN/END CERTIFICATE lines). A quick check reveals that these files are binary, so they are most likely DER. Verify the assumption with openssl:
.../cacerts $ openssl x509 -inform der -text -noout -in BTCTRoot.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
[...]
Very good — openssl was told to read it as DER and gave us a sensible output, so it’s DER! Now we need to get the Thawte Server CA certificate from somewhere, convert it to DER format and save it into this directory. It is almost certain that the Citrix Access Gateway web interface is served with the very same SSL certificate chain that the ICA client complains about. So … grab it from there!
Right-click somewhere on the page and select View Page Info — a Page Info dialog should pop up. Select the last tab — Security — and then View Certificate.

Page info — View Certificate
The Certificate Viewer will pop up. Select the second tab — Details. There, in the Certificate Hierarchy tree, select the top-most item, Thawte Server CA in our case. Click the Export button at the bottom and save the certificate, for example as ~/ThawteServerCA.pem.

Export “Thawte Server CA” certificate
Now the last step of our quest — convert the certificate from PEM format to DER with the help of openssl and verify that it worked. Note that we’re still in ICAclient’s keystore/cacerts directory:
.../cacerts $ openssl x509 -inform pem -outform der -in ~/ThawteServerCA.pem -out ThawteServerCA.crt
.../cacerts $ openssl x509 -inform der -in ThawteServerCA.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
OU=Certification Services Division,
CN=Thawte Server CA
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
OU=Certification Services Division,
CN=Thawte Server CA
[...]
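As an added example (not part of the original post and not Citrix’s code), the following Python performs the same PEM-to-DER normalisation without openssl, sanity-checks the result by parsing the outer DER SEQUENCE header, and copies it into the ICA client keystore; the function names, the constructed sample certificate and the default keystore path taken from the article are assumptions.

```python
import base64
import os
import re

# PEM armour around the base64 body; everything between the markers is the DER.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length(data):
    """Total length of the outer DER SEQUENCE, or None if the header is malformed."""
    if len(data) < 2 or data[0] != 0x30:  # an X.509 certificate is always a SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def looks_like_der(data):
    """True when the blob is exactly one well-formed DER SEQUENCE."""
    return der_length(data) == len(data)

def to_der(data):
    """Accept PEM or DER bytes and return DER bytes; raise ValueError otherwise."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True) if m else data
    if not looks_like_der(der):
        raise ValueError("not a DER certificate (outer SEQUENCE length mismatch)")
    return der

def install_ca(src_path, name, keystore=None):
    """Write the certificate as <name>.crt into the ICA client keystore, DER-encoded."""
    keystore = keystore or os.path.expanduser("~/ICAClient/linuxx86/keystore/cacerts")
    if not os.path.isdir(keystore):       # the wrong directory is a common cause of failure
        raise FileNotFoundError(f"ICA keystore not found: {keystore}")
    with open(src_path, "rb") as f:
        der = to_der(f.read())
    dst = os.path.join(keystore, name + ".crt")
    with open(dst, "wb") as f:
        f.write(der)
    os.chmod(dst, 0o444)                  # match the read-only mode of the shipped roots
    return dst

if __name__ == "__main__":
    # Constructed sample: SEQUENCE { INTEGER 1 } wrapped in PEM armour, not a real CA.
    sample_pem = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    print(to_der(sample_pem).hex())       # 3003020101
```

Run `install_ca("~/ThawteServerCA.pem", "ThawteServerCA")` after expanding the path yourself, then confirm with `openssl x509 -inform der -text -noout` as above.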
All right, we’re set to go. Click on the PuTTY icon again and see how far we get.

PuTTY is now starting
Voilà, things look good. A while later PuTTY is up, running on the remote Citrix Access Gateway server, ready to open an SSH connection to the Linux box in the company’s internal network.
Comments
Great post! I would never have gotten so far without it. Grabbing the certificate from the browser is a nifty idea. I still can’t run my Citrix apps yet though, same error message.
I’m wondering how the ICA client should know that it needs to look in the new .crt file? Do I have to give the file a certain name?
Hi Jamie,
I don’t think it needs a special filename, just name it somewhat similar to the CA name.
Did you try to restart the browser after adding the cert?
Isn’t there a system-wide ICAclient installation? Perhaps it loads the keys from somewhere else than from your home directory? Try ‘find / -name *.crt’ and see what comes up. Perhaps you’ll find another ICAclient’s cacerts’ directory worth trying.
Hope some of it helps :-)
Michal
No luck yet. My ICAclient is installed in /usr/lib, and the find didn’t reveal any other certificate directories. Have tried restarting the browser (even the whole machine).
One strange thing about my system is the ugliness of the error message:
You have chosen not to trust “/C=US/ST=/L=/O=Equifax/OU=Equifax Secure Certificate Authority/CN=”, the issuer..
I’ve tried naming my certificate EquifaxSecureCA.crt, Equifax_Secure_CA.crt, no luck.
Any other ideas?
What if you reinstall ICAclient to your home directory, similar to what I have? Then it’s clear where the certificate should go to. Get “the right” version of ICAclient from the CAG — there should be a download link once you’re logged in.
I got it!! :D
Though I think your method of extracting the certificate using Firefox and openssl is ingenious, it wouldn’t work for me.
After googling around some more for Linux ICA client help I noticed that many of the articles talk about going to Verisign and downloading the root certificates, or going to Globalsign and downloading the root certificates. So I figured, what the heck, and I searched for Equifax root certificates:
http://www.geotrust.com/resources/root-certificates/
I downloaded the DER encoded X.509 certificate, Equifax_Secure_Certificate_Authority_DER.cer, renamed it from .cer to .crt, and kaplow! it worked!
I still can’t believe it’s true, and I still can’t stop smiling :) Thanks again for your help!
-Jamie
I wonder how the root cert pulled from Firefox could be any different from the one downloaded from Equifax? Are you sure you converted from PEM to DER before saving it to ICAclient’s keystore? Anyway, good that you sorted it out ;-)
Yes, I did all the conversion and checking, as you outlined so well in the original article.
Despite the fact that converting the certificate didn’t work, I wouldn’t have gotten very far without your article — I had never heard of PEM or DER or X.509, and wouldn’t have known which certificate to download!
I can say that the certificate from Firefox was the certificate for our CAG server, with our server’s name in it — so I don’t think it was an Equifax root certificate. I’m ashamed to say that I still know too little about all this certificate stuff — worse than that, I’m one of the IT guys who maintains our CAG servers! Anyway, I’ve learned something today, and am happy with that :)
Thanks! Your comment helped me a lot because I was getting the same “/C-…” error.
One more thing I was doing wrong was that I was putting the certificates in /usr/lib/ICAClient/keystore/cacerts/ folder instead of the ICAClient/linuxx86/keystore/cacerts/ folder. Once I put it under my own folder, it worked!
Thanks to both of you
Thx. a lot for this nice tutorial.
Excellent tutorial. I was trying to use Tengraph (http://www.dmp.wa.gov.au/3980.aspx), a tenement and GIS type interface, on my machine running Ubuntu. The IT Service Desk for Tengraph expressly state they do not give support for certificate/security issues for Mac users, and there is no mention of Linux users at all. My first attempt came up with a similar client error to the one seen above. A quick search located this topic. I simply followed the steps, substituting my file names. The Linux client I downloaded was v11. Obviously you need to change permissions (right-click) to install (./setupwfc): http://www.citrix.com/English/SS/downloads/details.asp?downloadID=3323&productID=-1#top.
Worked straight up.
Thanks again!
I’m glad I kept my old emails about this topic…. I know it’s an old thread, but I just stumbled upon the same problem again, but under rather unexpected circumstances.
I’ve just set up a Windows 7 Professional N x64 (the one that’s shipped without media player, which I’ve improved further by removing IE) with Firefox system at home, and tonight I needed to get the Citrix web client working on it. Wouldn’t you know it, I got the same silly error message as when I was experimenting with Ubuntu: You have chosen not to trust….
To solve the problem, I followed a similar procedure to my previous post: I downloaded the certificate from GeoTrust to my desktop, which showed up as a pretty certificate icon. I right-clicked on it and followed the automatic options to install the certificate and, yes kaplow, it worked again :)
Maybe a bit off topic, but I wanted to post this here in case anyone else has this problem with Windows 7 x64, as googling didn’t help me at all.
cheers, Jamie