Problem
You have successfully published a Citrix Receiver rule on the NetScaler and confirmed that a Windows PC can access Citrix published applications with a Citrix Receiver but you notice that Androids and Apple devices are presented with the following warning while logging on:
Invalid Server Certificate
This server certificate is not trusted.
Do you wish to accept this certificate and connect to the server anyway?
Contact your help desk if you are unsure.
… and although they can continue the login process by tapping the Accept button, they are presented with the following error when attempting to launch applications:
Cannot validate SSL certificate
Cannot verify this server’s certificate.
Solution
The reason why devices such as Androids and iPads present this error is because it cannot verify the presented certificate’s certificate chain. Devices other than traditional Windows PCs do not have the trusted certificate chains installed by default and while it is possible to try and install the certificate onto the devices themselves, that solution is not practical in any environment with more than a few devices to manage. The way to address this issue is to actually install the trusted chain of Root and Intermediate issuing CA certificates onto the NetScaler then link it to the certificate that used by the NetScaler to secure traffic.
Begin by using a browser and navigate to the Citrix portal and open the certificate properties:
Note that the Issued by field indicates this certificate was issued by the certificate authority QuoVadis Global SSL ICA G2 in the screenshot above. Proceed and navigate to the Certification Path to display the full certificate issuing chain:
As shown in the Certification path above, the certificate chain is comprised of the QuoVadis Root CA 2 Root CA that issues the QuoVadis Global SSL ICA G2 Intermediate CA that issues the server certificate that the NetScaler is using to secure traffic to the server. The two certificates we need to download are the QuoVadis Root CA 2 Root CA that issues the QuoVadis Global SSL ICA G2 intermediate CA.
Performing a quick search on Google returns the following URL that includes the links to download either the the DER or PEM of the certificates:
https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/InstallingSSL.aspx
Proceed to download the PEM for both the Root and Intermediate certificates by copying the text for each certificate and saving them as .cer files:
Upload the two certificates to the NetScaler:
Continue and import the certificates:
Fill in the following:
Certificate-Key Pair Name*: <a logical name that makes sense such as QuoVadis-Global-SSL-ICA-G2>
Certificate File Name*: Select the .cer file that was uploaded
Key File Name: Leave Blank
Select PEM format
Password: Leave Blank
The rest should be left as default.
Click on the Install button and you should now see the intermediate certificate installed:
Repeat the same procedure for the Root CA:
With the 2 certificate installed, the final stage is to link the chain together by right clicking on the server certificate and select Link:
If the correct intermediate issuing CA certificate was uploaded, the NetScaler should automatically detect it and have it set in the drop down menu:
With the server certificate linked, proceed and link the intermediate certificate to the root:
With the certificate chain linked, your tablet device such as iPads or Androids should no longer present the certificate warning and will be able to launch published applications:
One Response
Terence….. thank you for a nicely worded and formatted simple explanation to this issue.