When I try to login to my work I get this message on citrix receiver: You have not chosen to trust 'Buypass class 3 root CA', the issues of the servers security certificate.This issue may be caused by an out-of-date intermediate certificate installed at NetScaler Gateway. This does not mean that the CA certificates currently being used is expired but the CA has since released newer versions of that certificate.Verify the certificate bindings at the NetScaler Gateway to resolve this issue.To confirm this, visit the NetScaler Gateway website using a web browser, and examine the certificate chain in the web browser. You may wish to cross-check this by repeating with more than one web browser (such as with Google Chrome and Mozilla Firefox). Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.22. Citrix ADC 12.1-FIPS before 12.1-55.247 These issues have already been addressed in Citrix managed Cloud services such as Citrix Gateway Service and Citrix Secure Workspace Access.You can export the intermediate certificates from the web browser. If you used more than one web browser, it is possible that they yield different certificate chains. Similar issue with a different solution: Scenario: You have updated your Netscaler gateway URL’s certificate.Hi.
Citrix Receiver You Have Not Chosen To Trust Mac Without IssueI'm running the latest version of macOS Sierra and the latest version of Citrix Receive for Mac.In particular, the certificate that I have apparently chosen not to trust is this one:"/C=US/ST=/L=/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority/CN="However, when I trace the chain of SSL certificates, at the URL where I connect to Citrix, I get the following chain, which contains a similarly named root certificate, but one that doesn't exactly match the error that I've been getting: After connecting to my office's Citrix environment for years via Citrix Receiver for Mac without issue, I have (apparently) randomly begun to get the "SSL 61 Error", where Citrix complains that I have chosen not to trust the issue of the server's security certificate. If there are any mismatches in intermediate certificates, this is a possible cause./HDD/User/Library/Application Support/Citrix Receiver/keystore/cacertsThis didn't work in Safari or Chrome, so I renamed them as *.crt files. /HDD/User/Library/Application Support/Citrix/keystore/cacerts I tried to connect in Chrome (I typically use Safari), it didn't work either.So, I exported both the intermediate and root certificates and placed them (as *.cer files) in the following locations: I already had the root certificate in my keychain, but it was set to default trust values, so I marked it as trusted for all purposes.This didn't work. I then marked it as trusted. VeriSign Class 3 Public Primary Certification Authority - G5 (root certificate)I did not have the intermediate certificate in my keychain, so I grabbed it and added it without issue.![]() Based on your server, fsacitrixweb.ed.gov, I can see that it is in fact returning a certificate chain that includes 4 certificates. This change is covered in the "Joint Server Certificate Validation Policy" documentation here. Can anyone help me through this?CitrixViewer_2017_05_04-06_25_10_7085.txtReceiver for Mac 12.5 introduced stricter TLS certificate chain verification. Of course, I already tried calling my office's IT group, but they very politely told me that there was absolutely nothing that they could do to help me and that I'm on my own.A log file with the error is attached. Citrix works fine for me if I connect through the iOS app or through the Chrome Citrix App (from the same Mac that I'm having difficulty with).I'm at a loss as to what I should do next. Nobody else is having this problem at work with Citrix Receiver for Mac (even with the same base configuration as me). Office home business 2016 for macApple has specifically removed it because it's a weak certificate.What this all boils down to is that the server configuration (I believe it to be a NetScaler device) is incorrect. It's complaining because that root certificate doesn't exist in your Keychain. / Class 3 Public Primary Certification Authority corresponds to the cert that Receiver is complaining about. / Class 3 Public Primary Certification AuthorityVeriSign, Inc. VeriSign Class 3 Public Primary Certification Authority - G5 (This is different than the root certificate in your list) Only the first two from your list are necessary.
0 Comments
Leave a Reply. |
AuthorRachel ArchivesCategories |