Citrix on Mac: A Fix for SSL Error 61

The IT department where I work changed the certificate for remote access via Citrix this past weekend.  Whereas previously I had no problem accessing the VPN using Citrix via Firefox on a Mac, it suddenly stopped working.

I got the following error:

SSL Error 61:  You have not chosen to trust “Network Solutions Certificate Authority,” the issuer of the server’s security certificate.  Error number:  183

This was a puzzling error.  I checked my certificates under Firefox and it seemed to be correct.  The certificate appeared in my Keychain.  I tried adjusting the Trust settings for the certificate on Keychain, but that had no effect.  No one at IT was able to help me because they don’t have much Mac experience.  A Google search showed that this is a fairly common problem that can affect several different certificates (the one listed above is the one I had a problem with).  Unfortunately, none of the answers I found got me all the way to a fix.  I thought I would post my solution here to see if it helps anyone.

1.  Go to Keychain Access and find the certificate that is a problem (for me it was Network Solutions Certificate Authority, but it could be any of a number of certificates).

2.  Export the certificate to the desktop (right click/export) – it will appear as Network Solutions Certificate Authority.cer

3.  Go to the Citrix folder on the Mac and look for a keystore/cacerts folder.

4.   If the folder isn’t there, you will need to create it.  To do this, go to Applications/Citrix ICA Client.  Create the folder keystore (Right click/new folder).  Within that folder, create the folder cacerts.  The path will be Applications/Citrix ICA Client/keystore/cacerts.

5.  Copy the certificate exported from Keychain earlier (Network Solutions Certificate Authority.cer) to the Applications/Citrix ICA Client/keystore/cacerts folder.  Some sources say you need to change the extension to .crt (so in the example, this would be Network Solutions Certificate Authority.crt), but that didn’t work for me. The .cer extension did.

Now you should be able to access the VPN through its usual website on Firefox.

For reference, I am using Citrix for Mac, version 10.00.603, and Firefox, version 3.6 on Mac OS X, version 10.6.2 (Snow Leopard).

Update:

Please see posts from Chris below in the comments from May 21, 2010 and his update on June 2, 2011 for a solution using Terminal.


36 Responses to “Citrix on Mac: A Fix for SSL Error 61”

  1. Citrix on Mac: A Fix for SSL Error 61 « Chicago Mac/PC Support Says:

    [...] on Mac: A Fix for SSL Error 61 Good investigative work. Apathetic IT department can’t find solution that non professional finds.  Then this same [...]

  2. Doug Rawson Says:

    This is not working for me. When I export the certificate I get several ‘format’ choices none that are .cer or .crt
    I have tried adding both of these extensions but neither will work.
    When I choose to export the certificate from my FireFox [preferences - Encryption - Certificate Manager] I get three file type options: PEM, DER, and PKCS#7 with or without chain. I have tried both versions of PEM and DER to no avail. They do not export with an extension and as noted above I have added the extension.

    To clarify I have placed the exported files in this directory: Applications/Citrix ICA Client/keystore/cacerts

    FireFox 3.6.3
    Mac OS X 10.5.8
    Citrix ICA 7.10.500

  3. Doug Rawson Says:

    Any help will be greatly appreciated!

  4. medgirl2001 Says:

    I’m not sure why you wouldn’t be able to export the certificate with a .cer extension. Looking through my Keychain, it appears that my certificates all have the option to export as .cer (as well as .pem and .p7b). It seems like it is an issue with the format of the certificate. Have you tried searching to see if you can download an alternate copy of the certificate from somewhere? Depending on the certificate that is an issue for you, you may be able to find it available for download.

  5. Chris Says:

    Medgirl, you rock. One of my clients upgraded their Citrix Gateway without telling me and I was getting the same SSL error 61 when trying to launch a remote application. Your instructions didn’t work exactly for me, so I’d like to give additional instructions for anyone still struggling.

    This applies to:

    Mac OS 10.6.3 Snow Leopard
    Firefox 3.6.3
    Citrix Online Plugin (ICA Client version 11.1.0)

    The “Network Solutions Certificate Authority” was the certificate giving me a problem too, however the version stored in my Keychain was not appropriate for the new version of the ICA client I’m now using, version 11.1.0, AKA the Citrix Web Plugin.

    To fix things, I got the newer version of the needed certificate from a Windows machine, via these steps:

    Windows Specific Instructions:

    1) From a Windows computer, log in to the Citrix Gateway once and launch any application. This will ensure that the certificate gets installed in Windows, if it’s not already present (it wasn’t present for me.)

    2) In Windows, log out of the Citrix gateway.
    3) launch Internet Explorer if not already running.
    4) in IE, go to the Tools menu –> Internet Options –> Content tab
    5) click the Certificates button
    6) click the Intermediate Certification Authorities tab
    7) find the “Network Solutions Certificate Authority” certificate in the list
    8) click the certificate once to highlight, then click Export
    9) click Next
    10) choose DER Encoded Binary X.509 (.CER)
    11) click Next
    12) click Browse, and change to the Desktop if not there already
    13) in the file name field, type or paste: Network Solutions Certificate Authority
    14) click Save, click Next, click Finish.
    15) there should now be a file on the Windows desktop with the name
    Network Solutions Certificate Authority.cer

    16) copy this file to the Mac in whatever way you normally move files.

    Mac Specific Instructions:

    17) on the Mac, copy the file to your desktop.
    18) in Finder, go to Applications –> Utilities
    19) launch Terminal

    In Terminal, type these commands, without the # sign. There will NOT be any output from the commands. Be very careful to type them exactly.

    # sudo su -
    (now enter your Administrator password)
    # cd /Library/Application\ Support/Citrix/
    # mkdir keystore
    # mkdir keystore/cacerts
    # cd keystore/cacerts/
    # mv ~/Desktop/Network\ Solutions\ Certificate\ Authority.cer .
    (Note: the last 2 characters of that command are a SPACE and a PERIOD)

    # exit
    # exit
    20) you can now quit the Terminal application

    Your remote Citrix applications should now launch from Mac Firefox without problem.

  6. medgirl2001 Says:

    Chris – thanks for your comment! Very helpful!

  7. Chris Says:

    My pleasure.

    #8 was translated to the “cool smiley” accidentally, for anyone wondering, and I’m not sure what happened to the spacing in the “mv” command toward the bottom. There should only be a single space in between the words, as well as a single space before the final period.

  8. Ron Says:

    medgirl, I followed your instructions carefully but still unable to get past error 61. I have not been able to access the clinical portal for months because of this (that is, remotely, using OS 10.4, Intel, and either Firefox or Safari). The certificate is apparently on the Desktop. My question is: your instruction, #3 says to go to the Citrix folder. There is no such folder on my Mac. The Applications folder simply has the Citrix app. I created a folder on the Desktop and copied the certificate to it but that did not work. You probably have the answer to this. Like you, I had the same experience with our IT; they were totally stymied by the Mac and pretty vocal about not supporting the Mac.
    Thanks, Ron

  9. Ron Says:

    Medgirl,
    This is a followup to the post I just sent. I was mistaken about the location of the certificate; it is not on the Desktop. It is a Verisign certificate. The *.cer file has the following path:
    Mac HD/library/Application Support/Citrix/Keystore/Cacerts/

    Is this the right location for it?

    Thanks. Ron

  10. medgirl2001 Says:

    Hi, Ron, for me the certificates can be found under Applications both in Macintosh HD and in Applications under Place in the sidebar. Under Applications, there is a folder called Citrix ICA Client/keystore/cacerts and that’s where I put the certificate.

  11. Richard Dixon Says:

    Tremendous work Medgirl and Chris, solved a really annoying problem which had me baffled. Cheers !

  12. kidneydoc Says:

    Thanks for the update. All my attempts to work around error 61 have failed. Even went to an XP computer and copied the certificate and then copied it to the cacerts folder. Then IT sent a zip file that has all the certificates at the institution where I work. I copied all of them to cacerts. Still did not work. I am still using Tiger and the Citrix version is 7xxxx something. I have tried both Firefox and Safari. Even the genius at the Apple Genius Bar could not help. I have reached a dead end.
    Ron

  13. Matthew Says:

    Thank you thank you thank you!! Just upgraded to wonderful new iMac, older iMac running 10.4.11 working fine, everything seemed to be working fine and-blooey, error above. Third certificate I tried, from login keychain, worked – could not export it (wasn’t an option) but click and drag worked just fine.
    Lifesaver!!

  14. pduche Says:

    Try the following steps —
    Step – 1: login to the MAC
    Step – 2: in the Citrix installation folder: (*most likely /Applications/Citrix ICA Client*)
    Step – 3: Create the following directories: /Applications/Citrix ICA Client/keystore/cacerts/
    Step – 4: Copy the “XXXX_SSL_CA.cer ” to the new cacerts folder.
    Step – 5: Copy that file to /Applications/Citrix ICA Client/keystore/cacerts
    Step – 6: Start the browser,

  15. Jacco's Website Says:

    You have not chosen to trust “Entrust.net Secure Server Certification Authority, the issuer of the server’s ………

    You have not chosen to trust “Entrust.net Secure Server Certification Authority, the issuer of the server’s …. finally solved! YES…….

    • johan Says:

      Hello Jacco, I saw that you had the solution for the SSL error 61 problem. Could you help me? I have a blue check mark showing next to comodo certification in Keychain and cannot change it in any way.

  16. flash jervis Says:

    I was having problems with the geotrust cert. I used Chris’s method above except for steps 17–19 I opened keychain access and imported the .cer file into the system keychain.
    cheers!

  17. Chris Says:

    Good work flash.

    Medgirl, I just re-read the Unix commands above and, to my horror, I see a syntax error. Would you please edit the original post? These commands are more concise and the ~ in the mv command now correctly references the user’s home directory and desktop, instead of root’s.

    These lines replace everything in #19, under the directions to type carefully:

    # sudo mkdir -p /Library/Application\ Support/Citrix/keystore/cacerts
    (enter your Administrator password here)
    # cd /Library/Application\ Support/Citrix/keystore/cacerts
    # sudo mv ~/Desktop/Network\ Solutions\ Certificate\ Authority.cer .
    (Note: the last 2 characters of that command are a SPACE and a PERIOD)

    # exit

    ____________
    best regards

  18. Patrick Says:

    I got the same SSL 61 error message. I’m using the Citrix Receiver (version 11.4).
    But the solution above is for Citrix Web-Plugin, there is no “Citrix ICA client”. I have tried all possible combinations with creating the folders in Finder, but with no positive result.

    When I go to the site, to connect with the Citrix secure gateway, and I check the certificates (path) in Safari they all state “Trusted”.

    Has anyone a solution?

  19. Robert Zahm Says:

    Not sure what ultimately fixed this. I tried the steps above with the cert exports and it worked for a few days, but broke again when the Citrix client was updated.

    I manually trusted the DigiCert certificates in the KeyChain, and this seemed to resolve it again.

  21. Gfuss Says:

    FYI,
    If you (or have someone) place the intermediate cert on the Citrix Access Gateway (or NetScaler) and link it (chaining) to the primary SSL certificate, you do not need to mess around with adding it to your local KeyChain.

    We linked our DigiCert wildcard to the DigiCertCA.crt and the error was resolved. No need to have the end-users do work that they should not have to.

    Gfuss

  22. Anand Says:

    Brilliant. I almost gave up on this and I followed your steps as a final try: I’ve added my comments to your points:

    I use: Mac 10.6.8, firefox 10.0.2

    1. Go to Keychain Access and find the certificate that is a problem (for me it was Network Solutions Certificate Authority, but it could be any of a number of certificates). My comments: I didn’t find it here. So I exported the certificate by clicking on the blue area (where you type the link to the website that you access) -> more information -> security -> view certificate -> details -> under the ‘certificate hierarchy’, I clicked on Verisign class 3 international server ca – g3 and hit ‘export’

    2. Export the certificate to the desktop (right click/export) – My comments: didn’t change anything to the file name or extn. Just saved it as it was.

    3. Go to the Citrix folder on the Mac and look for a keystore/cacerts folder.

    4. If the folder isn’t there, you will need to create it. To do this, go to Applications/Citrix ICA Client. Create the folder keystore (Right click/new folder). Within that folder, create the folder cacerts. The path will be Applications/Citrix ICA Client/keystore/cacerts.

    5. Copy the certificate exported from Keychain earlier (Network Solutions Certificate Authority.cer) to the Applications/Citrix ICA Client/keystore/cacerts folder. Some sources say you need to change the extension to .crt (so in the example, this would be Network Solutions Certificate Authority.crt), but that didn’t work for me. The .cer extension did. My comments: I didn’t change the extn. Just copied and saved the file that I exported.

    IT WORKED.. woohoo..

  23. Andrew Says:

    Having trouble locating this: Applications/Citrix ICA Client. I do find the plug ICA however.

  24. Ben Says:

    Thank you so much…had this error all weekend and couldn’t figure out what to do til I read this!

  25. Syd Says:

    THANK YOU! I’ve been working on this for days and not a single website could help me. Forever grateful.

  26. stanley ellames Says:

    You are a legend, thank you from Australia, our IT suggested an OS upgrade, got to love them though !!

  27. K V Dev Says:

    I am getting this error on Windows as well when I try to launch any of the citrix applications. Any clue?

  28. Aida Says:

    We had the same problem, and it was a problem with the certificate in the ASA: the cert was signed with the sha256 algorithm, which seems to be causing problems. We requested another cert with sha1 and it worked fine.

    • Jim Stiles Says:

      Can you provide more explanatory details please? We seem to have the same problem but am not knowledgeable on the technicalities. What does ASA mean, and how does one request another cert with sha1?

  29. Brian Almeida Says:

    Upgrade to Citrix Receiver 11.7 or later, which supports SHA-2:

    http://support.citrix.com/proddocs/topic/rec-mac-11-7/rec-mac-about.html
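Two recurring causes in this thread can be checked from the certificate file itself: whether an export is PEM or DER (comment 2 versus the DER .cer export in comment 5), and whether the certificate is signed with SHA-256, which comments 28 and 29 tie to older clients. The following is an added example, not code from the post, its commenters or Citrix; the function names are hypothetical and the sample bytes are a constructed, certificate-shaped structure rather than a real certificate.

```python
import base64
import re

# DER-encoded OIDs of the two signature algorithms named in the comments.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = size of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_cert(data):
    """Return (file encoding, signature algorithm name) for a certificate file."""
    m = PEM_RE.search(data)
    if m:
        encoding, der = "PEM", base64.b64decode(m.group(1))
    elif data[:1] == b"\x30":               # DER starts with a SEQUENCE tag
        encoding, der = "DER", data
    else:
        raise ValueError("not a PEM or DER certificate")
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE {
    _, _, tbs_end = read_tlv(der, cert)     #   tbsCertificate (skipped),
    _, alg, _ = read_tlv(der, tbs_end)      #   signatureAlgorithm SEQUENCE {
    tag, oid, oid_end = read_tlv(der, alg)  #     algorithm OID, ... } ... }
    if tag != 0x06:
        raise ValueError("signatureAlgorithm OID not found")
    return encoding, SIG_ALGS.get(der[oid:oid_end], "other")

def tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form lengths only

def constructed_sample(oid_hex, pem=False):
    """Constructed, certificate-shaped DER for the demo; not a real certificate."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))
    if pem:
        return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
    return der

if __name__ == "__main__":
    print(inspect_cert(constructed_sample("2a864886f70d01010b")))
    print(inspect_cert(constructed_sample("2a864886f70d010105", pem=True)))
```

To check a real export, pass the bytes of the file, for example `inspect_cert(open(path, "rb").read())`.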

  30. Rachael Says:

    This fixed it!!! Thank you!!

  31. Alissa Says:

    Thank you so much for creating this blog. We just wasted an hour on the phone with national IT and they couldn’t figure out the problem! I still don’t understand how this worked but THANK YOU!!

  32. concort Says:

    Ok there is NO Citrix folder on the MAC? Where in the world do I put this new folder if there is no Citrix folder?? Help!

    Thanks!
