Viewing 13 posts - 1 through 13 (of 13 total)
  • Who understands certificates, pki, ssl and all that? Citrix content
  • molgrips
    Free Member

    Trying to use Citrix Receiver, and on both Centos VM and my Ubuntu host I get an error message saying I have chosen not to trust Verisign bladebla. Now, Firefox has these certificates it seems, from looking at its settings, but it appears Citrix is set to use the native client so the OS certificates are the ones it needs – and I don’t have those.

    So just copy the certificates from somewhere? Can I download something from Verisign to install? If so, what?

    scaled
    Free Member

    Verisign should already be trusted unless someone has put them on a certificate revocation list in your organisation?

    Sounds like the server doesn’t have the intermediate certs installed though?

    willard
    Full Member

    Molgrips, e-mail me. I think my address is in my profile.

    molgrips
    Free Member

    The centos VM is installed from the standard installer downloaded from the internet. I’m at home, and the network connection is set to bridged, so it goes nowhere near my organisation. The one I am trying to connect to seems to be certified by verisign but for some reason my OS isn’t set to trust it.

    Cougar
    Full Member

    Look for a “root certificate update” for your browser du jour.

    Cougar
    Full Member

    Oh, and, make sure the date is correct on your machines.

    molgrips
    Free Member

    The browser has the certificates. The Citrix receiver seems to be a native app (it chooses the native client for me in the settings) so it’s running as a native process, which presumably means the OS needs to trust the CA rather than the browser. The two cert stores are different in Linux.

    Cougar
    Full Member

    Dunno about Linux, but it’s the root cert that tells your browser to trust the CA. If the CA isn’t trusted (and it’s a well-established public CA like Verisign) then the root cert is out of date / missing (or your system date is wrong).

    How you’d fix that in Linux / CentOS I couldn’t even begin to imagine. I’d have thought they’d be included in the standard repositories, have you apt-got lately?

    mogrim
    Full Member

    The Citrix receiver seems to be a native app

    Finding that out would be your first step – it could quite easily be a java app (for example) in which case you’d need to use keytool to install the certs.

    What have you got (if anything) in /usr/local/share/ca-certificates/ ?

    molgrips
    Free Member

    Dunno about Linux, but it’s the root cert that tells your browser to trust the CA.

    From what I gather, in Windows the browser and OS store are the same thing, whereas they aren’t in Linux.

    I have nothing in /usr/local/share/ca-certificates, but (on my Ubuntu laptop rather than the VM) I have a shedload of .pem files in /etc/ssl/certs from what look like certificate authorities, including Verisign, and including VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
    which is the one it claims not to be able to trust.

    superfli
    Free Member

    In the client web browser, click on the padlock or whatever the browser uses to display that it’s a secure site. Click on the Certificate Information and then inspect the Certificate Path. Compare to a working machine. This will help identify if it’s a Root CA missing or an intermediate cert. On a Windows client you can export from the working client and import into the non-working client by using Certmgr.msc
    No idea on non Windows.

    This is under the assumption that your webinterface/storefront is using client receiver and not java as pointed out by mogrim.

    molgrips
    Free Member

    Ok, sorted.

    Turns out that the browser has its own certificate store, and Linux has its own certificate store; but the Citrix client ALSO has its own. D’oh.

    The solution is to create a symbolic link from the browser to the citrix directories.
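
The fix described in the post above (symlinking CA files from a store that has them into the one the client reads), as an added example that is not part of the original thread. The source and destination directories are arguments because the thread does not give the Citrix client's certificate path; `link_missing_cas` and `is_pem_cert` are hypothetical names.

```shell
#!/bin/sh
# Added example: link CA certificates from one trust store into another.
# SRC and DST are caller-supplied; no Citrix path is assumed here.

# is_pem_cert FILE: true if FILE contains a PEM certificate block.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# link_missing_cas SRC DST [--dry-run]
# Prints one line per certificate that is (or would be) linked.
link_missing_cas() {
    src=$1; dst=$2; mode=${3:-}
    [ -d "$src" ] && [ -d "$dst" ] || {
        echo "usage: link_missing_cas SRC DST [--dry-run]" >&2
        return 2
    }
    for f in "$src"/*.pem "$src"/*.crt; do
        [ -e "$f" ] || continue          # unmatched glob or dangling link
        is_pem_cert "$f" || continue     # skip anything that is not a PEM cert
        name=$(basename "$f")
        # -e follows symlinks; -L also catches a dangling link already in DST
        if [ -e "$dst/$name" ] || [ -L "$dst/$name" ]; then
            continue                     # never overwrite what the app already has
        fi
        target=$(readlink -f "$f")       # /etc/ssl/certs entries are often symlinks
        if [ "$mode" = "--dry-run" ]; then
            echo "would link $name -> $target"
        else
            ln -s "$target" "$dst/$name" && echo "linked $name -> $target"
        fi
    done
}

# Run directly: sh link_cas.sh SRC DST [--dry-run]
if [ $# -ge 2 ]; then
    link_missing_cas "$@"
fi
```

Run it with `--dry-run` first: every file linked into the destination becomes a root that the client will trust.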

    scuttler
    Full Member

    On Windows many apps plug into the Windows cert store but some like Java and Firefox use their own. I expect Google apps like Chrome will start to go their own way too following the recent spat with Symantec over Symantec’s improper generation and use of certificates for Google domains – keep adding those symbolic links. PKI’s a right laff.
