Symptoms or Error
The following error messages are displayed for Receiver users accessing StoreFront or Web Interface applications:
- "Cannot connect to the Citrix XenApp Server. SSL Error 61: You have not chosen to trust "Certificate Authority", the issuer to the server's security certificate."
- "The server certificate received is not trusted (SSL Error 61)"
- "Your app is not available. Try again later."
Solution
Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.
For the Administrator or Help Desk Support
This error message suggests that the client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the NetScaler Gateway server certificate.
Complete the following steps to resolve this issue:
- Download or obtain the SSL root certificate/intermediate certificate (.crt/.cer) file issued by your SSL certificate provider.
  The root certificate/intermediate certificate can be downloaded from your SSL certificate provider's website or obtained on request. The root certificate is usually included in the certificate bundle provided by your SSL service provider, along with the intermediate and server certificates.
- Install the root certificate/intermediate certificate on the client machine.
- If an antivirus is installed on the client machine, ensure that the antivirus trusts the certificate.
This process pairs your client machines with the server machine, and is necessary if you do not use a certificate verified by a commercial SSL certificate provider. Most commercial certificate providers arrange to have their certificates pre-installed on machines through an agreement with the operating system creator (Microsoft, Apple, and so on).
The system administrator might also need to contact the certificate authority who sold the faulty certificate and inform them that the certificate is in violation of RFC 3280. Also ask the certificate authority to issue a new certificate that contains the following key usage value in addition to any other required values:
Server Authentication (1.3.6.1.5.5.7.3.1)
After you receive an updated certificate with the correct usage fields listed, replace the certificate on your NetScaler Gateway server using the MMC Certificates snap-in.
The following is an example of installing a private root certificate.
Problem Cause
SSL Error 61 can occur when the server certificate is not compliant with the instructions in RFC 3280 regarding the Enhanced Key Usage field. According to section 4.2.1.13 of the RFC (Extended Key Usage), if the Extended Key Usage field exists in a certificate, the certificate must be used only for one or more purposes enumerated as values in that field. The relevant portion of RFC 3280 states:
"If the extension is present, the certificate MUST only be used for one of the purposes indicated. If multiple purposes are indicated, the application need not recognize all purposes indicated, as long as the intended purpose is present."
NetScaler Gateway acts as an SSL server, so Server Authentication (1.3.6.1.5.5.7.3.1) must be listed among the designated key uses if any are present. If the Extended Key Usage field is not present in the certificate, the certificate might be considered valid.
Some certificate authorities erroneously issue certificates that contain only the following key usage extensions that indicate support for Server-Gated Cryptography (SGC):
- Unknown Key Usage (2.16.840.1.113730.4.1)
- Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)
These extensions are intended as a signal to Netscape and Internet Explorer web browsers that they should negotiate 128-bit encryption regardless of the normal capabilities of the client. They have no effect on the ICA client. When these two values are the only items listed in the Enhanced Key Usage field, the certificate is in violation of RFC 3280 and should be rejected by SSL clients seeking server authentication.
Note: Not all SGC compliant certificates are missing the Server Authentication value and not all invalid certificates are SGC compliant.
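The Enhanced Key Usage rule described above can be checked before a certificate is deployed. The following is an added example, not Citrix code: it decodes the DER value of a certificate's Extended Key Usage extension (extension OID 2.5.29.37) and classifies it. The function names and verdict labels are hypothetical, and the sample byte strings are constructed by hand rather than taken from a real certificate.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
SGC_ONLY_OIDS = {"2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3"}

def read_tlv(buf, pos, want_tag):
    """Read one DER TLV of the expected tag at pos; return (value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want_tag or pos + length > len(buf):
        raise ValueError("unexpected tag or truncated DER")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last octet of this arc
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)          # first value packs arc1*40 + arc2
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(ext_value):
    """List the purposes in an EKU extension value (DER SEQUENCE OF OID)."""
    seq, _ = read_tlv(ext_value, 0, 0x30)      # SEQUENCE
    oids, pos = [], 0
    while pos < len(seq):
        body, pos = read_tlv(seq, pos, 0x06)   # OBJECT IDENTIFIER
        oids.append(decode_oid(body))
    return oids

def server_auth_verdict(ext_value):
    """Classify an EKU value; ext_value is None when the extension is absent."""
    if ext_value is None:
        return "ok-no-eku"                 # no EKU field: might be considered valid
    oids = set(eku_oids(ext_value))
    if SERVER_AUTH in oids:
        return "ok"
    return "sgc-only" if oids and oids <= SGC_ONLY_OIDS else "missing-server-auth"

# Constructed sample EKU values (hand-encoded DER, not from a real certificate)
SGC_ONLY = bytes.fromhex("301706096086480186f8420401060a2b0601040182370a0303")
WITH_SERVER_AUTH = bytes.fromhex("302106082b06010505070301" + SGC_ONLY.hex()[4:])
```

A verdict of "sgc-only" or "missing-server-auth" corresponds to the certificates that SSL clients seeking server authentication should reject.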
Additional Resources
- Microsoft TechNet - Configure Trusted Roots and Disallowed Certificates
- Microsoft TechNet - Error Message: This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust
- CTX128539 - How to Link an Intermediate Certificate to the Server Certificate in NetScaler/NetScaler Gateway
- Citrix Discussions - SSL Error 61
- Citrix Discussions - Citrix ICA Client: SSL Error 61: You have not chosen to trust "VeriSign", the issuer to the server's security certificate