Symptoms
The following error message appears:
“The server certificate received is not trusted (SSL Error 61).”
This error message suggests that the client device does not have the required root certificate to establish trust with the certificate authority who issued the Secure Gateway server certificate. However, you determine the required root certificate is present and downgrading to an earlier version of the ICA Client resolves the issue.
Cause
SSL Error 61 can occur when the server certificate is not compliant with the instructions in RFC 3280 regarding the Enhanced Key Usage field. According to section 4.2.1.13 of the RFC (Extended Key Usage), if the Extended Key Usage field exists in a certificate, the certificate must be used only for one or more purposes enumerated as values in that field. The relevant portion of RFC 3280 states:
“If the extension is present, the certificate MUST only be used for one of the purposes indicated. If multiple purposes are indicated, the application need not recognize all purposes indicated, as long as the intended purpose is present.”
Citrix Secure Gateway acts as an SSL server, so Server Authentication (1.3.6.1.5.5.7.3.1) must be listed among the designated key uses if any are present. If the Extended Key Usage field is not present in the certificate, the certificate may be considered valid.
Some certificate authorities erroneously issue certificates that contain only the following key usage extensions that indicate support for server-gated cryptography (SGC):
Unknown Key Usage (2.16.840.1.113730.4.1)
Unknown Key Usage (1.3.6.1.4.1.311.10.3.3)
These extensions are intended as a signal to Netscape and Internet Explorer Web browsers that they should negotiate 128-bit encryption regardless of the normal capabilities of the client. They have no effect on the ICA Client. When these two values are the only items listed in the Enhanced Key Usage field, the certificate is in violation of RFC 3280 and should be rejected by SSL clients seeking server authentication.
Note: Not all SGC-compliant certificates are missing the Server Authentication value and not all invalid certificates are SGC compliant.
The failure on the part of earlier ICA Clients to reject a certificate of this nature is a security vulnerability that was corrected in Version 7.0 or newer of the ICA Client.
Resolution
If you are an End User and have a System Administrator or Help Desk, you should refer this problem to them directly.
Download or obtain the SSL root certificate .crt/.cer file issued by your SSL certificate provider. Double-click on it, and choose "Install Certificate"’
This process pairs your client machines with the server machine, and is necessary if you do not use a certificate verified by a commercial SSL certificate provider. Most commercial providers arrange to have their certificates pre-installed on machines through an agreement with the operating system creator. (Microsoft, Apple, etc.)
The system administrator may also need to contact the certificate authority who sold the faulty certificate and inform them that your certificate is in violation of RFC 3280. Ask them to issue a new certificate that contains the following key usage value in addition to any other required values:
Server Authentication (1.3.6.1.5.5.7.3.1)
After you receive an updated certificate with the correct usage fields listed, replace the certificate on your Secure Gateway server using the MMC Certificates snap-in.
More Information
Error Message: This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust – http://support.microsoft.com/kb/297681/en-us
This document applies to:
- Secure Gateway 1.x
- Secure Gateway 3.0
- Secure Gateway 3.1
- Secure Gateway 3.2
- Secure Gateway 3.3
- Secure Gateway for MetaFrame 2.0
- XenApp Plug-in for Windows (32/64 Bit)
Source: CTX101990 – The server certificate received is not trusted (SSL Error 61) – Citrix Knowledge Center
