Tuesday, April 14, 2015

Android and Apple devices are presented with an “Invalid Server Certificate” warning and are unable to launch applications published through a NetScaler VPX

Problem

You have successfully published a Citrix Receiver rule on the NetScaler and confirmed that a Windows PC can access Citrix published applications with Citrix Receiver, but you notice that Android and Apple devices are presented with the following warning while logging on:

Invalid Server Certificate

This server certificate is not trusted.

Do you wish to accept this certificate and connect to the server anyway?

Contact your help desk if you are unsure.

… and although they can continue the login process by tapping the Accept button, they are presented with the following error when attempting to launch applications:

Cannot validate SSL certificate

Cannot verify this server’s certificate.

Solution

Devices such as Androids and iPads present this error because they cannot verify the certificate chain of the certificate the NetScaler presents.  Devices other than traditional Windows PCs do not have the trusted certificate chains installed by default, and while it is possible to install the certificates onto the devices themselves, that solution is not practical in any environment with more than a few devices to manage.  The way to address this issue is to install the trusted chain of Root and Intermediate issuing CA certificates onto the NetScaler and then link it to the certificate used by the NetScaler to secure traffic, so that the NetScaler sends the full chain to the client instead of the server certificate alone.

Begin by using a browser to navigate to the Citrix portal and open the certificate properties:

Note that the Issued by field indicates this certificate was issued by the certificate authority QuoVadis Global SSL ICA G2.  Proceed to the Certification Path tab to display the full certificate issuing chain:

As shown in the Certification path, the certificate chain is comprised of the QuoVadis Root CA 2 root CA, which issues the QuoVadis Global SSL ICA G2 intermediate CA, which in turn issues the server certificate that the NetScaler uses to secure traffic to the server.  The two certificates we need to download are the QuoVadis Root CA 2 root CA and the QuoVadis Global SSL ICA G2 intermediate CA that it issues.
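The quickest way to confirm what the NetScaler is actually sending is to look at the chain from the client's side. As an added example (not part of the original post), the following POSIX shell script reads a transcript captured with `openssl s_client -connect <your-portal>:443 -showcerts </dev/null` and reports whether the intermediate is present. The two transcripts embedded below are constructed samples with the PEM bodies left out: one shows the broken state in which only the server certificate is sent, the other shows the chain after the intermediate has been linked. Only the `s:` (subject) and `i:` (issuer) lines are parsed, so older OpenSSL builds that print names as `/C=BM/O=...` work as well.

```shell
#!/bin/sh
# Added example, not code from the original post. It reads a captured
# "openssl s_client -showcerts" transcript and reports whether the server
# sends a contiguous chain or only its own certificate. s_client prints
# " N s:<subject>" and "   i:<issuer>" before each PEM block; only those
# two lines per certificate are parsed, so the PEM bodies are never read.

# subject_of FILE N / issuer_of FILE N: name lines of the Nth (1-based) cert
subject_of() { sed -n 's/^ *[0-9][0-9]* s:\(.*\)$/\1/p' "$1" | sed -n "${2}p"; }
issuer_of()  { sed -n 's/^ *i:\(.*\)$/\1/p' "$1" | sed -n "${2}p"; }

# chain_check FILE
#   0: chain is contiguous; prints the trust anchor the client must hold
#   1: only a non-self-signed server certificate was sent (the symptom above)
#   2: no chain found, or a certificate is not issued by the next one sent
chain_check() {
    file="$1"
    total=$(grep -c '^ *[0-9][0-9]* s:' "$file" || true)
    if [ "$total" -eq 0 ]; then
        echo "no certificate chain found in $file"
        return 2
    fi
    if [ "$total" -eq 1 ] && [ "$(subject_of "$file" 1)" != "$(issuer_of "$file" 1)" ]; then
        echo "only the server certificate was sent; clients must already hold:"
        echo "  $(issuer_of "$file" 1)"
        echo "if that is an intermediate CA, install it and link it on the NetScaler"
        return 1
    fi
    i=1
    while [ "$i" -lt "$total" ]; do
        next=$((i + 1))
        if [ "$(issuer_of "$file" "$i")" != "$(subject_of "$file" "$next")" ]; then
            echo "gap: certificate $((i - 1)) is issued by '$(issuer_of "$file" "$i")'"
            echo "     but certificate $i is '$(subject_of "$file" "$next")'"
            return 2
        fi
        i=$next
    done
    echo "chain of $total certificate(s) is contiguous; client must trust:"
    echo "  $(issuer_of "$file" "$total")"
    return 0
}

# Constructed sample A: the broken state described in the post
BROKEN=$(mktemp)
cat >"$BROKEN" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = citrix.example.com
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
EOF

# Constructed sample B: after the intermediate is linked on the NetScaler
LINKED=$(mktemp)
cat >"$LINKED" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = citrix.example.com
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
EOF
trap 'rm -f "$BROKEN" "$LINKED"' EXIT

for capture in "$BROKEN" "$LINKED"; do
    chain_check "$capture" || echo "(exit status $?)"
done
```

Run it against a real capture with `chain_check capture.txt`. An exit status of 1 is exactly the situation this post describes: the NetScaler offers only the server certificate, so a device that does not already hold the QuoVadis Global SSL ICA G2 intermediate cannot build a path to the root. After the certificates are linked as shown below, the same capture should list the intermediate at position 1 and the script reports the root as the only certificate the client needs to trust. If you prefer the NetScaler CLI to the GUI steps that follow, the equivalent commands are `add ssl certKey <name> -cert <file> -inform PEM` for each CA certificate and `link ssl certKey <certkey> <issuer-certkey>` for each link.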

Performing a quick search on Google returns the following URL, which includes links to download either the DER or the PEM of the certificates:

https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL/InstallingSSL.aspx

Proceed to download the PEM for both the Root and Intermediate certificates by copying the text of each certificate and saving it as a .cer file:

Upload the two certificates to the NetScaler:

Continue and import the certificates:

Fill in the following:

Certificate-Key Pair Name*: <a logical name that makes sense such as QuoVadis-Global-SSL-ICA-G2>

Certificate File Name*: Select the .cer file that was uploaded

Key File Name: Leave Blank

Select PEM format

Password: Leave Blank

The rest should be left as default.

Click on the Install button and you should now see the intermediate certificate installed:

Repeat the same procedure for the Root CA:

With the two certificates installed, the final stage is to link the chain together by right-clicking on the server certificate and selecting Link:

If the correct intermediate issuing CA certificate was uploaded, the NetScaler should automatically detect it and preselect it in the drop-down menu:

With the server certificate linked, proceed and link the intermediate certificate to the root:

With the certificate chain linked, tablet devices such as iPads or Androids should no longer present the certificate warning and will be able to launch published applications:

1 comment:

Anonymous said...

Terence..... thank you for a nicely worded and formatted simple explanation to this issue.