Jump to content


SSL Error 61: You have not chosen to trust the issuer of the server's...

Started by Brad Quade , 18 February 2006 - 04:58 PM
144 replies to this topic

Best Answer Darren Long , 12 December 2011 - 10:07 AM

For Windows machines have a look at:


Contrary to the article download and install the update for Windows XP, Vista and 7:


Brad Quade Members

Brad Quade
  • 3 posts

Posted 18 February 2006 - 04:58 PM

Hello, i'm receiving the following error message when trying to connect to our Citrix server that is running Access Essentials.

"Cannot connect to the Citrix Metaframe server. SSL Error 61: You have not chosen to trust the issuer of the server's security certificate."

This is using the web client so after putting in the https:// web address in IE, I get the main page and am able to login and see my published applications. However when I click any of the apps I get that error.

Stephen Staniszewski Members

Stephen Staniszewski
  • 4 posts

Posted 19 February 2006 - 02:56 AM

Brad, I had the same issue. First, what Root CA are you using? If the root cert is not installed in IE you will receive this error.

I used Microsoft Certificate Server. I used the Certsrv function in Win2003 and downloaded and installed the Cert in IE. Seach the MS support site for installing a cert in IE. This solved my problem.

Please reply if your situation is different.



Brad Quade Members

Brad Quade
  • 3 posts

Posted 19 February 2006 - 07:29 AM

During the Citrix install a .txt file is generated for the certificate. When I tried to import this with Microsoft Certificate Services it was giving me another error saying it didn't contain any template information? So I used the web interface on the Cert. Services server on our network http://servername/certsrv and was able to manually generate the certificate.

Are the users going to have to import this certificate on every client machine they use? I know on our Exchange 2003 webmail server they dont have this issue. They just accept the certificate when accessing the page and everything works fine.

Stephen Staniszewski Members

Stephen Staniszewski
  • 4 posts

Posted 20 February 2006 - 02:02 AM

Brad, I had to install the cert on each machine. I wrote up instructions (Screen shots) and sent them to the users. They were able to install the cert without my assistance.

Let me know if you would like a copy of my instructions.

Good luck,


Brad Quade Members

Brad Quade
  • 3 posts

Posted 21 February 2006 - 05:44 PM

Steve, if you could do that I would appreciate it. You could e-mail them to me at bradq@hasmt.com if you'd like. Thanks!

Jan van Bergen Members

Jan van Bergen
  • 1 posts

Posted 22 February 2006 - 04:53 PM

Stephen could you send me i copy of your instructions to
import the certificate in IE



Administrator Administrators

  • 2 posts

Posted 27 February 2006 - 05:28 PM


Please email that fix as well for SSL error 61. dmolnar@starfishcomputer.com

Administrator Administrators

  • 2 posts

Posted 02 March 2006 - 09:40 AM

The SSL encryption included in the ICA Client prevents the client from connecting to unrecognised servers.

When you create or purchase a "server certificate" for your CAE server, it is cryptographically signed by its "issuer certificate".

If the ICA Client trusts an issuer certificate it will automatically accept any of the server certificates that it has signed.

Most commercially purchased certificates are signed by issuer certificiates that are built in to Windows, and so automatically trusted.

If you generate your own certificates, the issuer (often called the root) certificate must be installed on each client computer so that it is "trusted". This prevents a malicious attacker simply generating a certificate for (e.g.) "shop.citrix.com".

To install a root certificate on Windows, double click on the .crt or .cer file and choose "Install Certificate...". For other ICA platforms, please refer to the relevant Client Administrator guide (usually installation simply involves copying the file to the ICA Client keystore/cacerts directory).

Ivan Ruiz Members

Ivan Ruiz
  • 1 posts

Posted 07 March 2006 - 08:38 AM

Hello Stephen, could you also send me a copy of the instruction (screen shots) ivan.ruiz@acspacific.com



  • #10

  • 4 posts

Posted 07 March 2006 - 11:03 PM

I've got the same problem. I've install Windows CA root entreprise for test onto server win2k3.
It's doesn't work until I save the CA Root onto my gateway, install it and copy to certificat trust autority (local computer) by using \\naeserver\certsrv (you can download form here the CA root), it was import to user certificat so a copy was resolve the problem....I've done the same for my client and it works...

So if it can help you.....


Mohammed Islam Members
  • #11

Mohammed Islam
  • 2 posts

Posted 08 March 2006 - 03:06 PM

jean-marc pigeon,

I did not clearly understand how you solved it at the server side. Can you please detail a little bit more? We are suffering a lot with this new installation the consultants did. Any help would be highly appreciated.



Ron Jameson Members
  • #12

Ron Jameson
  • 50 posts

Posted 29 March 2006 - 11:20 PM

Similar situation here except java client works on SG/WI4 using our office servers Root Cert but when in Firefox 1.5.01 - error after trying to lauch the app says

SSL/TLS - you have not chosen to trust "servername".....

I thought JRE1.5.6 would use the PC's keystore according to all I read. In my WI, I put the rootcert.cer in the java folder, added the name to rootcert.cer to the client deployment but still firefox does not run.

Manually imported the rootcer.cer in firefox - same problem.

I am stumped.


Kenneth Bell Citrix Employees
  • #13

Kenneth Bell
  • 486 posts

Posted 30 March 2006 - 07:17 AM

Hi Ron,

The Windows certificate store and the Firefox one are separate - try installing the certificate into the windows store by double clicking on the cert file on the client.



Ron Jameson Members
  • #14

Ron Jameson
  • 50 posts

Posted 30 March 2006 - 06:46 PM

Ken - I ended up fixing this using keytool by SunJava. For some reason, SunJava 1.5 says it will read the windows keystore - but in my case it obviously was not. So, using the keytool -import command, I manually imported my private CAcert into SunJava and it then worked fine.

It was not firefox causing it but Java itself when using the Citrix Java client. Now, I am passing the keytool command sequence to one of our techs to see if he can automate its deployment via an .exe file for our remote users running on firefox thru WI with Java. There should be a way to determine a PC's sunjava verstion/install folder to be able to pass to the program.


Raimund Gruber Members
  • #15

Raimund Gruber
  • 1 posts

Posted 04 April 2006 - 01:25 PM

this works:

Error: "You have chosen not to trust the "Thawte Premium Server CA" the issuer of the server security certificate.

This affects some Linux users only.
If you have tried to connect to the Windows Citrix environment from a Linux machine, and get the following error message: "You have chosen not to trust the 'Thawte Premium Server CA' the issuer of the server security certificate".

The Thawte Server CA certificate was renewed and upgraded to Premium by the CA vendor for the Citrix MetaFrame servers.

To resolve this do the following: Download ThawteRoot.crt from http://www2.slac.stanford.edu/computing/windows/services/citrix/linux_client.htm and place it under /usr/lib/ICAClient/keystore/cacerts. This will resolve this issue.

Administrator Administrators
  • #16

  • 2 posts

Posted 04 April 2006 - 05:36 PM

The Java Client only reads the Browser keystore when running in Internet Explorer. This is the design of Java Applets.

To view Java's built in root certificates run the Keytool command...

"c:\Program Files\Java\jre1.5.0_06\bin\keytool.exe" -list -keystore "C:\Program Files\Java\jre1.5.0_06\lib\security\cacerts"

To add additional root certificates, run:

C:\perforce\icaclient\src>"c:\Program Files\Java\jre1.5.0_06\bin\keytool.exe" -import -keystore "C:\Program Files\Java\jre1.5.0_06\lib\security\cacerts" -trustcacerts -file <path_to.crt> -alias myrootcertificate

If you are prompted, the default certificate store password is "changeit". This is set by Java at install time. It can be changed by using the -storepasswd option of keytool.

Details for installing root certificates in all ICA Clients is available in the Client Administrator Guides.

Guest Members
  • #17

  • 8 posts

Posted 12 April 2006 - 07:04 PM

Steve - would it be possible to send me those instructions as well? lmason@trane.com
I am having no luck trying to resolve my ssl error 61 issues.

Klas Olsson Members
  • #18

Klas Olsson
  • 1 posts

Posted 16 April 2006 - 06:38 PM

- Please send me á copy off the instructions.

Thanks !


Randy Johnson Members
  • #19

Randy Johnson
  • 1 posts

Posted 23 April 2006 - 10:33 PM

Hi Steve...
Having the same probelem. Could you please send a copy of those instructions to me as well? Thanks.

Jai Philip Members
  • #20

Jai Philip
  • 1 posts

Posted 30 May 2006 - 11:46 AM

Hi Steve,
the same problem here.

could you please mail me acopy of those instructions.