Citrix Error 61 ("not chosen to trust"): All files and certificates seem to be correct

I am getting SSL Error 61 ("You have not chosen to trust … ") when running appications on my company’s Citrix server using Firefox on OpenSUSE 13.1, with two different computers. In one, the Citrix client application is in /usr/lib/ICAClient/. In the other, it is in /opt/Citrix/ICAClient/, but with a symbolic link from /usr/lib/ICAClient/. Details and checks done are below.

  • The certificates are in /usr/share/pki/trust/, to which I have created a symbolic link from /usr/share/ca-certificates/mozilla/. These include the one that the error message claims not to be trusted (Verisign Class 3 G5)
  • In Edit → Preferences → Advanced → Certificates → View Certificates, the one I want is listed, and looks correct. All three “Trust settings” are ticked.
  • The directory …/ICAClient/keystore/cacerts/ contains symbolic links to all the certificates in /usr/share/ca-certificates/mozilla/.
  • The server validates according to
  • The applications run under Windows.
  • They used to run under OpenSUSE 12.3. They did not initially, but did after I ensured there were links to the certificates in the correct places. The same procedure did not work under OpenSUSE 13.1.

So is there anything else I need to check and correct to make it work? Or is it a problem with the server? If so, then what do I need to tell my company’s IT servicedesk to do (I have no admin access to the server)?



Could you please post the complete error.

If you are getting a certificate related error then you need to download that certificate and copy that to cacerts directory in /opt/Citrix/ICAClient/keystore/cacerts and run update-ca-certificates and reboot.

Here it is:

SSL Error

Contact your help desk with the following information:
You have not chosen to trust “Verisign Class 3 Public Primary Certification Authority - G5”, the issuer of the server’s security certificate (SSL error 61).

There is VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem in /opt/Citrix/ICAClient/keystore/cacerts, so the certificate is definitely there. I have run update-ca-certificates and rebooted, still getting the same error.
I don’t know how relevant this is, but I got the following error message when running update-ca-certificates:

alex@tosh:~> sudo /usr/sbin/update-ca-certificates 
root's password:
p11-kit: invalid basic constraints certificate extension
p11-kit: 'node != NULL' not true at lookup_extension

A while ago I hade a similar error, maby the same, can’t remember. I had to convert from one type (.pem certs) of certs to the other (.crt certs) and used this code to convert (place yourself in right folder (/usr/share/ca-certificates/mozilla/). My Citrix is 12.1.0

for file in *.pem ; do openssl x509 -outform der -in "$file" -out "$(echo "$file" | sed 's/\.pem/\.crt/')" ; done

That solved it for me that time.

Thanks, that worked for me as well, although I also had to symlink them from the /opt/Citrix/ICAClient/keystore/cacerts directory

cd /opt/Citrix/ICAClient/keystore/cacerts
for a in `ls /usr/share/ca-certificates/mozilla/*.crt`; do ln -s $a ; done