UPDATE 09/02/2010:
If you have mozilla installed on your system, then you already have all the CA certs you need.
The trick is to tell ICA Client where they are. It looks for the certs in:
/usr/lib/ICAClient/keystore/cacerts
On my Ubuntu 9.10 system, the mozilla certs are in:
/usr/share/ca-certificates/mozilla/
My quick solution (making a backup of whatever you change first) was to simply point the ICA certs dir at the mozilla one and my citrix client started working immediately:
mv /usr/lib/ICAClient/keystore/cacerts /usr/lib/ICAClient/keystore/cacerts_old cp /usr/lib/ICAClient/keystore/cacerts_old/* /usr/share/ca-certificates/mozilla/ ln -s /usr/share/ca-certificates/mozilla /usr/lib/ICAClient/keystore/cacerts
UPDATE 22/05/2009: Version 0.2 of my script is now up (see below), Thawte changed the subdirectory structure of their certificate zip file, the script now handles this and the documentation below has been updated to reflect the root certifictae zip file changes. I can also confirm that this fix works on Ubuntu 9.04 Jaunty Jackalope.
—
This issue has bugged me for a while. I use citrix to access my employer’s corporate network as part of my job. As a Ubuntu Linux user, it’s not currently easy to get citrix working out of the box, even with the new Ubuntu 8.10 release – Intrepid Ibex.
My main problem is the package provided by Citrix requires extra steps to get it working, specifically adding a root certificate to a certain directory so that you can avoid this error:
You have chosen not to trust "Thawte Premium Server CA",
the issuer of the server's security certificate (SSL error 61).
So getting the client software and installing it is fairly simple. But many people have run into this SSL error 61. The fix for this is to get the certificate file and put it in the right directory for the citrix client to find when you log onto citrix and run your citrix apps.
I’ve created a very simple bash script to perform this task. You can download it here:
http://geekpete.com/blog/code/fix_citrix_cert_v0.2.sh
Otherwise, these are the steps you can perform manually that I’ve found this to work with Ubuntu 8.10.
- Download https://www.verisign.com/support/thawte-roots.zip
- Extract ThawtePremiumServerCA.cer from the “Thawte SSLWeb Server Roots” directory inside the zip.
- Copy the cert file to /usr/lib/ICAClient/keystore/cacerts and make sure you rename it to .crt
Note: If you install the citrix client as your local user (rather than installing as root) then your certs directory will be /home/yourusername/ICAClient/linuxx86/keystore/cacerts so your ThawtePremiumServerCA.crt should go there instead.
What the linux community needs is the ability to package and redistribute the client themselves, such as Ubuntu packaging up a .deb (including build in install script to fetch the CA root cert from Thawte during install, or just including the cert in the package). There doesn’t appear to be any documentation on restrictions of redistributing the citrix client on the citrix site, but I did find this:
http://forums.citrix.com/thread.jspa?threadID=92623&tstart=0
Efforts to get the citrix client into the Ubuntu repositories:
https://blueprints.launchpad.net/ubuntu/+spec/citrix-client-multiverse
And here’s a pretty good install guide for citrix clien on Ubuntut:
http://ubuntuguide.org/wiki/Ubuntu:Feisty/CommercialApplications#How_to_Install_Citrix_ICAClient_10
Anyway, I hope my script has helped someone out there to get citrix working, let me know if it helped you.
-Pete.

Pingback: Citrix Receiver SSL Error 61 on Ubuntu linux | Icenlemon.co.uk Blog
Pingback: Demo Video How to Add Certificates to Citrix Linux Client (plugin) for XenApp - cliff davies cliff davies
Word. Thanks for writing this up. It’s the little things that linux admins do and document that may seem small, but they really make the day of someone else and prevent tons of head-banging-against-walls!
I tried your method but I am not following. Im not extremely computer advanced but I know more than most. Can you please explain in lamens terms. This problem is bugging me the hell out and I need to fix it so I can work from my home office.
Thanks!
Tha main problem is that the ca-certificates folder is no longer in /usr/share
What Linux distro do you have?
I have Fedora 15.
since upgrading to firefox 5.0 on linux (ubuntu 10.10) i was getting the “SSL Error 61″ too when trying to initiate a citrix session. using the above “mv …”, “cp …”, “ln …” commands resolved the issue for me. many thanks!
Geek,
Kudos
It worked ! It worked !
Thanks you so much !
–
Thanks – just the info I needed. However, I’m running Gentoo and the ICAClient dir was this in stead: /opt/ICAClient/keystore/cacerts
On Gentoo using the latest net-misc/icaclient-12.0.0 the dir is now /opt/Citrix/ICAClient/keystore/cacerts
This works in openSUSE 12.1 Thanks a ton.
Worked like a charm
thx, just had to point it to the right direction since i installed as local, here is the adapted version (note : XXX = your username, so you’l have to replace that
)
mv /home/XXX/ICAClient/linuxx86/keystore/cacerts /home/XXX/ICAClient/linuxx86/keystore/cacerts_old
cp /home/XXX/ICAClient/linuxx86/keystore/cacerts_old/* /usr/share/ca-certificates/mozilla/
ln -s /usr/share/ca-certificates/mozilla /home/XXX/ICAClient/linuxx86/keystore/cacerts
Worked perfectly, some paths are different like Citrix defaultly being installed in /opt/Citrix but essentially its all the samen,
Many Thanks
This worked for me:
sudo mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts_old
sudo cp /opt/Citrix/ICAClient/keystore/cacerts_old/* /usr/share/ca-certificates/mozilla/
sudo ln -s /usr/share/ca-certificates/mozilla /opt/Citrix/ICAClient/keystore/cacerts
THANX! worked for me w Kubuntu 11.10 and firefox 9.0.1. thank you so much!
Thanks Ekhaat so much for this tip, worked perfectly for Ubuntu 11.10
Hey that’s a great tip, just to extend the path for Linux Ubuntu 10.11 at 64 bits, is
/opt/Citrix/ICAClient/keystore/cacerts
With the same instructions that you provided above works wonderfully
I am experiencing this with pinguyos 11.04, It worked great until about 2 weeks ago. I tried your .sh script and it did not help me. when I try to export to /usr/lib/ICAClient/keystore/cacerts/VeriSignClass3PublicPrimaryCertificationAuthority-G5.crt I get access denied this is the key that goes 61 on me.
Oh man, thank you thank you! You are a godsend!
Yes as someone noted for Ubunto 11.10 Citrix automatically installs in /opt/Citrix instead. How did you figure this mess out?
Great advice on this page…
Your move and copy commands helped me out a treat, but only after I saw the comments about the change in path name to: /opt/Citrix/ICAClient/keystore/cacerts as when I ran the .deb package via pakage installer, it used this location, not the original that is specified on every other page I could find on this issue!
Thanks for helping out a linux amateur!
*Ubuntu 11.10 on Acer Aspire One ZG5*
Thx!
Worked fine for me, on Debian
However, now I encounter SSL error 26 – keystore cannot be opened -any idea of what can I do here?
thanks again for the help.
heytan: check your permissions by trying to cd into the cacerts directory as your normal user.
The installer script from Citrix installs in the user’s home folder (~/ICAClient/linuxx86/keystore/cacerts for the certs). I did not run the installer as root, so that may have something to do with it.
Thanks for the tip, it helped a lot, now I can stay in Linux Mint and won’t have to boot back into MacOS!
linux mint 12 and citrix receiver 3. This one worked a treat.
sudo mv /opt/Citrix/ICAClient/keystore/cacerts /opt/Citrix/ICAClient/keystore/cacerts_old
sudo cp /opt/Citrix/ICAClient/keystore/cacerts_old/* /usr/share/ca-certificates/mozilla/
sudo ln -s /usr/share/ca-certificates/mozilla /opt/Citrix/ICAClient/keystore/cacerts
this also works on 12.04 Beta.
thanks to all