certificate issues with Windows CE clients
Oskar Liljeblad_
Registered: 08-27-2009
Message 1 of 3

We recently renewed our VeriSign certificate, and now HP T55x0 (T5510, T5520, T5530, T5540?) thin clients with Windows CE can no longer log on through Citrix Secure Gateway. The error they receive is:

SSL Error 61: You have not chosen to trust "/C=US/ST=/L=/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/CN=", the issuer of the server's security certificate.

Internet Explorer on these clients also shows this warning when entering the web site:

The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.

Everything works fine on regular PCs with Windows XP/Vista/7.
Now the difference between the new certificate and the old one is that the intermediate certificate is "Class 3 Public Primary Certification Authority" (not G2).

The T5520 thin client we're using for testing is running Internet Explorer 6.0 build 44 (latest from HP) and Citrix ICA client 10.08 build 103, and system image 5.04.595.9 from HP (latest from HP).

We had to install the root certificate combined with the intermediate certificate in the clients to make things work. This is strange because the root certificate is already installed in the device, and installing just the root certificate makes no difference.

Is the bug in the client/WinCE OS or is there a configuration problem in the web server/Citrix Secure Gateway?

Oskar Liljeblad

Eric Torbenson
Registered: 06-24-2003
Message 2 of 3

Certificates are funny things, and it's hard to believe that a tiny little 2K string of numbers can cause so many problems!

The local IE on the thin client only checks its SSL trust path with the certificates loaded in the *local* store. PCs have a much more transparent certificate experience, mainly because (a) XP/Vista/7 automatically update root certificates by default, and (b) domain-member PCs often have all the certs they need published in AD as another source. In the CE world, you need to load every certificate in the trust chain so the OS can trace the path all the way back. Just having the root-level certificate doesn't help you, because by not having the intermediate one loaded in the store, you don't "trust" it. From the OS perspective, IE can't verify that your Citrix server's cert was issued by the intermediate CA. With that cert loaded, IE will see that your server cert was issued by the intermediate, which in turn was issued by the primary root at VeriSign.

Go look at the cert issued to your Citrix server on a PC in the Certificates snap-in. The "Certification Path" tab will show you which certs you need to export and place on the CE device...you need the whole chain.

Oskar Liljeblad_
Message 3 of 3

Ok, but there are two funny things:

1) Some sites (such as http://www.whichssl.com/intermediate_certificates.html) claim that "All web browsers developed after Internet Explorer 3 and Netscape 3 use SSL version 3 as standard" and as such should support intermediate certificates. But there really seem to be problems with intermediate certificates, at least on Windows CE.

2) You have to import the root+intermediate certificate chain on the thin client - it won't help to just import the intermediate certificate. (At least MSIE on Windows CE requires the root+intermediate chain - but the ICA client works fine with just the intermediate imported.)

Personally I think it's a Windows CE bug/limitation...
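
The chain-building behaviour discussed in this thread can be reproduced offline with OpenSSL; this is an added example, not code from any poster, HP or Citrix. It builds a constructed root -> intermediate -> server chain (the `demo-*` names and file names are made up) and uses `openssl verify` as a stand-in for the client's chain builder, with `-CAfile` playing the role of the local certificate store. The `-partial_chain` case is only an analogy for a client that accepts an imported intermediate as a trust anchor; the thread does not say how the ICA client builds chains.

```bash
#!/bin/sh
# Added example. Constructed demo PKI (root -> intermediate -> server); all
# names and files are made up and only live in a temporary directory.
make_chain() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter server; do            # one key + CSR per certificate
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
        -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    # self-signed root; intermediate signed by root; server signed by intermediate
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -out server.pem 2>/dev/null &&
    cat root.pem inter.pem > root_plus_inter.pem )
}

# chain_ok DIR STORE [openssl verify options]: exit 0 if server.pem verifies
# when STORE is the only set of certificates the client trusts.
chain_ok() {
  ( cd "$1" || exit 1; store=$2; shift 2
    openssl verify -CAfile "$store" "$@" server.pem >/dev/null 2>&1 )
}

show() {  # label, then chain_ok arguments
  label=$1; shift
  if chain_ok "$@"; then echo "$label: trusted"; else echo "$label: NOT trusted"; fi
}

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  show "root only in store"                    "$d" root.pem
  show "root + intermediate in store"          "$d" root_plus_inter.pem
  show "intermediate only, full chain needed"  "$d" inter.pem
  show "intermediate only, partial chain ok"   "$d" inter.pem -partial_chain
  # -untrusted supplies the intermediate as untrusted input, the way a peer can
  # present it alongside its own certificate; trust still ends at the root.
  show "root only, intermediate sent by peer"  "$d" root.pem -untrusted inter.pem
  rm -rf "$d"
}
demo
```

The first and third cases fail and the other three succeed, which matches the reported symptoms: a root alone cannot anchor the server certificate unless the intermediate is available from somewhere, and an intermediate alone is only enough for a verifier willing to stop at a non-root anchor.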