08-27-2009 05:24 AM
SSL Error 61: You have not chosen to trust "/C=US/ST=/L=/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/CN=", the issuer of the server's security certificate.
Internet Explorer on these clients also shows this warning when entering the web site:
The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.
Everything works fine on regular PCs with Windows XP/Vista/7.
Now the difference between the new certificate and the old one is that the intermediate certificate is "Class 3 Public Primary Certification Authority" (not G2).
The T5520 thin client we're using for testing is running Internet Explorer 6.0 build 44 (latest from HP) and Citrix ICA client 10.08 build 103, and system image 5.04.595.9 from HP (latest from HP).
We had to install the root certificate combined with the intermediate certificate in the clients to make things work. This is strange because the root certificate is already installed in the device, and installing just the root certificate makes no difference.
Is the bug in the client/WinCE OS or is there a configuration problem in the web server/Citrix Secure Gateway?
08-28-2009 11:49 AM
The local IE on the thin client only checks its SSL trust path with the certificates loaded in the *local* store. PCs have a much more transparent certificate experience, mainly because (a) XP/Vista/7 automatically update root certificates by default, and (b) domain-member PCs often have all the certs they need published in AD as another source. In the CE world, you need to load every certificate in the trust chain so the OS can trace the path all the way back. Just having the root-level certificate doesn't help you, because by not having the intermediate one loaded in the store, you don't "trust" it. From the OS perspective, IE can't verify that your Citrix server's cert was issued by the intermediate CA. With that cert loaded, IE will see that your server cert was issued by the intermediate, which in turn was issued by the primary root at VeriSign.
Go look at the cert issued to your Citrix server on a PC in the Certificates snap-in. The "Certification Path" tab will show you which certs you need to export and place on the CE device...you need the whole chain.
08-28-2009 12:03 PM
1) Some sites (such as http://www.whichssl.com/intermediate_certificates.
2) You have to import the root+intermediate certificate chain on the thin client - it won't help to just import the intermediate certificate. (At least MSIE on Windows CE requires the root+intermediate chain - but the ICA client works fine with just the intermediate imported.)
Personally I think it's a Windows CE bug/limitation...
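To make the point in the two answers above concrete (the OS can only build the trust path from certificates it actually holds, so the root alone does not validate a server certificate issued by an intermediate), here is an added example that is not from the original thread or from HP/Citrix. It uses OpenSSL to mint a throwaway root, intermediate and server certificate and then runs `openssl verify` against three different "stores". Like the Windows CE store described in the thread, `openssl verify` uses only the certificates it is handed and never goes looking for a missing intermediate. The organisation names, the hostname csg.example.test, the key sizes and the validity periods are made up for the demo; this shows the chain-building logic, not the CE certificate store itself.

```shell
#!/bin/sh
# Added example: build a root -> intermediate -> server chain with OpenSSL and
# verify the server certificate against different trust bundles. All names,
# the hostname csg.example.test and the key sizes are invented for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# One config file for every openssl req / x509 call, so the demo does not
# depend on the system openssl.cnf being present.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:csg.example.test
EOF

# Self-signed root CA (the kind of certificate a device ships with).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=Example Lab/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/O=Example Lab/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.cnf -extensions v3_inter -out inter.pem 2>/dev/null

# Server certificate (think of the Citrix gateway's), signed by the intermediate.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/O=Example Lab/CN=csg.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile ca.cnf -extensions v3_server -out server.pem 2>/dev/null

# The "root + intermediate" bundle the thread says had to be installed.
cat root.pem inter.pem > root_plus_inter.pem

# openssl verify only uses the certificates it is given; it never fetches a
# missing intermediate. Returns 0 when server.pem chains to a root in bundle $1.
verify_with_store() {
  openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
}

# Root only in the store: the issuer of server.pem cannot be found, so the
# path stops one hop short of the root and verification fails.
verify_root_only() { verify_with_store root.pem; }

# Root plus intermediate in the store: the whole path can be traced.
verify_root_plus_inter() { verify_with_store root_plus_inter.pem; }

# Only the root trusted, but the intermediate supplied as an *untrusted* chain
# certificate, the way a correctly configured TLS server sends it in the
# handshake. Path building succeeds without the intermediate being in the store.
verify_root_with_sent_inter() {
  openssl verify -CAfile root.pem -untrusted inter.pem server.pem >/dev/null 2>&1
}

if verify_root_only; then echo "root only:            OK (unexpected)"; else echo "root only:            FAIL"; fi
if verify_root_plus_inter; then echo "root + intermediate:  OK"; fi
if verify_root_with_sent_inter; then echo "root + sent inter:    OK"; fi
# Show the actual error text for the failing case.
openssl verify -CAfile root.pem server.pem 2>&1 || true
```

The first case reproduces the thread's symptom: with only the root in the store, `openssl verify` reports that it cannot find the local issuer of the server certificate. Installing the root+intermediate bundle fixes it, exactly as the second and third posts describe. The `-untrusted` case is the other way a client can complete the path: the server sends the intermediate during the handshake. The thread does not say whether the Secure Gateway was configured to send its intermediate, so on the device itself the safe fix remains the one given above: export every certificate shown on the "Certification Path" tab and load the whole chain.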