# Citrix - certificate problem

## kekbarna

Hi,

I use a Citrix based application on Windows XP what I also would like to run on my Sabayon/Gentoo box.

I have an up-to-date Sabayon x86-64 install. The Citrix ICA client v9.0 install went well. I've downloaded the newest rpm package and emerge did the rest.

When I installed the app on the XP box, I had to install the citrix client and a root certificate. I've also installed this certificate (root-cert-advanceonline.cer) on the linux box:

1. installed to KDE: using krusader, select the file, F3, import

2. copied the certificate file to /opt/ICAClient/keystore/cacerts

After login to the website of the remote appl. using Firefox, when clicking on the icon which launches the citrix client, I got the following error message from the client:

---

Citrix ICA Client Error

You have not chosen to trust "/C=US/ST=/L=/0=Equifax/OU=Equifax Secure Certificate Authority/CN", the issuer of the server's security certificate.

---

I could not get further from this point.

What the linux built-in viewer displays about the certificate:

--------------------

Subject: AdvanceOnline

Issued by: AdvanceOnline

File: /opt/ICAClient/keystore/cacerts/root-cert-advanceonline.crt

File format: PEM or DER Encoded X.509

State: The certificate is valid

Valid from: Wednesday 29 March 2006 ...

Valid until: Tuesday 29 March 2011 ...

--------------------

What Opera says about this:

--------------------

pdono.advance.se

AdvanceOnline

Services

Goteborg

VG, SE

Issuer

AdvanceOnline

Connection : TLS v1.0 128 bit ARC4 (RSA/MD5)

The certificate for "pdono.advance.se" is signed by the unknown Certificate Authority "AdvanceOnline". It is not possible to verify that this is a valid certificate

...

So the issuer (the Certificate Authority) is AdvanceOnline, so why do I get error message regarding to the "Equifax Secure Certificate Authority"??

Please someone help me.

----------

## bma51

This post is really old, but here is the solution...

On Linux / Mac computers Citrix does not use the OS to store the certificates.  Instead, it maintains them itself in the following directory:

```
/usr/lib/ICAClient/keystore/cacert
```

All you need to do to trust a Citrix site's certificate is to download it, copy it to this folder and make sure it has a .crt extension.

----------

## BonezTheGoon

I realize this thread is now even older, but I am suddenly impacted by this and I don't know where to get the certificate from.  Any insight available?  It would appear the corporation that houses the Citrix MetaFrame server I am connecting to recently changed certificate providers and so I am left trying to figure this out locally.  Prior to the change the client worked fine, I am just trying to adjust to the remote changes that I cannot control.

Thanks!

Oh I already looked at this thread and tried the documented fix there with no change on my end.

----------

## BonezTheGoon

This is how I fixed mine just now.

cp -R /usr/share/ca-certificates/mozilla/* /opt/ICAClient/keystore/cacerts/

Hope that might help someone some day!

----------

## Art Vandalay

 *BonezTheGoon wrote:*   

> This is how I fixed mine just now.
> 
> cp -R /usr/share/ca-certificates/mozilla/* /opt/ICAClient/keystore/cacerts/
> 
> Hope that might help someone some day!

 

well it has....finally got the icaclient to work natively in linux.

now i can connect to work without having to go through an xp vm in vmware-workstation

thanks, you've made my day   :Very Happy: 

----------

## madal

Just in case anyone is having problems with the new ICAClient-12.0 package (as I was), they moved the location of the certificates. They are now in:

```
/opt/Citrix/ICAClient/keystore/cacerts
```

This should now be the destination for your certificates.

Hope this helps.

Madal

----------

## FreakNigh

I got the net-misc/icaclient-12.0.0 working on amd64 with firefox by doing a

nspluginwrapper -i /usr/lib32/nsbrowser/plugins/npica.so

and

cp Downloads/*.crt /opt/Citrix/ICAClient/keystore/cacert/

(as root in my main users home folder where I had downloaded the crt files to the Downloads folder)

----------

