Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How do i "re-trust" the SSL certificate sent from a server I previously marked as untrusted?

  • 4 ŋuɖoɖowo
  • 4 masɔmasɔ sia le wosi
  • 1 view
  • Nuɖoɖo mlɔetɔ GregShaw

more options

I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)"

I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Clas 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer.

I get the same fault with Firefox 3.6.23 on Ubuntu 10.04.

(I'd rather not tell everyone here the URL of my company's remote access website)

I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)" I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Clas 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer. I get the same fault with Firefox 3.6.23 on Ubuntu 10.04. (I'd rather not tell everyone here the URL of my company's remote access website)

All Replies (4)

more options

Is that certificate listed on the Servers tab in the Certificate Manager?

  • Edit > Preferences > Advanced : Encryption: Certificates - View Certificates

In that case you can click the Edit button.

cor-el trɔe

more options

Thanks for the swift reply, cor-el - unfortunately, no joy with this approach.

A. As my named user (called "greg", surprise, surprise, no secret there...) Run Firefox; select Edit > Preferences > Advanced : Encryption:

Here I get no option for Certificates, but I do get View Certificates - then tabs for:

- Servers, under which my company's remote logon URL is listed - Edit button is grey
- Authorities, under which the Verisign...G5 entry may be edited; 3 options:
        1. may identify websites (ticked)
        2. may identify mail users (unticked)
        3. may identify software makers (ticked)
  I ticked 2, tried again - same failure. Unticked it.

B. As root. Run Firefox; select Edit > Preferences > Advanced : Encryption:

Here I get no option for Certificates, but I do get View Certificates - then tabs for:

- Servers, under which my company's remote logon URL is NOT listed
- Authorities, under which the Verisign...G5 entry may be edited; 3 options:
        1. may identify websites (ticked)
        2. may identify mail users (unticked)
        3. may identify software makers (unticked)
  I ticked 2 and 3, tried again - same failure. Unticked them.

Maybe a solution would be, in some way, to add my company's remote logon URL to the list of Servers while running Firefox as root. The Export and Import buttons may help here. However, when I first declined their certificate I was running Firefox as greg, not as root, so I am a bit suspicious there - what can be done as greg should be undoable as greg.

This is doing my head in. Maybe it's time to step back and think a bit. Maybe try Citrix's online help (already spent a fair amount of time there with no joy either).

So, thanks again for the reply - I've generally tried to provide a good list of what's up, and your reply has given me food for thought. OK, I'll keep trying.

more options

If the problem is with Citrix then you need to install that certificate in the Citrix database.

more options

Thanks, cor-el. I had a look around the Citrix support site, and it seems mostly geared towards Windows users (fair enough, I suppose). Eventually I found a solution on the Ubuntu website which helped:

https://help.ubuntu.com/community/CitrixXenAppPlugin

I didn't follow the procedure to download the certificate, as I had already found it (as mentioned in OP), in /usr/share/ca-certificates/mozilla when looking for any *.crt on the system.

I did make use of the technique for telling where Citrix ICA Client expects to find its certificates, by looking for the wfica executable then following downwards through the filesystem - mine were in /opt/Citrix/ICAClient/keystore/cacerts.

Copy the Verisign certificates from the /usr/... directory to the /opt/Citrix/... directory.

Stop/start Firefox, try logging on to the work website - you see data being downloaded, and the Citrix client works fine.