Security Certificate Error Xenapp 7.6 Install

Hello, I am trying to install XenAPP/Desk 7.6 on 2012r2 servers in tandem with our current Xenapp 6.5 farm. We already have a license server on a 2008r2 server. When I am installing the 7.6 DCs I put the license server name in the address box and it told me that the cert was out of date. Others on a Citrix forum helped me to figure out where that was at, so I had a new domain certificate made (not from an intermediate) and I backed up the old one and put the newly made one in place, and now the out of date message is gone, but the message now says....

This certificate is not trusted:  The security certificate "certname" is not suitable for use in SSL connections. Reason: The maximum length of a certificate chain is 10.

I have tried to figure out how to handle this... After googling this for 8 hours and another post on a Citrix forum, I still have not really found anything helpful. Does anyone have any ideas? Thank you.
arosenboom asked:
Brian Murphy (IT Architect) commented:
Well, hopefully I can add some value here.  I handle most of the SSL related stuff for Citrix today.

Problem is there are so many variables.  

See, when you say "Intermediate" that doesn't necessarily mean anything if the certificate was created using Microsoft PKI.  Then, is that an Enterprise PKI or stand-alone?  Regardless, the templates are usually on another server but all you're going for is a "Web Server" from the template perspective because that covers Server use, binds to RDP, works for SQL, or IIS.

But, it must be SERVERNAME.AD.DOMAIN not some random internal DNS zone.  That doesn't mean you cannot use FQDN.  What I'm saying is the CAs in a domain or member of a domain will issue you a SHORTNAME certificate or something other than that, but that is not best practice.

If it is Microsoft PKI then there should already be AD Policies combined with SRV, SPN records that if I do a 'certutil.exe -CA' from command prompt it should automatically pull the CA information.

And much more, CMD prompt, "certutil /?"

That exact error message is seen if you do not open the Certificate MMC console, MMC, Add Snapin, Certificates, Local Machine.

Right at the top, Trusted, expand - You might find an old, expired certificate from a third-party or internal CA that is expired.  Adding a certificate in that scenario does not change the fact that the original hash from the store on every service is still using that certificate hash.

Delete all those entries.  Validate CSR request by using a placeholder INF template and pipe that to your CSR request.  For example:
http://www.entrust.net/knowledge-base/technote.cfm?tn=8649

But, everything changes if you are using a third-party CA like Verisign.

I would need that information.

That error is caused when the complete chain of trust doesn't exist in the Certificate Store or the CER file you imported does not contain that information.  Not to mention the private key.  Regardless, when you request a CSR there is a private key and the 'information'.

Using certutil and other local utilities you can generate the CSR but also bind that CSR and CER with the private key creating a PFX.

That is what is imported otherwise you get that error.

Next, if Verisign (one example) if you generate a 2048 Bit RSA256 request versus a SHA1 request the Root and Intermediate CAs are completely different.

The root might be a C5 and the intermediate for SHA1 a C3 but RSA256 a C4.

You can download all of them from Verisign and import them into the Trusted Root Authority (Root only) and the other section is Intermediate Trusted.

This is a shortcut way if for some reason firewall rules block certificate chain, CRL updates, or check for revocation (forced).

Sounds like all you need is a matching servername with AD domain suffix, the private key from original CSR request, combined into a PFX, imported on that server.

The CSR can be done anywhere.  But if anywhere other than the exact server would require the PFX with private key and full certificate chain in the CORRECT stores.

Those two items cause the certificate error described.

But, I would need to know if they are internal PKI or third-party where you generate a CSR from say IIS and submit that to get your CER file.  When you download only the x509 hash it has no information relative to certificate chain validation.  The other option is to download the bundle but this does not always work.
0
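The store inspection and chain check that the answer above describes (Certificates MMC, Local Machine, look for stale or expired roots, confirm the private key is present and the full chain resolves) can be done from PowerShell. The following is an added example, not code from the thread or from Citrix; `$SubjectName` is a placeholder for the license server's FQDN, and the script only reports, it deletes nothing.

```powershell
# Added example: inspect the server certificate in the Local Machine store and ask
# Windows to build its chain, so a missing private key, a missing intermediate, or an
# untrusted/expired root shows up as a named status instead of a generic dialog.
$SubjectName = 'licsrv.ad.example.local'   # assumption: replace with the license server FQDN

# 1. Pick the newest certificate for that name from the Personal (My) store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $SubjectName found in LocalMachine\My" }

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid       : $($cert.NotBefore) -> $($cert.NotAfter)"
"Private key : $($cert.HasPrivateKey)"    # False means the PFX/private key was never bound
"Thumbprint  : $($cert.Thumbprint)"

# 2. Build the chain the way a relying party would. Revocation is skipped here so a
#    blocked CRL download cannot hide the real chain problem; switch to Online once
#    the chain itself builds cleanly.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

"Chain builds: $built (elements: $($chain.ChainElements.Count))"
foreach ($el in $chain.ChainElements) {
    "  {0}`n      issued by {1}" -f $el.Certificate.Subject, $el.Certificate.Issuer
    foreach ($s in $el.ChainElementStatus) {
        "      status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
foreach ($s in $chain.ChainStatus) {
    "overall: $($s.Status) - $($s.StatusInformation.Trim())"
}

# 3. Report expired entries in the Trusted Root and Intermediate stores, the two places
#    the answer says to clean up, so stale copies are visible before anything is removed.
foreach ($store in 'Root', 'CA') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.NotAfter -lt (Get-Date) } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, Thumbprint
}
```

Read the output bottom-up: a chain that ends in a self-signed root with an empty status list is fine, and the trust problem is then elsewhere (wrong name, wrong store, or no private key); `PartialChain` or `UntrustedRoot` means the issuing CA certificates are not in the Root/CA stores, which is the case the answer addresses by importing the root and intermediate bundle.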
 
Tony J (Lead Technical Architect) commented:
Who was the issuing authority?

What uses is it listed for?

When you look at the properties of the certificate does it show any errors such as private key missing etc?
0
 
Brian CTXSupport (Citrix Consultant) commented:
What version is the license server you are using?  The minimum version needed for XenDesktop 7.6 is 11.12.1.  The connection to the license server doesn't use SSL, so I'm not sure why you're seeing that, other than attempting to connect to an old version of the license server.
0
 
arosenboom (Author) commented:
>Who was the issuing authority?

Internal server

>What uses is it listed for?

Not sure if this what you are asking but it says in key usage ... Digital Signature, Key Encipherment

enhanced usage is Server Authentication

> When you look at the properties of the certificate does it show any errors such as private key missing etc?

Under Details tab, I see nothing that sticks out at me.
0
 
Brian CTXSupport (Citrix Consultant) commented:
From Programs and Features on the License Server, what version of Citrix Licensing does it say you have installed?
0
 
arosenboom (Author) commented:
>What version is the license server you are using?  The minimum version needed for XenDesktop 7.6 is 11.12.1.

11.12.1. build 14008
0
 
Brian CTXSupport (Citrix Consultant) commented:
Did you upgrade the existing license server or install a new one?

If new, is the firewall disabled on the license server, or are the following ports open?

Console Web Server (default port is 8082)

License Server Manager (default port is 27000)

Simple License Service (default port is 8083)

Vendor Daemon (default port is 7279)
0
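A quick way to confirm the four ports listed above are reachable from the new Delivery Controller, as an added example that is not part of the thread. `$LicenseServer` is a placeholder; `Test-NetConnection` and `Get-NetTCPConnection` ship with Windows Server 2012 R2 and later.

```powershell
# Added example: test the Citrix license server ports from a Delivery Controller,
# then (optionally, when run on the license server itself) confirm something is
# actually listening on each one, to separate "firewall blocked" from "service down".
$LicenseServer = 'licsrv.ad.example.local'   # assumption: replace with the license server FQDN

# Port list as given in the thread.
$Ports = [ordered]@{
    'Console Web Server'     = 8082
    'License Server Manager' = 27000
    'Simple License Service' = 8083
    'Vendor Daemon'          = 7279
}

# Remote view: can this host open a TCP connection to each port?
$remote = foreach ($name in $Ports.Keys) {
    $r = Test-NetConnection -ComputerName $LicenseServer -Port $Ports[$name] `
                            -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service  = $name
        Port     = $Ports[$name]
        Resolved = $r.RemoteAddress
        TcpOpen  = $r.TcpTestSucceeded
    }
}
$remote | Format-Table -AutoSize

# Local view (run on the license server): is a process listening on each port?
if ($env:COMPUTERNAME -eq ($LicenseServer -split '\.')[0]) {
    $listening = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in $Ports.Values }
    foreach ($name in $Ports.Keys) {
        $hit = $listening | Where-Object LocalPort -eq $Ports[$name]
        $pidText = if ($hit) { ($hit.OwningProcess | Select-Object -Unique) -join ',' } else { 'none' }
        "{0,-24} port {1,-6} listening: {2,-5} pid: {3}" -f $name, $Ports[$name], [bool]$hit, $pidText
    }
}
```

A port that is listening locally but shows `TcpOpen = False` remotely points at a firewall or network path; one that is not listening at all points at the licensing services themselves, which no firewall change will fix.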
 
Brian CTXSupport (Citrix Consultant) commented:
Did you use the following procedure to create the certificate?

http://support.citrix.com/proddocs/topic/licensing-1111/lic-cert-simple-license-service.html?_ga=1.20398264.1862317713.1413407183

When the certificate was created, did you use the Template for Web Server option?
0
 
arosenboom (Author) commented:
>Did you upgrade the existing license server or install a new one?

Upgrade, I do believe.

> If new, is the firewall disabled on the license server, or are the following ports open?

We turn off firewall by group policy, and I just double checked.

Console Web Server (default port is 8082)

License Server Manager (default port is 27000)

Simple License Service (default port is 8083)

Vendor Daemon (default port is 7279)
0
 
arosenboom (Author) commented:
>Did you use the following procedure to create the certificate?

>http://support.citrix.com/proddocs/topic/licensing-1111/lic-cert-simple-license-service.html?_ga=1.20398264.1862317713.1413407183

> When the certificate was created, did you use the Template for Web Server option?

I didn't create it, my boss did, but I do know he used the above article... I am going to ask him now if he used the Template for Web Server option....

Thank you for all your suggestions so far....
0
 
arosenboom (Author) commented:
I've requested that this question be deleted for the following reason:

No reasonable solution.
0
 
arosenboom (Author) commented:
None at this time
0