khanfe

asked on

Citrix SSL Certificate Error on Thin Client

Hi folks,

I'm very new to Citrix and SSL certificates and hope someone can help me?

I have a couple of users receiving the following errors on a thin client they use to connect to their Citrix desktop environment:

"Unable to launch your application.  Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. SSL Error 70: the server sent an expired security certificate.  The certificate "svn.bronzelnk.net" is valid from 06 March 2013 to 06 March 2016."

The SSL certificate configured seems to be expiring today.  We have a NetScaler configuration, where I can see that the certificate does expire today.

I'm stuck as to how I can generate a new certificate? I've tried creating a new certificate and attempted to install it, however I get an 'Invalid Certificate' message.

aditya Bodapati

Hi,
If your previous SSL certificate is 1024-bit with gateway, then you should update or replace it with 2048-bit or higher. Else it will not accept the same bit. Check this out and let me know.
khanfe

ASKER

@aditya - Thanks for the response.  

Not sure if this is what you mean, but the certificate expiring is currently configured with a Public Key Size of 2048?

Is this value specified anywhere when creating a CSR?

Brian Murphy

You have three options.

You can renew the certificate with the same private key and CSR.

Or, you can create a new request with a new private key from the NetScaler.

Or, you can generate a new request (CSR) with a new private key from IIS Server.

Your certificate does expire today so this is only going to get worse.

Also, you have an older version of firmware on that NetScaler based on the screenshot.  That will need to be addressed at some point.

For now we can focus on the certificate renewal.

Do you understand any of the three options or do you need a walk-through?
Once we get this done, I would ask you to take a read of my TLS hardening article:
https://www.experts-exchange.com/articles/25021/Citrix-SSL-TLS-Vulnerabilities-and-Operating-System-Hardening.html

Notice how your certificate is SHA1.  That is deprecated and something I address in this aforementioned article.  It is good reading if you want to learn more about TLS and why I'm stressing upgrading the firmware.

I walk you through some of the steps here working with TLS certificates.

On the NetScaler we create the private key first and bind that to the CSR (Certificate Request) and that is what you submit to your hosted CA company.
https://www.experts-exchange.com/articles/26481/Share-One-TLS-Certificate-for-Remote-Desktop-Services-and-SQL-Server.html
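
As an added illustration of the key-size, SHA-1 and expiry points raised in this thread (not code posted by any participant, and not NetScaler or IIS commands): with the OpenSSL command line, the key size is fixed when the private key is generated and the digest when the CSR is signed, and both can be read back before the request goes to the CA. Function names, file names and the host name are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example. Assumes the OpenSSL CLI is installed; names are placeholders.
# Function bodies use ( ) so each runs in a subshell and its variables stay local.

# New private key plus a SHA-256-signed CSR. The key size is chosen here,
# when the key is generated; the CSR simply carries that public key.
make_csr() (  # make_csr <common-name> <bits> <key-out> <csr-out>
  openssl genrsa -out "$3" "$2" 2>/dev/null || exit 1
  chmod 600 "$3"
  openssl req -new -sha256 -key "$3" -subj "/CN=$1" -out "$4"
)

# Key size and signature algorithm of a CSR or certificate, read from openssl's text dump.
pem_summary() (  # pem_summary <req|x509> <file>  ->  "<bits> <sigalg>"
  text=$(openssl "$1" -in "$2" -noout -text) || exit 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  alg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
  printf '%s %s\n' "$bits" "$alg"
)

# Findings for a certificate: expired or expiring inside the window, SHA-1
# signature, RSA key under 2048 bits. Prints "ok" when none apply.
audit_cert() (  # audit_cert <cert.pem> <warn-days>
  text=$(openssl x509 -in "$1" -noout -text) || exit 1
  read -r bits alg <<EOF
$(pem_summary x509 "$1")
EOF
  out=""
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    out="expired"
  elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    out="expires-within-$2-days"
  fi
  case "$alg" in *[Ss][Hh][Aa]1*) out="$out sha1-signature" ;; esac
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
     && [ "${bits:-0}" -lt 2048 ]; then
    out="$out key-under-2048"
  fi
  printf '%s\n' "${out:-ok}" | sed 's/^ //'
)
```

Running `audit_cert` against the certificate exported from the gateway, with a window such as 30 days, gives early warning of the expiry described in the question.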
khanfe

ASKER

@Brian - Thank you for the response.

It is now affecting all users, as the certificate expired yesterday evening.

Would renewing the certificate with the same private key and CSR be the easiest option for now? I've not done this before and would be grateful if you are able to assist in any way?