Symptoms or Error
This article is intended for Citrix administrators and technical teams only. Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.
Users may receive the following error when launching an application with Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Android 3.12.2, Receiver for Linux 13.6 and newer:
Error: You have not chosen to trust '(CERT INFO)', the issuer of the server's security certificate. Contact your help desk for assistance.
Solution
Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.
This issue may be caused by an out-of-date intermediate certificate installed at NetScaler Gateway. This does not mean that the CA certificate currently in use has expired, but that the CA has since released a newer version of that certificate.
Verify the certificate bindings at the NetScaler Gateway to resolve this issue.
To confirm this, visit the NetScaler Gateway website using a web browser, and examine the certificate chain in the web browser. You may wish to cross-check this by repeating with more than one web browser (such as with Google Chrome and Mozilla Firefox). Then, compare all the certificates in the browser's certificate chain with the certificate chain at NetScaler Gateway.
Note: Compare all the serial numbers in the certificates and not just the Subject Name. If there are any mismatches in intermediate certificates, this is a possible cause.
Update NetScaler Gateway with the corresponding intermediate certificates, as they appear in the web browser. You can export the intermediate certificates from the web browser. If you used more than one web browser, it is possible that they yield different certificate chains. If so, use the newer certificate chain. For more information about installing and linking an intermediate certificate with Primary CA on a NetScaler Gateway appliance, refer to CTX114146.
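The serial-number comparison described above can be scripted. The following is an added example, not Citrix code: it assumes the `openssl` command-line tool is installed, and the function names, host name and file names are hypothetical. It lists the Subject and serial number of every certificate in two PEM bundles and flags any Subject whose serial number differs between them.

```sh
#!/bin/sh
# Added example, not Citrix code. Requires the openssl command-line tool.
# Usage after sourcing this file (host and file names are placeholders):
#   fetch_chain gateway.example.com > gateway.pem   # chain the gateway sends
#   compare_chains gateway.pem browser.pem          # browser.pem: browser export

fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null
}

# chain_summary: PEM bundle on stdin -> one "subject<TAB>serial" line per cert.
chain_summary() {
  cs_dir=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate, ignoring other text.
  awk -v dir="$cs_dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }'
  for cs_f in "$cs_dir"/*.pem; do
    [ -e "$cs_f" ] || continue
    cs_subj=$(openssl x509 -in "$cs_f" -noout -subject -nameopt RFC2253 |
      sed 's/^subject= *//')
    cs_ser=$(openssl x509 -in "$cs_f" -noout -serial | sed 's/^serial=//')
    printf '%s\t%s\n' "$cs_subj" "$cs_ser"
  done
  rm -rf "$cs_dir"
}

# compare_chains GATEWAY.pem BROWSER.pem
# Returns 1 if a certificate with the same Subject has a different serial
# number in the two bundles (a reissued CA certificate), 2 on unusable input.
compare_chains() {
  cc_dir=$(mktemp -d) || return 2
  chain_summary <"$1" >"$cc_dir/gw"
  chain_summary <"$2" >"$cc_dir/br"
  if [ ! -s "$cc_dir/gw" ] || [ ! -s "$cc_dir/br" ]; then
    echo "no certificates found in one of the bundles" >&2
    rm -rf "$cc_dir"; return 2
  fi
  cc_rc=0
  awk -F '\t' '
    NR == FNR { gw[$1] = $2; next }
    !($1 in gw) { printf "ONLY-IN-BROWSER %s serial=%s\n", $1, $2; next }
    gw[$1] != $2 { printf "MISMATCH %s gateway=%s browser=%s\n", $1, gw[$1], $2; bad = 1 }
    END { exit bad + 0 }' "$cc_dir/gw" "$cc_dir/br" || cc_rc=$?
  rm -rf "$cc_dir"
  return "$cc_rc"
}
```

An `ONLY-IN-BROWSER` line is informational, since a browser shows the root from its own store whether or not the gateway sends it; a `MISMATCH` line marks a certificate to replace on the gateway.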
Problem Cause
Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Linux 13.6 and newer versions validate the root certificate even if they trust the intermediate, which is not the case with browsers. If a browser trusts the intermediate, it trusts the server certificate without going down to the root certificate, and it displays the newer version of the root from its own certificate store rather than the actual root certificate sent by the server or NetScaler Gateway.
In Receiver for Android 3.12.2, joint server certificate validation is turned off by default. If this policy is enabled in the Receiver without the correct set of certificates configured on the server/gateway, users may see the error message.
Additional Resources
CTX221453 - Citrix Receiver - SSL Error when connecting via NetScaler
Citrix Documentation - Receiver for Mac, Receiver for Android
CTX114146 - How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway
Solution
Update to the Latest Receiver Version
- Upgrade to the latest version of Receiver to verify if this resolves the issue.
- If you are using SHA-2 certificates, note that older versions of Receiver do not support these certificates. Refer to CTX200114 - Citrix Receiver Support for SHA-2 to view the Receiver versions which support SHA-2 certificates.
If this does not resolve the issue then proceed to the next section.
For information on Receiver feature updates, refer to the Citrix Receiver Feature Matrix.
Missing Root/Intermediate Certificate
This error message suggests that the Mac client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the Secure Gateway/NetScaler Gateway server certificate.
Complete the following steps to resolve this issue:
For Big Sur, please refer to Add certificates to a keychain using Keychain Access on macOS Big Sur
For Catalina, please refer to Add certificates to a keychain using Keychain Access on macOS Catalina
The default File Format should be Certificate (.cer).
Note: You might need to rename the certificate to a .CRT extension for the client to properly identify the certificate.
Save the certificate to the /Applications/Citrix ICA Client/keystore/cacerts folder (create this folder if it does not exist).
Additional Resources
CTX101990 - Error: 'The server certificate received is not trusted (SSL Error 61)' for Receiver Users
CTX203362 - Error: 'The server certificate received is not trusted (SSL Error 61)' on Receiver for Linux
CTX200836 - Error: 'SSL Error 61: You have not chosen to trust 'Certificate Authority'...' When Launching Apps with Citrix Online Plug-in