The issue happens with Citrix Receiver for Mac version 11.8.2 after upgrading to OS X Yosemite. Applications will launch fine from the Citrix Receiver for Web. The issue appears to be an.
Applicable Products
- Citrix Gateway
- Receiver
Symptoms or Error
This article is intended for Citrix administrators and technical teams only. Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.
Users may receive the following error when launching an application with Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Android 3.12.2, Receiver for Linux 13.6 and newer:
Error: You have not chosen to trust '(CERT INFO)', the issuer of the server's security certificate. Contact your help desk for assistance.
Receiver for Mac
Receiver for Android
Solution
Important! This article is intended for use by System Administrators. If you are experiencing this issue and you are not a System Administrator, contact your organization’s Help Desk for assistance and refer them to this article.
This issue may be caused by an out-of-date intermediate certificate installed at NetScaler Gateway. This does not mean that the CA certificates currently being used is expired but the CA has since released newer versions of that certificate.
Citrix Workspace For Mac 10.10.5
Verify the certificate bindings at the NetScaler Gateway to resolve this issue.
To confirm this, visit the NetScaler Gateway website using a web browser, and examine the certificate chain in the web browser. You may wish to cross-check this by repeating with more than one web browser (such as with Google Chrome and Mozilla Firefox). Then, compare all the certificates in the browser's certificate chain with the certificate chain at NetScaler Gateway.
Note: Compare all the serial numbers in the certificates and not just the Subject Name. If there are any mismatches in intermediate certificates, this is a possible cause.
Update NetScaler Gateway with the corresponding intermediate certificates, as they appear in the web browser. You can export the intermediate certificates from the web browser. If you used more than one web browser, it is possible that they yield different certificate chains. If so, use the newer certificate chain. For more information about installing and linking an intermediate certificate with Primary CA on a NetScaler Gateway appliance, refer to CTX114146.
Problem Cause
The Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Linux 13.6 and newer versions are going to validate the root certificates even if it trusts the intermediate, which is not the case with the browsers. If the browser trusts the intermediate, it trusts the server certificate, without going down to the root certificate and will display the newer version of the root from its certificate store and not the actual root certificate sent by the server or NetScaler Gateway.
In Receiver for Android 3.12.2, joint server certificate validation is turned off by default. If this policy is enabled in the Receiver without the correct set of certificates configured on the server/gateway, users may see the error message.
Citrix Receiver Mac 10.10.5
Additional Resources
Citrix Receiver For Mac Os 10.10.5
CTX221453 - Citrix Receiver - SSL Error when connecting via NetScaler
Citrix Documentation - Receiver for Mac, Receiver for Android
CTX114146 - How to Install and Link Intermediate Certificate with Primary CA on NetScaler Gateway