When you really haven’t chosen not to trust: Citrix, Mac OS X, and Entrust certificates

NB: this article is a few years old, and I haven’t tested any updates since I wrote it. It may still work; who knows?

This is one that the support desk of my employer really should’ve answered, but they gave their usual, “You mentioned Macintosh in your e-mail, so this conversation stops here” response.

Anyway, they’ve just upgraded their Citrix access, and what used to work now gives the rather cruddy response:

SSL Error 0: You have not chosen to trust

Just what SSL Error 0: You have not chosen to trust “Entrust.net Secure Server Certification Authority”,the issuer of the server’s security certificate. Error number: 183 is supposed to mean to anyone, I don’t know. (Well, actually, I do know, but in rants like this it’s customary to feign ignorance in a huffy manner. Work with me here, people.)

So, to fix this:

  1. Make sure that Citrix ICA Client is installed
  2. Go to entrust.net/developer and click on Download Root Certificates
  3. Select Personal Use, and click on Download Certificates
  4. Download entrust_ssl_ca.cer and entrust_ssl_ca.der to your desktop
  5. Open a terminal (it’s in Applications/Utilities), and enter the following:
    cd /Applications/Citrix\ ICA\ Client/keystore/cacerts/
    cp -p ~/Desktop/entrust_ssl_ca.* .
    ln -s entrust_ssl_ca.cer entrust_ssl_ca.crt
  6. Exit the terminal, and try your Citrix session again.

There might be some unnecessary steps there, and this might all be fixed by downloading the latest release of the ICA client, but this works for me now.
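Copying a root into the client’s cacerts directory makes it a trust anchor, so it is worth checking the downloaded file against a fingerprint obtained separately from the CA before installing it. The following is an added example, not part of the original article or of any Citrix or Entrust tooling; the function names and the pinned fingerprint are assumptions, and the sample bytes are constructed placeholders rather than a real certificate.

```python
import hashlib
import shutil
import ssl
import tempfile
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def load_der(path):
    """Return DER bytes for a certificate file stored as PEM (text) or DER (binary)."""
    raw = Path(path).read_bytes()
    if raw.lstrip().startswith(PEM_HEADER):
        # PEM is base64-wrapped DER, which is why a browser may display it as text.
        der = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    else:
        der = raw
    if der[:1] != b"\x30":  # a DER certificate begins with an ASN.1 SEQUENCE tag
        raise ValueError(f"{path} does not look like an X.509 certificate")
    return der

def sha256_fingerprint(path):
    """SHA-256 over the DER encoding, so PEM and DER copies of one cert agree."""
    return hashlib.sha256(load_der(path)).hexdigest()

def install_if_pinned(src, cacerts_dir, expected_fp, name="entrust_ssl_ca.crt"):
    """Copy src into the cacerts directory only if its fingerprint matches the pin."""
    want = expected_fp.replace(":", "").replace(" ", "").lower()
    got = sha256_fingerprint(src)
    if got != want:
        raise ValueError(f"fingerprint mismatch for {src}: got {got}")
    dest = Path(cacerts_dir) / name
    shutil.copyfile(src, dest)
    return dest

if __name__ == "__main__":
    # Constructed placeholder bytes, NOT a real certificate; they stand in for the download.
    der = b"\x30\x82" + b"constructed-sample-not-a-real-certificate"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "entrust_ssl_ca.der").write_bytes(der)
        (tmp / "entrust_ssl_ca.cer").write_text(ssl.DER_cert_to_PEM_cert(der))
        (tmp / "cacerts").mkdir()  # stand-in for the client's keystore/cacerts directory
        pinned = hashlib.sha256(der).hexdigest()  # in practice: obtained out-of-band from the CA
        print(sha256_fingerprint(tmp / "entrust_ssl_ca.cer") == pinned)
        print(install_if_pinned(tmp / "entrust_ssl_ca.der", tmp / "cacerts", pinned))
```
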

14 comments

  1. This also works under Ubuntu if you substitute the directory /usr/lib/ICAClient/keystore/cacerts/

  2. The direct links I gave to entrust_ssl_ca.cer and entrust_ssl_ca.der work fine without going through the ‘Personal Use’ login bit.

  3. Thanks for the fix, don’t think my help-desk would have been much help. Keep up the good work.

  4. Thanks for the info. FYI, you don’t need the .der certificate, and you can simply rename the .cer to .crt instead of creating a symlink. Just the following worked for me in Ubuntu:

    cd /usr/lib/ICAClient/keystore/cacerts
    sudo wget https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
    sudo mv entrust_ssl_ca.cer entrust_ssl_ca.crt

    And if you think you get blown off when mentioning a Mac, just try mentioning Linux and see if they have even heard of it 🙂

  5. Thanks, this didn’t quite work for me but it gave me the right direction. For some reason the entrust_ssl_ca.cer did not load to the desktop, it kept loading in Firefox only as a txt file… so what I ended up doing is moving the entrust_ssl_ca.der file into Applications/Citrix ICA/keystore/cacerts and it worked! Thank you 🙂

  6. Toby Johnson’s suggestion of copying the .cer file worked perfectly for me. Thanks for the suggestion.
