Citrix XenApp 6 – SHA2 Certificate Issues with Secure Gateway

I was recently involved with recovering from a crashed Citrix Presentation Server 4.5 environment. The solution involved jettisoning the 4.5 farm and building out a fresh XenApp 6.5 farm. Everything pretty much went smoothly until we tried testing mobile access via iPhones/iPads. Authentication would work properly, but when the Citrix Receiver application tried to open up the published resource, an error would kick back on the device with the generic “Connection Error Citrix Receiver could not establish connection with remote host. Please contact your administrator for assistance.” message. Additionally, I had certificate trust errors with Windows XP machines pertaining to my GoDaddy certificate. Windows 7/8 machines worked fine with no issues.

After some pretty painstaking troubleshooting, the clues started to show themselves in the device receiver logs – turns out that SHA2 (256) certificates are not supported through “Citrix Secure Gateway”. Also, the Citrix Receivers for iOS or Android do not support SHA-2 certificates either. SHA2 certificates are the standard right now and SHA1 certs will no longer be supported globally after the year 2017, so I expect Citrix to fix this soon. Once I reissued the GoDaddy certificate under SHA1 encryption and imported it into the Secure Gateway Server, everything started working correctly. If you have a Citrix Access Gateway Appliance or VPX, SHA2 certificates work with no issues.

-Justin Vashisht (3cVguy)
