ICA Client connections via Secure Gateway & SSL Relay fail due to expired VeriSign Global Server Intermediate Root CA

The VeriSign Global Server Intermediate Root Certificate expires on January 7, 2004. If your Secure Gateway or SSL Relay server is using a VeriSign Global Server ID certificate, you may need to update the intermediate certificate.

Symptoms

All Citrix ICA Client versions connecting via Secure Gateway or the Citrix SSL Relay Service through NFuse and/or Web Interface using the VeriSign Global Server Intermediate Root Certificate fail.

When you try to connect to a MetaFrame presentation server through Secure Sockets Layer (SSL), you may receive one of the following error messages:

1. The connection was rejected. The SSL certificate is no longer valid. Please contact your Citrix Administrator (SSL error 70)

2. The server sent an expired security certificate. The certificate “O=Verisign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA – Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign” is valid from Thursday, April 17, 1997 to Wednesday, January 7, 2004.

3. Security alert: A security certificate has expired or is not yet valid. The certificate “O=Verisign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA – Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign” is valid from Thursday, 17 April, 1997 to Wednesday, 7 January, 2004.

Cause

This problem occurs because the old VeriSign [128-bit SSL] Global Server Intermediate Root CA expires on January 7, 2004. Servers that are using this public root certificate and have not been updated with the new Global Server Intermediate Root CA may encounter problems when they try to establish SSL sessions after January 7, 2004.

This problem will be observed by all ICA client platforms and versions attempting to connect through an affected Secure Gateway or SSL Relay service.

Citrix Administrators

Verify that all Secure Gateway and SSL Relay servers that are currently running with VeriSign certificates have updated the Intermediate Root Certificate Authorities (CAs). Servers that have not been updated will no longer be able to establish SSL sessions as of January 7, 2004.

The Gateway & SSL Relay Services need to be restarted for the changes to take effect.

More information

For more information about this problem, please visit the following VeriSign Web site:

http://verisign.com/support/vendors/exp-gsid-ssl.html

For information about how to replace the VeriSign Global Server ID Intermediate Root CA, visit the following VeriSign Web site:

https://www.verisign.com/support/site/caReplacement.html

Please read the directions at this site carefully before attempting to update your servers' Intermediate CA information. The updated certificate must be imported to the Local Computer > Intermediate Certification Authorities > Certificates store using the MMC Certificates snap-in. After updating the certificate, restart the Secure Gateway or SSL Relay service.

You will need to verify that all web servers, Secure Gateway servers and MetaFrame servers running the Citrix SSL Relay Service with VeriSign certificates have updated the Intermediate Root Certificate Authorities (CAs). After January 7, 2004 they will not be able to establish SSL sessions until the intermediate certificate is updated.
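
One way to run this verification from PowerShell on each Windows server (an added example, not part of the original article or of VeriSign's instructions). It assumes the server certificates are in the Local Computer Personal store (Cert:\LocalMachine\My) and matches the intermediate by the subject text quoted in the error messages above; the second part goes slightly further and flags any chain element outside its validity period, not only the VeriSign one.

```powershell
# Added example: audit certificate stores for the expired VeriSign intermediate.
# The subject text comes from the error messages quoted in this article.
$subjectMatch = 'VeriSign International Server CA'
$now = Get-Date

# 1. List every copy in Local Computer > Intermediate Certification Authorities.
$intermediates = @(Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*$subjectMatch*" })

$intermediates | ForEach-Object {
    [pscustomobject]@{
        Store      = 'LocalMachine\CA'
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Status     = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
    }
} | Format-List

# The old and new intermediates can coexist; what matters is that a valid one exists.
if (-not ($intermediates | Where-Object { $_.NotAfter -ge $now })) {
    Write-Warning "No unexpired '$subjectMatch' certificate in LocalMachine\CA."
}

# 2. Build the chain for each server certificate (assumed to be in
#    LocalMachine\My) and flag any chain element outside its validity period.
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # $true = build the chain in the machine context, as a service would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Expiry is the question here, so skip revocation lookups (works offline).
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.NotAfter -lt $now -or $c.NotBefore -gt $now) {
            Write-Warning ("Chain for '{0}' includes '{1}', valid {2:d} to {3:d}" -f `
                $cert.Subject, $c.Subject, $c.NotBefore, $c.NotAfter)
        }
    }
}
```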

Note: The updated intermediate root certificate has the following properties:

Issued to: www.verisign.com/CPS <http://support.citrix.com/article/CTX103235&searchID=-1
