Ask Your Question

SSL error 61when accessing Citrix application

asked 2013-10-30 17:33:20 -0500

ccd gravatar image

updated 2013-11-03 11:49:15 -0500

I am getting a client error in Firefox:

You have not chosen to trust "VeriSign Class 3 Public Primary Certification Authority - G5", the issuer of the server's security certificate (SSL error 61).

How do I correct this problem?

So, to continue the story, I have been searching other web sites looking for the answer. I found one web site that had very specific instructions on how to export the certificate and copy it to the Citrix install location in the cacerts directory. I tried that solution but it did not resolve the error. I even tried various names for the certificate.

There is also info on the Citrix web site that suggests the required root certificate is not present. This seems to imply that it is looking for another certificate other than the CA certificate, possibly the public certificate for the site I am accessing? I tried calling the help desk for the site (my work) and as usual they were not very helpful. The suggested that I switch from Fedora to Ubuntu.

Thanks Marc for the suggestion. When I go to the site where I am trying to run the Citrix applications, the lock icon is only a logoff button for the site. I looked around but did not find anywhere else that they might have been located. Is there someplace else I should be looking?

Thanks for pointing me to the correct location to look at the certificates.

After I followed the directions, I was still encountering the problem. Since I was convinced that the solution had to be placing a copy of the certificate in the proper location I started searching for candidate locations and discovered that I had somehow installed the Citrix client in two different locations: /opt and /usr/bin. When I copied the certificates to the other location, I was able to access the application.

Thanks for the help!

edit retag flag offensive close merge delete


Glad to be of service.

Marc lml gravatar imageMarc lml ( 2013-11-03 12:53:30 -0500 )edit

Thank you very much! After days struggle against this annoying problem I was able to finally work!

Alexandre Castro gravatar imageAlexandre Castro ( 2015-10-06 11:33:06 -0500 )edit

4 Answers

Sort by ยป oldest newest most voted

answered 2013-11-02 08:28:44 -0500

Marc lml gravatar image

updated 2013-11-03 05:47:38 -0500

I ran into a similar problem in the past when I tried to connect to a Citrix Secure Gateway that used a self-signed certificate. Beside the certificate for the site, you need to download the certificate for the CA and AAA as well.

In Firefox open the Secure Gateway site and click on the lock icon. Then click on More Information..., View Certificate and the tab Details. In my case there were three entries under Certificate Hierarchy: CA, AAA and the site name. Select CA and click Export..., select AAA and click Export... and finally select the site name and click Export.... Finally copy all three certificates to ~/ICAClient/linuxx86/keystore/cacerts to make them available.

Update: lock icon

Please see this Mozilla support article for the lock icon: How do I tell if my connection to a website is secure?

edit flag offensive delete link more



Thank you for this answer. It worked for me. I only needed one certificate, and I was able to get it and copy it to /opt/Citrix/ICAClient/keystore/cacerts/ with this method. And it works.

passthejoe gravatar imagepassthejoe ( 2015-08-25 15:44:18 -0500 )edit

2016-11-23: I can confirm that this solution is still working under Fedora 24 using the current Citrix Receiver (ICAClientWeb-rhel- from Citrix website. I am almost sure creating a symbolic link as described in the other answer would work too but I read it only after I had already exported the crts to /opt/Citrix/...


gobigobi66 gravatar imagegobigobi66 ( 2016-11-22 23:07:47 -0500 )edit

Hi, Thanks for sharing the information! It worked for me without any issues on Ubuntu 16.04.2 LTS

ADhopate gravatar imageADhopate ( 2017-07-09 03:23:27 -0500 )edit

Work for Fedora 26!

Michel2018 gravatar imageMichel2018 ( 2017-09-11 04:01:19 -0500 )edit

answered 2016-11-28 04:06:49 -0500

pere gravatar image

These 3 commands worked for me:

cp -a VeriSign\ Root\ Certificates/Generation\ 5\ \(G5\)\ PCA/VeriSign\ Class\ 3\ Public\ Primary\ Certification\ Authority\ -\ G5.* /opt/Citrix/ICAClient/keystore/cacerts/
edit flag offensive delete link more


This was the easiest way to fix this issue, thanks. Unfortunately, not enough karma to upvote yet.

forcefsck gravatar imageforcefsck ( 2017-05-08 05:16:15 -0500 )edit

This worked for me too!

bombandealer gravatar imagebombandealer ( 2017-06-17 08:28:45 -0500 )edit

These steps worked like a charm for me too

bpleines gravatar imagebpleines ( 2018-06-11 09:44:20 -0500 )edit

answered 2016-01-29 23:14:32 -0500

obleeks gravatar image

Following are steps on CentOS 7 (Fedora and RedHat) to get rid of:: You have not chosen to trust "VeriSign Class 3 Public Primary Certification Authority - G5", the issuer of the server's security certificate (SSL error 61). If you are attempting to use a Citrix App:

If you start in your /home/[user name]/Downloads/ following along

sudo ln -s /usr/share/pki/* /opt/Citrix/ICAClient/keystore/cacerts/

Depends on save location and Mozilla FireFox location but I did default install and I am on FireFox 38.5.0 but this is the symbolic link so I do not have to worry about moving crap all the time


Downloading the current set of VeriSign Root Certificates from the source - clutch


Unzip it right to my current directory

cd VeriSign\ Root\ Certificates/


Verify you are were you should be

sudo mv /home/ {user_name} /Downloads/VeriSign\ Root\ Certificates/* /usr/share/pki/*

If you started in your home directory and the download section, you should have to change much but this immediately got me going even either I tried a whole bunch of other stuff I found on forums

edit flag offensive delete link more

answered 2018-01-29 03:08:50 -0500

rbnvrw gravatar image

I came across this question while googling and I found an easier answer. For me, it was enough to download just the "DigiCert Assured ID Root CA" from and placing it in the /opt/Citrix/ICAClient/keystore/cacerts/ directory.

edit flag offensive delete link more

Question Tools


Asked: 2013-10-30 17:33:20 -0500

Seen: 12,901 times

Last updated: Nov 03 '13