NetScaler SSL certificate untrusted – SSL Error 61 SHA2


Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp server. SSL Error 61: You have not chosen to trust “Certificate”, the issuer of the server’s security certificate.

If users report that they get the above message when trying to launch a published application or desktop via NetScaler Gateway, it may be because the certificate installed on the NetScaler Gateway is of the SHA2 family and the user is still using an old version of Citrix Receiver.

Since 2014, the likes of Google and Microsoft have announced that they would begin to deprecate SHA1 in their web browsers, which may cause browser compatibility issues with websites still using SHA1. The reason for the deprecation was that, whilst the majority of websites used SHA1, it was weak and prone to attack.

This move prompted companies to upgrade their certificates to SHA2, which many of the SSL vendors allowed free of charge. Microsoft announced that after 1st January 2017 their Windows platform will stop accepting SHA1 certificates. This also applies to SHA1 intermediate certificates, which need upgrading as well.

Citrix Receiver supports SHA2 as of 25th February 2014 in versions such as Receiver 3.4 Enterprise, Receiver 4.1 for Windows and Receiver 11.8.2 for Mac. If you are using older clients and your NetScaler Gateway is using a SHA2 certificate, you may get the error stated above.

Simple fix: keep your Receiver client up to date!

P.S. I have also experienced users getting: The connection to “Resource Name” failed with status (1030). This error can generally be related to firewall ports being blocked between client and VDA, but in this case it was also certificates. The user was using an old version of the online plug-in.
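To confirm whether the gateway certificate and its intermediates are signed with SHA1 or SHA2, the signature algorithm can be read from each certificate in the PEM chain. This is an added example, not part of the original post: it uses only the Python standard library, the function names are hypothetical, and the sample bundle is constructed (skeletons with the outer certificate layout only, not real certificates).

```python
import base64
import re

# Signature-algorithm OIDs mapped to the hash family discussed in the post.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1",   # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA2",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA2",  # sha384WithRSAEncryption
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(data):
    """Decode DER OID content bytes to dotted form (first arc 0 or 1 only)."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Return (oid, family) taken from Certificate.signatureAlgorithm."""
    _, body, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)  # step over tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    _, start, end = read_tlv(der, alg)   # its OBJECT IDENTIFIER
    oid = decode_oid(der[start:end])
    return oid, SIG_OIDS.get(oid, "unknown")

def chain_report(pem_bundle):
    """One (oid, family) pair per certificate in a PEM bundle, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    return [signature_hash(base64.b64decode(b)) for b in blocks]

def skeleton_pem(oid):  # constructed stand-in: outer layout only, not a real certificate
    seq = lambda body: b"\x30" + bytes([len(body)]) + body
    der = seq(seq(b"\x02\x01\x01") + seq(b"\x06\x09" + oid + b"\x05\x00") + b"\x03\x02\x00\x00")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed bundle: SHA2-signed server certificate, then a SHA1-signed intermediate.
SAMPLE = skeleton_pem(bytes.fromhex("2a864886f70d01010b")) + skeleton_pem(bytes.fromhex("2a864886f70d010105"))
```

Pass `chain_report` the PEM chain installed on the gateway. Note that `ssl.get_server_certificate` from the standard library returns only the server certificate, so the intermediates have to come from the installed bundle.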
