Installing certificates for Citrix CloudGateway/AppController 2.5 with IE on Server 2012 – “Import certificate failed”

After release 2.5 of Citrix AppController (Part of CloudGateway) I installed it into my virtual environment. After the basic configurations I tried to install the server certificate for the given hostname. For this I used the admin website at one of my infrastructure server (Windows Server 2012) https://<appcontroller-fqdn>:4443 and navigated to: Settings, Certificates, Import, Server (.pfx):

clip_image002

After selecting the right server certificate (here: World-Server-private.p12, p12 and pfx are equivalent) I typed the password for the certificate and got an error message: Import certificate failed:

clip_image003

At the AppController virtual appliance I found the following error message:

com.citrix.cg.rest.RestCertificate:Error: 708 message: Import certificate failed.

Later I tried to install the server certificate with Internet Explorer (same version) from my client running Windows 8. I was wondering because the import of the certificate worked.

I spent a lot of time to find out, why it is as it is. Using Internet Explorer’s debug mode (F12) I found a function called “Certificate.onUploadCertificate”. This function remove the path of the given certificate file (from C:\MyData\certificate.p12 to certificate.p12). This filename is send to the AppController. In my case Internet Explorer 10 on Window Server 2012 doesn’t execute this function and sends [filename="C:\MyData\certificate.p12"] (instead of [filename="certificate.p12"]) to the AppController. In this case the import process failed.

After comparing the Internet Explorer settings between my Windows 8 and Server 2012 (and some other debugging tasks) I found out that the following setting fix this problem:

In Internet Explorer go to the Internet Options, Security, Internet (!), Custom level…, Scripting, Active scripting and change it to “Prompt” – in Server 2012 “Disabled” is default.

It’s important to change the Internet security zone even if you put your AppController into the trusted sites. If the build-in certificate is not valid (example.com) Internet Explorer will use the settings from the Internet zone configuration.

Restart Internet Explorer.

If you now try to import the certificate you got a prompt to allow active scripting and after this you can import you certificate.

++++ Wir suchen Verstärkung ++++ Arbeitskultur, IT Kompetenz und Innovation werden bei sepago zum Wohle unserer Mitarbeiter und Kunden maximal gefördert. Das ist der Sinn der sepago. Wenn Dich das anspricht, dann schau doch mal im Karrierebereich.

Citrix Competence Blog

Der optimale Einsatz der Citrix Produktpalette steht seit Jahren Im Fokus der sepago Beratungsdienstleistung. In diesem Blog berichten wir über neue Trends, technische Details und unsere Erfahrungen aus vielen Citrix Projekten.

RSS-FeedAlle Artikel des Competence Blogs abonnieren.

 

About the author

Bild von Marcel Meurer
Marcel Meurer
Abteilungsleiter Consulting Services

All articles