So I've been trying to convince my dad to get a PowerBook, so I had to convince him that Citrix would work since the hospital uses it. Thankfully, I got it working, and I thought I'd share the knowledge I gained with the world.
I appreciate that Citrix provides a client for OS X, but it would be nice if they would make it easier to set up. If you happen to use one of the bundled SSL authorities, it should work very well for you out of the box. Otherwise, you'll have to do some extra work in order to set them up, since there isn't a "trust this certificate" button, and it doesn't use OS X's native certificate management.
This is somewhat advanced and assumes you are familiar with working in a terminal and, to some degree, with SSL. However, if you get Error 183 from Citrix, and it babbles about something being "not trusted", this is probably your problem.
You need to put the DER-encoded public cert you want (with a .crt extension) in /Applications/Citrix ICA Client/keystore/cacerts.
Presumably if you're reading this, you have some understanding of how SSL works: there's a public certificate issued by a Certificate Authority, or CA, and this is distributed with client programs. The CA issues certificates to owners of websites, mail servers, and other services that they want to secure, and clients check whether the certificate presented by the service they're connecting to is valid. The problem is that some programs aren't distributed with enough certificates, so you occasionally have to add them manually (this is also the case if you form your own CA). Doing battle with these certificates is, IMHO, a pain, so here's the short guide to converting certificates, with an emphasis on getting certs to work with the OS X Citrix client.
Firstly, you need to obtain the public certificate you want to add.
I attempted to get this information from OS X's "Keychain Access" utility, but found that I couldn't figure out how to get it to export Equifax's certificate (the one I needed).
Fortunately, other programs on OS X, including curl, have their own bundles of certificates.
If you look in /usr/share/curl/curl-ca-bundle.crt (MacOS 10.3), you'll find a decent bundle of certificates; find the one you want and grab the PEM data, which is everything from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line, inclusive.
Just put this in a text file, and name it whateveryouwant.pem. Now you need to convert it to the DER format:
openssl x509 -outform der -out certname.crt -in whateveryouwant.pem -inform pem
And once you've done that, you can make sure it's what you intended:
keytool -printcert -file <DER encoded cert file>
Now just copy the .crt file to /Applications/Citrix ICA Client/keystore/cacerts.
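Since anything placed in that directory becomes a trust anchor for the client, it is worth checking the certificate's fingerprint against one obtained from the CA or your IT department before copying it. The following is an added example, not part of the original post: it pulls one certificate out of a PEM bundle, converts it to DER, and writes it only if its SHA-256 fingerprint matches. The function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(bundle_text):
    """Return the DER bytes of every certificate block in a PEM bundle.
    Label text between blocks (bundles often name each CA) is ignored."""
    # PEM is base64 of the DER bytes; whitespace inside a block is not significant.
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(bundle_text)]

def fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def export_trusted(bundle_text, expected_fp, out_path):
    """Write as DER the one certificate whose fingerprint equals expected_fp.
    Nothing is written, and ValueError is raised, if no certificate matches."""
    want = expected_fp.replace(":", "").replace(" ", "").upper()
    for der in split_bundle(bundle_text):
        if fingerprint(der).replace(":", "") == want:
            Path(out_path).write_bytes(der)
            return fingerprint(der)
    raise ValueError("no certificate in the bundle has the expected fingerprint")

def to_pem(der):
    """Helper for the constructed sample below: wrap bytes as a PEM block."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes standing in for two CA certificates.
# They are not parseable X.509; only the PEM framing and hashing are exercised.
SAMPLE_DER_A = bytes(range(200))
SAMPLE_DER_B = b"constructed placeholder for a second CA" * 5
SAMPLE_BUNDLE = ("Example CA A\n============\n" + to_pem(SAMPLE_DER_A)
                 + "\nExample CA B\n============\n" + to_pem(SAMPLE_DER_B))

if __name__ == "__main__":
    # expected_fp would normally come from the CA or your IT department,
    # obtained over a channel other than the bundle itself.
    expected = fingerprint(SAMPLE_DER_B)
    print(export_trusted(SAMPLE_BUNDLE, expected, "certname.crt"))
```

The fingerprint format matches what `openssl x509 -fingerprint -sha256` prints, so the two can be compared directly.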