Citrix Studio: Cannot connect to vCenter server due to certificate error

If, for any reason, you’ve changed the certificate on your vCenter server, existing Hosting Connections in Citrix Studio will break.

You’ll be presented with an error on existing Hosting Connections or Machine Catalogs stating: “Cannot connect to the vCenter server due to a certificate error. Make sure that the appropriate certificates are installed on the VCenter server, and install the appropriate certificates on every controller in the site.”

There are many KB articles, forum posts and blogs explaining how to solve this. One of the things which seems to be omitted (or not clearly stated) in these writings is ‘which’ certificate to import. Many articles point to the download certificate option on the default vCenter website.

This doesn’t seem to be the correct certificate though. I can see where the confusion comes from, however: since the correct certificate is to be stored in the Trusted Root Certification Authorities store, it is tempting to assume the root certificate is the one needed, and this download link gives you exactly that, the root certificate of the vCenter server.

However, the certificate we need is the last (or first, depending on how you read the chain) certificate in the chain, the ‘host certificate’ with the actual subject name of your vCenter. It’s this certificate which we need to install in the Trusted Root Certification Authorities (and Trusted People!) store. Although it doesn’t seem to make any sense to place this certificate in these certificate stores, it does work (for me that is). I assume you know how to install a certificate (otherwise any search engine is your best friend).

Once you’ve imported the certificates into the correct certificate stores (on every Desktop Delivery Controller!) you need to check whether the correct SSL Thumbprint is available in the XA/XD database (see also method 2 in this Citrix KB article). Open an admin POSH console, load the Citrix modules (asnp citrix*), cd to XDHyp:/Connections and run ls. Check the SSLThumbprints entry.

If it’s empty (or the wrong value), as in the above example, open your imported certificate, copy and paste the Thumbprint value into any text editor, remove all spaces and convert the string to UPPERCASE.

Once you’ve got the string as described above, execute the following command in an administrative POSH console:

Set-Item -LiteralPath "XDHyp:\Connections\%hostconnection%" -sslthumbprint "%value%" -hypervisorAddress https://vcenter.domain.local

Once executed, an ls on XDHyp:/Connections should show the correct SSLThumbprint value.
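The check-and-repair sequence above in one script, as an added PowerShell example that is not part of the original post. It fetches the host (leaf) certificate vCenter actually presents, checks that it is present in the two local stores, compares its thumbprint with the value stored for the hosting connection and only then runs the Set-Item from the post; the vCenter FQDN and the connection name are placeholders to adjust.

```powershell
# Added example, not from the original post. Assumes the Citrix snap-ins are installed
# on the Delivery Controller; the two values below are constructed placeholders.
$vCenter        = 'vcenter.domain.local'   # subject name of the vCenter host certificate
$connectionName = 'vCenter-Hosting'        # hosting connection name as shown in Studio

Add-PSSnapin Citrix* -ErrorAction SilentlyContinue

# 1. Retrieve the leaf ("host") certificate vCenter presents on 443. The validation
#    callback is only used to read the certificate here; trust is checked in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($vCenter, 443)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($vCenter)
$hostCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. The Thumbprint property is already SHA-1 hex, upper case, without the spaces the
#    certificate dialog shows; normalising anyway keeps it safe for pasted input too.
$expected = ($hostCert.Thumbprint -replace '\s', '').ToUpperInvariant()
Write-Host "vCenter presents : $($hostCert.Subject)"
Write-Host "Thumbprint       : $expected"

# 3. Confirm the same certificate was imported into the two stores the post names,
#    i.e. the leaf certificate and not the root downloaded from the vCenter website.
foreach ($store in 'Root', 'TrustedPeople') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $expected }
    $state = if ($found) { 'present' } else { 'MISSING - import it before continuing' }
    Write-Host ("LocalMachine\{0,-14}: {1}" -f $store, $state)
}

# 4. Compare with what the site database currently holds for the hosting connection.
$conn = Get-Item -LiteralPath "XDHyp:\Connections\$connectionName"
Write-Host "Stored in XDHyp  : $($conn.SSLThumbprints -join ',')"

if ($conn.SSLThumbprints -notcontains $expected) {
    # 5. Same Set-Item as in the post, with the computed value instead of a pasted one.
    Set-Item -LiteralPath "XDHyp:\Connections\$connectionName" `
             -SSLThumbprint $expected `
             -HypervisorAddress "https://$vCenter"
    Write-Host "Updated SSLThumbprint for $connectionName; re-run ls XDHyp:\Connections to verify."
} else {
    Write-Host "Stored thumbprint already matches the presented host certificate."
}
```

Run it in an elevated PowerShell console on each Delivery Controller; the stores listed in step 3 must show "present" on every controller, as the post stresses, since the thumbprint in the database is shared but the certificate stores are not.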

If you open up Citrix Studio, your Hosting Connection and Machine Catalog should show without error now.

7 comments

  1. Mike Streetz says:

    The first cert in the chain is always the host cert and the last cert is always a CA.
    Windows displays the root cert at the top, but the chain starts from the bottom.
    So although you call out using the Host Cert, that is actually the first cert and not the last, which is counter intuitive given you need to put it in the Root CA folder.

    • Hi Mike, thanks for your reply. I couldn’t find much information on how to read the order of certificates, but I assume you’re right. Any source info on this is welcome.

      We reach the same conclusion though, that putting the host certificate in the Root CA folder is counter intuitive.

      • Mike Streetz says:

        Some references.

        https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
        https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

        If you think about it in the order in which they appear in the chain file, the host cert is the first one there.

        I only mention it because Citrix Support now uses the contents of your article (uncredited I might add) when you call them with this issue and they tell you to install the last cert, so I installed the root cert and was still running into issues.

        • Hi Mike,

          I’ve gone through your references and granted, the order in both articles is top to bottom. Neither article refers to first and/or last though. The last article is actually ambiguous about it: “Certificate 6, the one at the top of the chain (or at the end, depending on how you read the chain), is called root certificate.”

          My article however, clearly states that: “…the certificate we need, is the last certificate in the chain, the ‘host certificate’ with the actual subject name of your vCenter”. So no reference to the Root certificate.

          Since Windows shows the certificate chain bottom to top, it might be confusing to certain people referring to first or last. So I will adapt my text with a link to your article. Thanks for your input.

          Cheers,
          Misja

  2. hasan says:

    Hi

    When I tried to update the thumbprint, PowerShell throws an error prompting invalid credentials. Which credentials should I use? I’m using a SQL server sysadmin role user and password.

    • Hi Hasan,

      I’m not sure, but I’d load an administrative POSH on your Desktop Delivery Controller, load the Citrix modules and execute the command without any credentials. See if that works for you.

      Regards,
      Misja

      • Mike Streetz says:

        I had the exact same error, even manually changing the thumbprint in the database wouldn’t fix it.
        I had to upgrade my whole site past 7.15 CU3 so it would prompt me to accept the thumbprint and when I looked in the database it was exactly the same as what I had in there manually.
        I have a case open with Citrix about it but you might have to upgrade to get around it.
