Citrix Studio: Cannot connect to vCenter server due to certificate error

If for any reason, you’ve changed the certificate on your vCenter server, existing Hosting connections in Citrix Studio will break.

You’ll be presented with an error on existing Hosting Connection or Machine Catalogs stating: “Cannot connect to the vCenter server due to a certificate error. Make sure that the appropriate certificates are installed on the VCenter server, and install the appropriate certificates on every controller in the site.

There are many KB articles, forum posts and blogs explaining how to solve this. One of the things which seems to be ommited (or not clearly stated) in these writings is ‘which’ certificate to import. Many articles point to the download certificate option on the default vCenter website

This doesn’t seem to be the correct certificate though. However, I can see where the confusion comes from. As the correct certificate is to be stored in the Trusted Root Certification Authorities, this download link will give you the root certificate of the vCenter server.

However, the certificate we need, is the last certificate in the chain, the ‘host certificate’ with the actual subject name of your vCenter. It’s this certificate which we need to install in the Trusted Root Certification Authorities (and Trusted People!). Although it doesn’t seem to make any sense to place this certificate in these Certificate Stores, it does work (for me that is). I assume you know how to install a certficate (otherwise any search engine is your best friend).

Once you’ve imported the certificates in the correct certificate stores (on every Desktop Delivery Controller!) you need to check whether the correct SSL Thumbprint is available in the XA/XD database (see also method 2 in this Citrix KB article). Open an admin POSH console, load the Citrix Modules (asnp citrix*) and cd to XDHyp:/Connections and run ls. Check the SSLThumbprints entry.

If it’s empty (or the wrong value), as in the above example, open your imported certificate, copy and paste the Thumbprint value into any texteditor, remove all spaces and convert the string into UPPERCASE.

If you’ve got the string available as mentioned above, you need to execute the following command in an administrative POSH console

Set-Item -LiteralPath “XDHyp:\Connections\%hostconnection%” -sslthumbprint “%value%” -hypervisorAddress https://vcenter.domain.local

Once executed, a ls on XDHyp:/Connections should show the correct SSLThumbprint value

If you open up Citrix Studio your Hosting Connection and Machine Catalog should show without error now

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.