Citrix Studio: Cannot connect to vCenter server due to certificate error

If, for any reason, you’ve replaced the certificate on your vCenter server, the existing hosting connections in Citrix Studio will break.

You’ll be presented with an error on the existing hosting connection and its machine catalogs stating: “Cannot connect to the vCenter server due to a certificate error. Make sure that the appropriate certificates are installed on the VCenter server, and install the appropriate certificates on every controller in the site.”

There are many KB articles, forum posts and blogs explaining how to solve this. One thing that is omitted (or not clearly stated) in most of them is which certificate to import. Many articles point to the certificate download link on the default vCenter web page.

That is not the certificate you need, though I can see where the confusion comes from: since the certificate has to go into Trusted Root Certification Authorities, it seems natural to grab a root certificate, and that download link gives you exactly that, the root CA certificate of your vCenter, not the certificate vCenter presents on port 443.

The certificate you need is the host (end-entity) certificate, the one whose subject name is the actual name of your vCenter. It is the first certificate in the chain as chain files and chain-building tools list it, and the last one as the Windows certificate viewer draws it (root at the top, host at the bottom). It’s this certificate which has to be installed in Trusted Root Certification Authorities (and Trusted People!). Placing an end-entity certificate in those stores doesn’t seem to make sense, and it means the controllers trust that one certificate rather than the CA that issued it, so you will have to repeat this whenever the vCenter certificate is renewed; but it does work (for me, that is). I assume you know how to install a certificate (otherwise any search engine is your best friend).

Once you’ve imported the certificate into the correct certificate stores (on every Delivery Controller!), check whether the correct SSL thumbprint is stored in the XA/XD site database (see also method 2 in this Citrix KB article). Open an administrative PowerShell console, load the Citrix modules (asnp citrix*), cd to XDHyp:\Connections and run ls. Check the SSLThumbprints entry of your hosting connection.

If it’s empty (or holds the wrong value), open the imported host certificate, copy the Thumbprint value into a text editor, remove all spaces and convert the string to UPPERCASE.

With that string at hand, execute the following command in an administrative PowerShell console:

Set-Item -LiteralPath "XDHyp:\Connections\%hostconnection%" -SSLThumbprint "%value%" -HypervisorAddress "https://vcenter.domain.local"

Replace %hostconnection% with the name of the hosting connection as shown in Studio, %value% with the thumbprint string you prepared above, and the -HypervisorAddress value with exactly what ls reported for that connection. Once executed, ls on XDHyp:\Connections should show the correct SSLThumbprints value.

If you open Citrix Studio, your hosting connection and machine catalog should now show without error.
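The following script is an added example; it is not code from the original post or from Citrix. It ties together the two points above: it retrieves the chain vCenter actually presents on port 443 (so the host certificate is taken from the wire, not from the root-CA download link), lists the chain leaf-first to settle the first-versus-last question, installs the host certificate into Trusted Root Certification Authorities and Trusted People on the controller it runs on, normalises the thumbprint (hex digits only, upper case) and updates SSLThumbprints on the XDHyp: connection only when it differs. The vCenter FQDN, the hosting-connection name, and the assumption that Get-Item on the XDHyp: connection exposes SSLThumbprints and HypervisorAddress as the ls output shows are assumptions; adjust them to your site. The Set-Item call mirrors the post’s command; commenters below report that on some versions it additionally needs the connection’s credentials.

```powershell
# Added example (not from the original post or from Citrix): fetch the chain
# vCenter presents, identify the host (leaf) certificate, install it into the
# two stores the post names, and reconcile SSLThumbprints on the hosting
# connection. Run in an elevated PowerShell console on a Delivery Controller.

$VCenterHost    = 'vcenter.domain.local'   # assumption: FQDN used by the hosting connection
$VCenterPort    = 443
$ConnectionName = 'vCenter'                # assumption: hosting-connection name as shown in Studio

# 1. Retrieve the chain as presented on the wire. The validation callback
#    returns $true only so the handshake completes and the chain can be copied;
#    nothing below treats that as "trust".
function Get-RemoteCertificateChain {
    param([string]$HostName, [int]$Port = 443)
    $script:PresentedChain = @()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:PresentedChain = @($chain.ChainElements | ForEach-Object {
            # Copy by raw DER bytes so the objects outlive the handshake.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$_.Certificate.RawData)
        })
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    # X509Chain lists the end-entity certificate first and the root CA last.
    return $script:PresentedChain
}

# 2. Normalise a thumbprint the way the post describes: keep only hex digits
#    (drops spaces and any invisible character copied from the Windows dialog)
#    and upper-case the result.
function ConvertTo-CitrixThumbprint {
    param([string]$Thumbprint)
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# 3. Put the host certificate into Trusted Root CAs and Trusted People on this
#    controller (repeat on every controller in the site).
function Install-HostCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($storeName in 'Root', 'TrustedPeople') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        if (-not $store.Certificates.Contains($Certificate)) {
            $store.Add($Certificate)
            Write-Host "Imported $($Certificate.Thumbprint) into LocalMachine\$storeName"
        }
        $store.Close()
    }
}

# 4. Pick the leaf, show the chain order, and reconcile the site database.
$chainCerts = Get-RemoteCertificateChain -HostName $VCenterHost -Port $VCenterPort
Write-Host 'Chain as presented (leaf first):'
$chainCerts | ForEach-Object { Write-Host ("  {0}`n     issued by {1}" -f $_.Subject, $_.Issuer) }
$hostCert = $chainCerts[0]
if ($hostCert.Subject -eq $hostCert.Issuer) {
    Write-Warning 'Leaf is self-signed: host certificate and root are the same certificate.'
}
$expected = ConvertTo-CitrixThumbprint $hostCert.Thumbprint
Install-HostCertificate -Certificate $hostCert

Add-PSSnapin Citrix*            # the post's 'asnp citrix*'
$conn    = Get-Item -LiteralPath "XDHyp:\Connections\$ConnectionName"
$current = @($conn.SSLThumbprints | ForEach-Object { ConvertTo-CitrixThumbprint $_ })
if ($current -contains $expected) {
    Write-Host "SSLThumbprints already holds $expected; nothing to do."
} else {
    Write-Host "Stored [$($current -join ', ')] does not match $expected; updating."
    Set-Item -LiteralPath "XDHyp:\Connections\$ConnectionName" `
             -SSLThumbprint $expected `
             -HypervisorAddress $conn.HypervisorAddress
}
(Get-Item -LiteralPath "XDHyp:\Connections\$ConnectionName").SSLThumbprints
```

Because the value written to the site database is the thumbprint of the host certificate itself, it acts as a pin on that one certificate: every renewal of the vCenter certificate changes it and the script (or the manual steps above) has to be run again, on every controller for the store import and once for the database update.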

12 comments

  1. Mike Streetz says:

    The first cert in the chain is always the host cert and the last cert is always a CA.
    Windows displays the root cert at the top, but the chain starts from the bottom.
    So although you call out using the Host Cert, that is actually the first cert and not the last, which is counter intuitive given you need to put it in the Root CA folder.

    • Hi Mike, thanks for your reply. I couldn’t find much information on how to read the order of certificates, but I assume you’re right. Any source info on this is welcome.

      We reach the same conclusion though, that putting the host certificate in the Root CA folder is counter intuitive.

      • Mike Streetz says:

        Some references.

        https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
        https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

        If you think about it in the order in which they appear in the chain file, the host cert is the first one there.

        I only mention it because Citrix Support now uses the contents of your article (uncredited I might add) when you call them with this issue and they tell you to install the last cert, so I installed the root cert and was still running into issues.

        • Hi Mike,

          I’ve gone through your references and granted, the order in both articles is top to bottom. Neither article refers to first and/or last though. The last article is actually ambiguous about it: “Certificate 6, the one at the top of the chain (or at the end, depending on how you read the chain), is called root certificate.”

          My article however, clearly states that: “…the certificate we need, is the last certificate in the chain, the ‘host certificate’ with the actual subject name of your vCenter”. So no reference to the Root certificate

          Since Windows shows the certificate chain bottom to top, it might be confusing to certain people referring to first or last. So I will adapt my text with a link to your article. Thanks for your input

          Cheers,
          Misja

  2. hasan says:

    Hi

    When I tried to update the thumbprint, PowerShell throws an error prompting invalid credentials. Which credentials should I use? I’m using a SQL Server sysadmin role user and password

    • Hi Hasan,

      I’m not sure, but I’d load an administrative PowerShell console on your Desktop Delivery Controller, load the Citrix modules and execute the command without any credentials. See if that works for you.

      Regards,
      Misja

      • Mike Streetz says:

        I had the exact same error, even manually changing the thumbprint in the database wouldn’t fix it.
        I had to upgrade my whole site past 7.15 CU3 so it would prompt me to accept the thumbprint and when I looked in the database it was exactly the same as what I had in there manually.
        I have a case open with Citrix about it but you might have to upgrade to get around it.

  3. Denis Crowley says:

    This is the one and only solution to this issue
    Note:

    Set-Item -LiteralPath "XDHyp:\Connections\%hostconnection%" -SSLThumbprint "%value%" -HypervisorAddress https://vcenter.domain.local

    Take the info for the command to run from the ls output
    1. replace %hostconnection% with the name of your connection in Studio
    2. replace %value% with the right thumbprint
    3. replace the https://vcenter… with exactly what it says in the ls output (for me it was an IP address)
    4. If you copy/paste the command, replace the quotation marks with your own ones. POSH does not like copy/paste quotation marks.

    Worked a dream for me Misja thanks

    Finally: don’t overstress the certs. Download the new vCenter cert and install it everywhere. Once the thumbprint is updated it will work

  4. Igor says:

    Hi,

    I installed the new certificate and I am still without connection to the vCenter. I see that the thumbprint is different from my new certificate. If I use the command to change the thumbprint, I get an error message: “Cannot connect to the VCenter server due to a certificate error”…

    Any help?

    Regards.

    • Hi Igor, it seems to me you’ve missed installing the right certificate somewhere. Please follow all steps outlined above to the letter.

      Regards,
      Misja

      • Igor says:

        Hi,

        Thanks for your answer.
        The certificate I installed is the one I can download from the vcenter webpage, from the secure locker.

        Regards.

        • Igor says:

          Hi,

          I used the same command but with my credentials (citrix admin) as parameters, and now it works. Thanks for your help.

          Regards.
