Installing certificates for Citrix CloudGateway/AppController 2.5 with IE on Server 2012 – “Import certificate failed”
After release 2.5 of Citrix AppController (part of CloudGateway) I installed it into my virtual environment. After the basic configuration I tried to install the server certificate for the given hostname. For this I used the admin website from one of my infrastructure servers (Windows Server 2012), https://<appcontroller-fqdn>:4443, and navigated to: Settings, Certificates, Import, Server (.pfx):
After selecting the right server certificate (here: World-Server-private.p12; p12 and pfx are equivalent) I typed the password for the certificate and got an error message: Import certificate failed:
At the AppController virtual appliance I found the following error message:
com.citrix.cg.rest.RestCertificate:Error: 708 message: Import certificate failed.
Later I tried to install the server certificate with Internet Explorer (same version) from my client running Windows 8. I was wondering because the import of the certificate worked.
I spent a lot of time finding out why this is so. Using Internet Explorer’s debug mode (F12) I found a function called “Certificate.onUploadCertificate”. This function removes the path from the given certificate file name (from C:\MyData\certificate.p12 to certificate.p12). This filename is sent to the AppController. In my case Internet Explorer 10 on Windows Server 2012 doesn’t execute this function and sends [filename="C:\MyData\certificate.p12"] (instead of [filename="certificate.p12"]) to the AppController. In this case the import process fails.
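The failure above depends on whether a client-side script ran, so a server that receives the upload is better off normalising the filename itself. The following is an added example, not AppController code and not from the original post: the function names, the form field name "file" and the extension allowlist are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Citrix code.

// Reduce a client-supplied upload filename to its last path component.
// Both "\" and "/" are treated as separators, because the server cannot
// assume that the browser ran any client-side path stripping.
function uploadBasename(filename) {
  const lastSep = Math.max(filename.lastIndexOf("\\"), filename.lastIndexOf("/"));
  return filename.slice(lastSep + 1);
}

// Extract the filename parameter from a multipart part's Content-Disposition
// value and return a normalised name, or null if it is not acceptable.
function filenameFromContentDisposition(header) {
  const match = /;\s*filename="([^"]*)"/i.exec(header);
  if (!match) return null;
  const name = uploadBasename(match[1]).trim();
  // Reject control characters and ":" (drive-relative names such as
  // "C:cert.p12", NTFS alternate data streams).
  if (/[\x00-\x1f:]/.test(name)) return null;
  // Assumed allowlist: the import dialog on the page takes .pfx/.p12 files.
  // This also rejects "", "." and "..".
  if (!/^[^.].*\.(p12|pfx)$/i.test(name)) return null;
  return name;
}

// Constructed sample headers: the two variants described in the post.
const SAMPLE_HEADERS = [
  String.raw`form-data; name="file"; filename="C:\MyData\certificate.p12"`,
  String.raw`form-data; name="file"; filename="certificate.p12"`,
];

// Both variants normalise to the same name on the receiving side.
function normaliseSamples() {
  return SAMPLE_HEADERS.map(filenameFromContentDisposition);
}

console.log(normaliseSamples());
```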
After comparing the Internet Explorer settings between my Windows 8 and Server 2012 (and some other debugging tasks) I found out that the following setting fixes this problem:
In Internet Explorer go to the Internet Options, Security, Internet (!), Custom level…, Scripting, Active scripting and change it to “Prompt” – in Server 2012 “Disabled” is the default.
It’s important to change the Internet security zone even if you put your AppController into the trusted sites. If the built-in certificate is not valid (example.com), Internet Explorer will use the settings from the Internet zone configuration.
Restart Internet Explorer.
If you now try to import the certificate, you get a prompt to allow active scripting, and after this you can import your certificate.