Installing certificates for Citrix CloudGateway/AppController 2.5 with IE on Server 2012 – “Import certificate failed”

After the release of Citrix AppController 2.5 (part of CloudGateway) I installed it in my virtual environment. After the basic configuration I tried to install the server certificate for the given hostname. For this I opened the admin website, https://<appcontroller-fqdn>:4443, on one of my infrastructure servers (Windows Server 2012) and navigated to Settings, Certificates, Import, Server (.pfx).


After selecting the right server certificate (here: World-Server-private.p12; p12 and pfx are equivalent) I typed the password for the certificate and got the error message “Import certificate failed”.


On the AppController virtual appliance I found the following error message:

com.citrix.cg.rest.RestCertificate:Error: 708 message: Import certificate failed.

Later I tried to install the server certificate with Internet Explorer (same version) from my client running Windows 8. To my surprise, the import of the certificate worked.

I spent a lot of time finding out why this is the case. Using Internet Explorer’s debug mode (F12) I found a function called “Certificate.onUploadCertificate”. This function removes the path from the given certificate file name (from C:\MyData\certificate.p12 to certificate.p12). This file name is sent to the AppController. In my case Internet Explorer 10 on Windows Server 2012 doesn’t execute this function and sends [filename="C:\MyData\certificate.p12"] (instead of [filename="certificate.p12"]) to the AppController. In this case the import process fails.
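
As an added illustration (not AppController code and not part of the original post): an upload handler can reduce the filename parameter to its last path component on the server side, so the import does not depend on client script having run. The function names and the two sample headers are constructed for this example.

```javascript
// Constructed sample Content-Disposition values modelled on the two
// requests described above (scripting disabled vs. scripting enabled).
const SAMPLE_WITH_PATH =
  'form-data; name="file"; filename="C:\\MyData\\certificate.p12"';
const SAMPLE_BARE =
  'form-data; name="file"; filename="certificate.p12"';

// Pull the raw filename parameter out of a multipart part header value.
// Handles the quoted form browsers send and the unquoted token form.
function rawFilename(contentDisposition) {
  const m = /;\s*filename\s*=\s*(?:"([^"]*)"|([^;\s]+))/i.exec(contentDisposition);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Reduce a client-supplied name to its final component. Both "\" and "/"
// count as separators because the server cannot know the client OS.
function safeBasename(raw) {
  if (typeof raw !== 'string') return null;
  const base = raw.split(/[\\/]/).pop().trim();
  // Reject empty names, dot entries and control characters.
  if (base === '' || base === '.' || base === '..') return null;
  if (/[\u0000-\u001f\u007f]/.test(base)) return null;
  return base;
}

// Summarise one upload part: what was sent, the name the server should
// use, and whether the client included a local path.
function inspectUpload(contentDisposition) {
  const raw = rawFilename(contentDisposition);
  const name = safeBasename(raw);
  const hadPath = raw !== null && /[\\/]/.test(raw);
  return { raw, name, hadPath };
}

console.log(inspectUpload(SAMPLE_WITH_PATH));
console.log(inspectUpload(SAMPLE_BARE));
```

Logging `hadPath` on the server also makes this failure mode visible in the appliance log instead of surfacing only as a generic import error.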

After comparing the Internet Explorer settings between my Windows 8 and Server 2012 machines (and some other debugging tasks) I found out that the following setting fixes this problem:

In Internet Explorer go to Internet Options, Security, Internet (!), Custom level…, Scripting, Active scripting and change it to “Prompt”. On Server 2012 “Disabled” is the default.

It’s important to change the Internet security zone even if you put your AppController into the trusted sites. If the built-in certificate is not valid (example.com), Internet Explorer will use the settings from the Internet zone configuration.

Restart Internet Explorer.

If you now try to import the certificate, you get a prompt to allow active scripting, and after this you can import your certificate.