Why is my CA certificate not recognized/trusted?


If uploading a CA certificate to your TLXOS device fails, it is probably because the file is in the wrong format. There is a binary format (DER) and a text format (PEM/Base64), and TLXOS requires the text format. If you are exporting the certificate from Windows, you will need to select the Base64 option.

Note that the same Windows filename extension (.crt or .cer) is used for both formats and cannot be used to distinguish them.  TLXOS does not care what the filename extension is.

Please note also that if you are using an intermediate CA, you must upload certificates for both the intermediate CA and the root CA, in separate files.
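The format and separate-file requirements above can be checked before upload. The following is an added example, not ThinLinX code: it identifies DER versus PEM from the file content rather than the extension, converts DER to PEM, and splits a multi-certificate bundle into one PEM per certificate. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a valid outer ASN.1 SEQUENCE header (0x30, two-byte
# length 0x0100) followed by 256 zero bytes. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def der_declared_length(data):
    """Total size announced by the outer DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data):
    """Return 'pem', 'der' or 'unknown' from the content, not the extension."""
    if PEM_BLOCK.search(data):
        return "pem"
    if der_declared_length(data) == len(data):
        return "der"
    return "unknown"


def to_pem_files(data):
    """Return one PEM string per certificate, each to be saved separately."""
    kind = classify(data)
    if kind == "der":
        return [ssl.DER_cert_to_PEM_cert(data)]
    if kind == "pem":
        # A bundle (e.g. intermediate + root in one file) is split per cert.
        return [ssl.DER_cert_to_PEM_cert(base64.b64decode(m.group(1)))
                for m in PEM_BLOCK.finditer(data)]
    raise ValueError("not PEM or DER certificate data")
```

Read the exported file in binary mode (`open(path, "rb").read()`) and write each returned string to its own file for upload. The check only inspects the outer encoding; it does not verify that the certificate is a CA certificate or that its validity dates are current.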

If you are sure that you have uploaded the correct certificates in the correct format, check that your client has the correct time.  SSL negotiation will fail if the client thinks that the "valid from" date of the server's SSL certificate is implausible (a future date) or if it thinks that today's date is later than the server's certificate expiry date.  Your client must have a valid NTP time source; this is particularly important for the Raspberry Pi, which has no battery-backed clock and therefore will not remember the current date if power-cycled.

FYI, CA certificate management is a messy business in Linux, because even within a single Linux O/S there are multiple incompatible CA cert databases used by different applications (there is nothing like a common certificate store framework as there is on Windows).  Our "Install CA Cert" action has to update individual symlink hashes in /etc/ssl/certs (used by Citrix and most Debian apps) AND /etc/ssl/certs/ca-certificates.crt (used by Horizon Client) AND /home/tlx/.pki/nssdb/ (used by Chromium).

Article details
Article ID: 21
Category: FAQ
Date added: 2019-05-29 04:03:56