
HTTPS to HTTP redirection because of untrusted certificate


Hi everybody,


Yes, you read that right, I'm not making a huge mistake ;-)

Let me explain my case: my customer has legacy Windows XP Embedded thin clients with the Citrix Online Plugin and an https URL configured on them, pointing to a Storefront VIP hosted on our Netscaler.


We are using Citrix XenApp 7.9 with Storefront load balanced by the Netscaler. Two years ago we configured the https URL on our thin clients successfully.


The problem is that the wildcard certificate is going to expire 10 days from now. The thin clients do not trust the new wildcard certificate because of an old root CA (no Windows Update possible, as you know...).

My customer tried to install the new root CA manually on some thin clients, but the certificate seems to disappear randomly. The manufacturer, Itium, told us that it could be because of a bug in the syslock process on the thin client.


Anyway, I'm trying to find a solution: the quickest one seemed to me to change the base URL on my Storefront to HTTP and to create a responder on the Netscaler which will redirect all HTTPS requests to HTTP ones...

But when I replace the certificate on the Netscaler, what if the SSL handshake fails between my thin client and my Netscaler? I think that the responder or redirect requests will not function...


Do you think it would be possible to:

- Not change the URL configured on the 800 thin clients (we do not have enough time to do this)

- Intercept all the https requests without the SSL handshake and redirect them to our Storefront servers, which will be configured with an HTTP base URL


If you think of another solution...


Thank you for your help !






Hi Fred,


When we have an HTTP request coming in to the LB, we create a dummy HTTP LB and configure a redirect URL (an https:// URL). So when a user tries to access http://vip, it redirects to https://vip. Now I would like to try the reverse of the same. I tested with IPs and see it is working; however, the handshake will occur in this case. So if you can continue with the same cert, you may achieve the desired result. Try testing.




If clients are configured with an https URL, then the SSL handshake has to happen before the HTTP (redirect) kicks in; there is simply no way around that.

*If* your OLD CA is still alive or you have the private key of the CA cert, there is hope; or see what CAs are already on the client and, if possible, get a cert signed by one of those.


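As an added example, not part of any post in this thread and not Citrix's own documentation: the NetScaler CLI configuration for both directions discussed above. The VIP 10.0.0.10, the hostname storefront.example.com, the backend addresses, the certkey name wildcard_2018 and all vserver/policy names are assumptions chosen for illustration. Part 1 is the usual dummy-HTTP-vserver redirect to https that the second reply describes; part 2 is the reverse the original post asks about, an SSL vserver whose responder policy sends every request to its http:// equivalent, in front of a plain-HTTP vserver that actually load balances StoreFront.

```nscli
# Constructed example: IPs, hostnames and object names are assumptions, not from the thread.

# 1. Usual direction (http -> https). A dummy HTTP vserver with no services
#    bound is permanently DOWN, so -redirectURL fires for every http://vip request.
add lb vserver vs_sf_http_redirect HTTP 10.0.0.10 80 -redirectURL "https://storefront.example.com/Citrix/StoreWeb/"

# 2. Reverse direction (https -> http), replacing the dummy vserver on port 80.
rm lb vserver vs_sf_http_redirect

#    2a. The SSL vserver still terminates TLS. A client that does not trust the
#        bound certificate aborts the handshake here and never sees the 302 in 2b;
#        the redirect only helps clients that already accept this certificate.
add ssl certKey wildcard_2018 -cert wildcard_2018.crt -key wildcard_2018.key
add lb vserver vs_sf_https SSL 10.0.0.10 443
bind ssl vserver vs_sf_https -certkeyName wildcard_2018

#    2b. Responder policy: keep host and path, swap the scheme, answer 302.
add responder action rs_act_https_to_http redirect "\"http://\" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL" -responseStatusCode 302
add responder policy rs_pol_https_to_http "HTTP.REQ.IS_VALID" rs_act_https_to_http
bind lb vserver vs_sf_https -policyName rs_pol_https_to_http -priority 100 -gotoPriorityExpression END -type REQUEST

#    2c. Plain-HTTP vserver on the same VIP that load balances the StoreFront
#        servers (whose base URL has been changed to http://storefront.example.com).
add server sf01 192.168.10.11
add server sf02 192.168.10.12
add service svc_sf01_http sf01 HTTP 80
add service svc_sf02_http sf02 HTTP 80
add lb vserver vs_sf_http HTTP 10.0.0.10 80 -persistenceType SOURCEIP
bind lb vserver vs_sf_http svc_sf01_http
bind lb vserver vs_sf_http svc_sf02_http
```

The check to run before touching the NetScaler is whether the replacement certificate chains to a CA the thin clients already hold: export the root from one client and run `openssl verify -CAfile old_root.pem wildcard_2018.crt` on a workstation; if that fails, step 2a fails on the client in exactly the same way and no responder policy can rescue it, which is the third reply's point. Two caveats a practitioner would want noted: whether the Citrix Online Plugin follows a 302 from an https store URL to an http one is not something this thread confirms and has to be tested as the second reply says, and moving the StoreFront base URL to HTTP sends logon traffic in cleartext on the client network, so this is a stopgap until the clients can trust a certificate again, not a permanent design.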

