Ask a Question

Advanced Search

Solution ID : SO5556

Last Modified : 06/12/2019

Error: Certificate Upgrade Failed when installing SSL Certificate in Citrix Access Gateway


Unable to install SSL certificate on Citrix Access Gateway.

Error Message

When installing {SSL.EN_US} certificate to Citrix Access Gateway one of the following errors may occur.

  • Certificate Upgrade Failed
  • 65541:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:383

    "controller:upgraded: : failed to upgrade certificate. (Verification failure)."

    "controller:service:xfer:: unable to xfer certificate file.."


This error may occur when any of the following conditions are true:

  • The signed SSL certificate is in the wrong format.
  • The private key generated locally on the Access Gateway does not match the corresponding signed SSL certificate.


In order to resolve this issue when installing SSL certificate in Citrix Access Gateway, follow the steps below.
Step 1: Download the SSL & Intermediate CA Certificate
  1. Download the certificate from Symantec Trust Center account.
  2. The ZIP file you downloaded contains the following certificates:
    Note: Select the server platform as Citrix > Access Gateway Enterprise Edition Appliance when downloading the certificate.
    • SSL certificate (i.e. ssl_certificate.crt, also known as end entity certificate, public key certificate, digital certificate or identity certificate).
    • Intermediate CA certificate (i.e. IntermediateCA.crt, also known as chained certificate or signer/issuer of the SSL certificate).
  3. Unzip the files onto the server where you will install the certificate.

Step 2: Install the SSL Certificate

  1. Using WinSCP or any other secure FTP client, connect to the Access Gateway and log on as nsroot.
  2. Upload the agee.cer file to the /nsconfig/ssl directory
  3. In the GUI configuration manager, go to SSL > Certificates and click Add.

  4. In the Certificate-Key Pair Name field, type a descriptive name for this certificate entity, for example:
  5. For File Location select the Remote System radio button.
  6. For Certificate Filename, click Browse and locate the ssl_certificate.crt file you obtained in Step 1 
  7. For the Key Filename browse to the corresponding Private Key and enter the PEM passphrase
  8. Keep PEM selected as the format.
  9. Click Install and then Close.
  10. After a few seconds, the certificate entity should appear in the background. Click Close. Your certificate can now be used.

Step 3: Install the Intermediate CA Certificate

  1. Using WinSCP transfer the intermediate certificate to the /nsconfig/ssl directory
  2. Log in to the Configuration utility of the appliance.
  3. Expand the SSL node.
  4. Click Certificates.
  5. On the SSL Certificates page, click Add.
  6. Specify the appropriate values in the various fields of the Install Certificate dialog box. The following screenshot displays the sample values for your reference.

  7. Click Install.
  8. On the SSL Certificates page, select the server certificate to which you want to link the intermediate certificate (obtained from Step 1).
    Note: Link the server certificate to the Intermediate CA certificate.
  9. Click Link.

  10. From the CA Certificate Name list, select the required intermediate certificate, as shown in the following screenshot.

  11. Verify the certificate installation using the DigiCert Installation Checker

If the certificate installation failed due to the private key & SSL certificate mismatch, you must replace the SSL certificate.



        For more information, visit Citrix Support.