Android Citrix Receiver – Import Private Root Certificate

You might get an SSL/TLS error when connecting to XenApp/XenDesktop using CGW or SG. This can happen when the root certificate you use is not trusted by Android.

Android smartphones and tablets do not trust every root certificate authority by default, and some enterprises want to use their own root certificates.

The required certificates can be imported into the device's certificate store using the procedure below.

– You will need adb/Android SDK to make this change; download it from 

– Pull the root certificate store from the Android device's file system

  • C:\android-sdk-windows\platform-tools> adb pull /system/etc/security/cacerts.bks cacerts.bks
– Import your private root certificate into the certificate store just downloaded from the Android device. To manipulate the keystore, download the Java archive (the Bouncy Castle provider named in the keytool command below) and copy it to “c:\Program Files\Java\jre6\lib\ext”.
– Using keytool from the JRE, the command below imports the certificate into the certificate store downloaded from the Android device.
  • C:\Program Files\Java\jre6\bin>keytool.exe -keystore <path to downloaded cert store from Android device> -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -alias DJ_ROOT -file <path to the private root certificate>
  • Say “Yes” to “Trust this Certificate”
– The system partition of the Android device is mounted read-only; remount it read-write to push the modified certificate store to the Android device. The filesystem type and block device in the mount command below vary between devices.
  • C:\android-sdk-windows\platform-tools>adb shell
  • #su
  • # mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
  • #exit
  • #exit
  • C:\android-sdk-windows\platform-tools>adb remount
  • C:\android-sdk-windows\platform-tools> adb push <path to modified cert store of Android device> /system/etc/security/cacerts.bks
– Try launching Citrix Receiver; it should work without any warnings or errors.
Enjoy the ICA experience.
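
Added example, not part of the original post: a Python helper to run before the keytool step. It checks the private root certificate's SHA-256 fingerprint against a value obtained out of band, keeps a backup of the pulled cacerts.bks, and returns the page's keytool import command plus a -list check for the alias. The function names, the ".orig" backup suffix and the expected-fingerprint argument are assumptions of this example.

```python
import hashlib, shutil, ssl, sys
from pathlib import Path

PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider"  # as on the page
HEADER = b"-----BEGIN CERTIFICATE-----"

def cert_fingerprint(cert_path):
    """SHA-256 of the DER encoding; accepts a PEM or DER certificate file."""
    data = Path(cert_path).read_bytes()
    if HEADER in data:
        if data.count(HEADER) != 1:  # a bundle would add more than one root
            raise ValueError("expected exactly one certificate in the file")
        text = data[data.index(HEADER):].decode("ascii").strip()
        data = ssl.PEM_cert_to_DER_cert(text)
    return hashlib.sha256(data).hexdigest()

def matches_expected(cert_path, expected_fp):
    """Compare with a fingerprint obtained out of band from the CA owner."""
    wanted = expected_fp.replace(":", "").replace(" ", "").lower()
    return cert_fingerprint(cert_path) == wanted

def backup_keystore(keystore_path):
    """Keep the pulled cacerts.bks untouched so the device can be restored."""
    src = Path(keystore_path)
    dst = src.with_name(src.name + ".orig")  # suffix is this example's choice
    if not dst.exists():
        shutil.copy2(src, dst)
    return dst

def keytool_args(keystore, cert, alias, action="-importcert"):
    """argv for the page's keytool import, or for a -list check of the alias."""
    args = ["keytool", "-keystore", str(keystore), "-storetype", "BKS",
            "-provider", PROVIDER, "-storepass", "changeit", action,
            "-alias", alias]
    return args + (["-file", str(cert)] if action == "-importcert" else [])

def prepare_import(keystore, cert, expected_fp, alias="DJ_ROOT"):
    """Refuse on fingerprint mismatch; otherwise back up and return commands."""
    if not matches_expected(cert, expected_fp):
        raise ValueError("fingerprint mismatch: certificate not imported")
    backup_keystore(keystore)
    return [keytool_args(keystore, cert, alias),
            keytool_args(keystore, cert, alias, "-list")]

# usage: prepare.py cacerts.bks root.cer <sha256 hex>
if __name__ == "__main__" and len(sys.argv) >= 4:
    for argv in prepare_import(*sys.argv[1:4]):
        print(" ".join(argv))
```

Run the printed import command first, then the -list command to confirm the alias is present before pushing the keystore back to the device.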