I’m doing a bit of work for a client and they run this crazy Citrix Metaframe thing, which I’ve heard of but never used before. It’s like a remote access tool / website wrapped in java applets and special clients and all sorts of other whizbangerry.
But I had a problem connecting to it. It would load a java applet and then Java would die when initializing with the following error. I’m running the latest Sun Java 6 u16.
A local security certificate could not be loaded. (error code: 7)
at com.citrix.sdk.security.ssl.ConnectionModel.addCACertificate(ConnectionModel.java)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.citrix.client.io.net.ip.m.h(Unknown Source)
at com.citrix.client.io.net.ip.proxy.i.(Unknown Source)
at com.citrix.client.io.net.ip.g.a(Unknown Source)
at com.citrix.client.io.net.ip.o.a(Unknown Source)
at com.citrix.client.module.td.tcp.TCPTransportDriver.t(Unknown Source)
at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
at java.lang.Thread.run(Thread.java:619)
Caused by: The SSL cryptography library failed. The security certificate "America Online Root Certification Authority 2" has a public key of length greater than 2048 bit.
at com.citrix.sdk.security.certificate.X509CertificateLoader.loadCertificates(X509CertificateLoader.java)
It’s about identical to this unsolved post at Ubuntu launchpad too. The certificates for a simple client JRE are stored in the cacerts file which lives in jre/lib/security/cacerts . It looks as if the root certificate for AOL is too long or recently updated or something and it’s not playing nicely with MetaFrame. So somehow we have to ditch that root cert. It would only really be a problem if we are unlucky enough to have our certificate signed by that root CA.
I assumed that MetaFrame worked on older jres and that the problem is that I am using a brand new one. So luckily Sun keep an archive of old JDKs and JREs here. So it is quite simple, download an install an old JRE (I got 5u1) and rip the cacerts file out of there and dump it into your new JRE’s directory and try it again. Worked like a charm for me. You probably don’t want to do this permanently (I guess they updated the cacerts file for a reason?) but if you really need to log into MetaFrame, it’ll do.
One Response to The security certificate “America Online Root Certification Authority 2” has a public key of length greater than 2048 bit.