Symptoms

On March 8th of 2023, devices with IGEL OS were unable to connect to specific services. This includes, but may not be limited to, the following:

  • Microsoft Azure Virtual Desktop (AVD)
  • Citrix cloud infrastructure

Affected Versions

  • All IGEL OS Public releases up to 11.08.230
  • Some private builds based on 11.08.230

Cause

A copy of an expired DigiCert SHA-2 Secure Server CA intermediate certificate was included in the Citrix Workspace client for Linux that was integrated into IGEL OS.

Due to the prioritization of certificates in IGEL OS, this copy took precedence over the one included in the main IGEL OS operating system. Since the fingerprint of the valid certificate and the third-party certificate matched, the primary certificate was not loaded into the secure stores, and the applications were unable to use it.

Solution

Upgrade to the latest version of IGEL OS.

If this doesn't fix the issue, a custom command can be deployed that will remove the expired DigiCert root certificate. IGEL has created a profile that contains the command, which you can download and deploy in your environment.

Prerequisites

  • All affected devices are connected to the IGEL Universal Management Suite (UMS).
  • No other custom commands are configured for the affected devices.

Removing the Expired Certificate

To make sure that everything works properly, test the fix on one or two devices before you deploy it on all affected devices.

  1. In the UMS, review all affected devices and make sure that the following fields do not contain any commands:
    System > Firmware Customization > Custom Commands > Desktop > Before Desktop Start
    System > Firmware Customization > Custom Commands > Reconfiguration section

  2. Download the profile IGEL_AVD_fix-authentication-issue.zip and make it available to the machine that hosts your UMS.

  3. In the UMS console, click System > Import > Import Profiles.


  4. Select the profile on your file system and click Open.


  5. If this dialog appears, click Ok. Explanation: The profile is based on IGEL OS 11.11.08.230, but this version is not registered in your UMS. To resolve this conflict, your UMS will modify the profile accordingly; the profile is then based on an IGEL OS version that is known to your UMS.



  6. Assign the profile to the affected devices.



  7. In the Update time dialog, select Now.


  8. Reboot the devices.


Installing the New Certificate

  1. Open https://www.digicert.com/kb/digicert-root-certificates.htm, look for the certificate with the following data, and download it.

    Issuer: DigiCert Global Root CA

    Valid until 22/Sep/2030

    Serial #: 02:74:2e:aa:17:ca:8e:21:c7:17:bb:1f:fc:fd:0c:a0

    SHA1 Fingerprint: 62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C

    SHA256 Fingerprint: C1:AD:77:78:79:6D:20:BC:A6:5C:88:9A:26:55:02:11:56:52:8B:B6:2F:F5:FA:43:E1:B8:E5:A8:3E:3D:2E:AA

  2. In the UMS console, select Files > New file.


  3. Select Upload local file to UMS server and get the certificate file from your file system.



  4. Set the Classification to Common Certificate (all Purpose).


  5. Click Ok to upload the certificate file to the UMS server.


  6. Assign the certificate to the affected devices.



  7. In the Update time dialog, select Now.

    The certificate is transferred to the devices.
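
Because the uploaded file becomes a trusted certificate on every assigned device, it is worth confirming that the download matches the fingerprints listed in step 1 before uploading it to the UMS. The following Python script is an added example, not part of IGEL's instructions or tooling; the script name verify_cert.py is an assumption, and the expected values are copied from step 1.

```python
import base64
import hashlib
import hmac
import re
import sys

# Fingerprints as published in step 1 of "Installing the New Certificate".
EXPECTED = {
    "sha1": "62:6D:44:E7:04:D1:CE:AB:E3:BF:0D:53:39:74:64:AC:80:80:14:2C",
    "sha256": "C1:AD:77:78:79:6D:20:BC:A6:5C:88:9A:26:55:02:11:"
              "56:52:8B:B6:2F:F5:FA:43:E1:B8:E5:A8:3E:3D:2E:AA",
}
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file given as PEM or DER."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armor: treat the file as DER already
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so copied fingerprints compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).lower()


def matches(cert_file: bytes, expected: str, algo: str) -> bool:
    """True if the certificate's fingerprint equals the published one."""
    want = normalize(expected)
    if len(want) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"{algo} fingerprint has the wrong length")
    got = hashlib.new(algo, to_der(cert_file)).hexdigest()
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: verify_cert.py <downloaded certificate file>")
    else:
        with open(sys.argv[1], "rb") as fh:
            cert = fh.read()
        results = {a: matches(cert, fp, a) for a, fp in EXPECTED.items()}
        for algo, ok in results.items():
            print(f"{algo}: {'match' if ok else 'MISMATCH'}")
        sys.exit(0 if all(results.values()) else 1)
```

Upload the file to the UMS only if both fingerprints are reported as a match; the script exits with a non-zero status otherwise.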