When configuring the certificate for the Citrix Secure Gateway Server, the following error message appears:
"The server certificate specified is unusable."
Ensure the Private key for the Certificate is available.
Ensure the permissions are correct for MachineKeys folders. The MachineKeys folder is located at the \All Users Profile\Application Data\Microsoft\Crypto\RSA folder. The following settings are the default permissions for the MachineKeys folder:
For the Everyone group, select the following Special permissions:
For more information regarding the default permissions on MachineKeys folders, refer to the Microsoft article "Default permissions for the MachineKeys folders".
The Server Certificates contained in the Local Computer's Personal store are queried.
The Private Key is not available.
See pages 17 and 95 of CTX112429 – Secure Gateway for Windows Administrator's Guide.
Page 17 - Improved certificate selection. The Secure Gateway Configuration wizard prevents the selection of a certificate that does not have a private key.
Page 95 - When you view the certificate, ensure that it contains a key icon and the caption "You have a private key that corresponds to this certificate" at the bottom of the General tab. The lack of an associated private key can result in the CSG0188 error.
The permissions for MachineKeys folders (All Users Profile\Application Data\Microsoft\Crypto\RSA) are misconfigured.
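The following PowerShell check covers both causes above (a certificate in the Local Computer Personal store without a usable private key, and MachineKeys permissions that stop the key from being read). It is an added example, not part of the Citrix article or the Secure Gateway product; it assumes legacy CSP (RSA) key containers, which are the files stored under the MachineKeys folder the article names, and it derives that folder from the CommonApplicationData location (the All Users Profile\Application Data path on Windows Server 2003, ProgramData on later releases). Run it in an elevated session on the Secure Gateway server.

```powershell
# Added example, not part of the Citrix article. Run in an elevated PowerShell session
# on the Secure Gateway server. Covers CSP (legacy RSA) key containers, which are the
# files stored under the MachineKeys folder the article refers to.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
$machineKeys   = Join-Path $commonAppData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-SecureGatewayCertStatus {
    # Enumerate the Local Computer Personal store, the store the configuration wizard queries
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert    = $_
        $keyFile = $null
        $keyOk   = $false
        $note    = ''
        try {
            # For CSP keys, UniqueKeyContainerName is the file name under MachineKeys
            $key = $cert.PrivateKey
            if ($key -and $key.CspKeyContainerInfo) {
                $keyFile = Join-Path $machineKeys $key.CspKeyContainerInfo.UniqueKeyContainerName
                $keyOk   = Test-Path -LiteralPath $keyFile
                if (-not $keyOk) { $note = 'Key container file missing from MachineKeys' }
            } elseif (-not $cert.HasPrivateKey) {
                $note = 'No private key associated; the wizard will reject this certificate'
            } else {
                $note = 'Key held by a CNG provider, not a CSP container'
            }
        } catch {
            # An access-denied error here is the symptom of wrong MachineKeys permissions
            $note = "Private key not accessible: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyReadable   = $keyOk
            KeyFile       = $keyFile
            Note          = $note
        }
    }
}

Get-SecureGatewayCertStatus | Format-Table -AutoSize

# Show the effective ACL on MachineKeys to compare against the Microsoft defaults
(Get-Acl -LiteralPath $machineKeys).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

A certificate that shows HasPrivateKey true but KeyReadable false, or a Note reporting an access error, points at the MachineKeys permissions rather than at the certificate itself.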
Extracted from Page 85 of CTX112429 – Secure Gateway for Windows Administrator's Guide:
Certificate Requirements
Load balancing relies on the use of a virtual IP address. The virtual IP address is bound to an FQDN and all clients request connections from the virtual IP address rather than the individual servers running the Secure Gateway behind it. A single IP address, the virtual IP, acts as an entry point to your servers running the Secure Gateway, simplifying the way clients access Web content, published applications, and services on computers running Citrix Presentation Server. If you are using a load balancing solution, all servers running the Secure Gateway can be accessed using a common FQDN; for example, csgwy.company.com. In conclusion, you need a single server certificate, issued to the FQDN (mapped to the virtual IP or DNS name) of the load balancing server. The certificate must be installed on every server running the Secure Gateway in the server array that is being load balanced.