Hotfix Installation Fails if the Update Root Certificates Feature in Windows Server 2008 Cannot Automatically Update the Root Certificates

Article ID: CTX129998

Description

If the Update Root Certificate feature of Windows 2008 cannot automatically retrieve or update the root certificates, the VeriSign root certificate used to sign the revised Citrix digital certificate is not available on the system. As a result, the IMA Service fails to start during hotfix installation, which causes the installation to fail. Reasons for why the feature cannot automatically retrieve or update the root certificates include lack of Internet connection or the presence of a Group Policy disabling the feature.

For XenApp 5 hotfixes, the following error message appears:

“Error 26005. Could not start IMA Service in CTX_IMA_StartIMAService State = 1”

Note that the installer rollback also fails and you may have to reconfigure the system.

Resolution

Verifying that a valid root certificate is installed

Before installing the hotfix, perform the following steps on the target server. If the message “Windows does not have enough information to verify this certificate” appears in Step 4, the problem described above is likely to occur.

  1. Right-click the hotfix package and select Properties from the context menu.

  2. Open the Digital Signatures tab.

  3. Select Citrix Systems, Inc. in the signer’s list, and then click Details.

  4. In the Digital Signature Details dialog box, click View Certificate. If the root certificate is missing, the message “Windows does not have enough information to verify this certificate” appears.

Workaround 1

Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:
Certificate Support and Resulting Internet Communication in Windows Server 2008

Workaround 2

If the Update Root Certificate feature cannot automatically update the root certificates, install the necessary VeriSign root certificates manually using the following steps before installing the hotfix.

You will need to download the following root certificates prior to certificate installation.

  1. Access the Download VeriSign, GeoTrust, and Thawte Primary PCA Root Certificates page at the following URL: https://www.symantec.com/theme/roots

  2. Go to the VeriSign Root Package section and click Download a root package to download the roots.zip archive.

To manually install the root certificate:

  1. Extract the roots.zip archive.

  2. Search and double-click VeriSign Class 3 Public Primary Certification Authority - G5.cer in the Generation 5 (G5) PCA folder and click Install Certificate to open the Certificate Import Wizard. Click Next.

  3. Click Next. On the Certificate Store wizard page, click Place all certificates in the following store and then click Browse.

  4. In the Select Certificate Store dialog box, select the Show physical stores checkbox and click the Local Computer node under Trusted Root Certification Authorities. Click OK.

  5. Click Next and then Finish to complete the certificate installation.

  6. To confirm that the certificate was installed successfully, repeat Verifying that a valid root certificate is installed.

  7. Install the hotfix.
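One way to script the verification and manual installation steps above, as an added example that is not part of the Citrix article: it checks the package's Authenticode chain offline with the .NET X509Chain API, and only if the chain cannot be built does it import the VeriSign G5 root from the extracted roots.zip into Local Computer\Trusted Root Certification Authorities. The two file paths are placeholders, and the script assumes an elevated PowerShell session on the target server.

```powershell
# Added example (not from the Citrix article). Placeholder paths below must be adjusted.
param(
    [string]$HotfixPath  = 'C:\Temp\XA5_Hotfix.msp',   # placeholder: the downloaded hotfix package
    [string]$RootCerPath = 'C:\Temp\roots\Generation 5 (G5) PCA\VeriSign Class 3 Public Primary Certification Authority - G5.cer'  # placeholder
)
$RootSubject = 'VeriSign Class 3 Public Primary Certification Authority - G5'

function Test-HotfixChain {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $chainStatus = 'NotSigned'
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # The server may have no Internet access, so skip CRL/OCSP for this diagnosis only.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if ($chain.Build($sig.SignerCertificate)) { $chainStatus = 'Trusted' }
        else { $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }  # e.g. PartialChain
    }
    New-Object PSObject -Property @{ Status = $sig.Status; Signer = $sig.SignerCertificate.Subject; ChainStatus = $chainStatus }
}

function Install-RootCertificate {
    param([string]$CerPath, [string]$ExpectedSubject)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    # Accept only the self-signed root the article names; refuse anything else before touching the store.
    if ($cert.Subject -notlike "*CN=$ExpectedSubject*") { throw "Unexpected subject: $($cert.Subject)" }
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a self-signed root: $($cert.Subject)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        # Idempotent: add the root only if it is not already present.
        if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) { $store.Add($cert) }
    } finally { $store.Close() }
    return $cert.Thumbprint
}

$before = Test-HotfixChain -Path $HotfixPath
"Before: status=$($before.Status) chain=$($before.ChainStatus) signer=$($before.Signer)"
if ($before.ChainStatus -ne 'Trusted') {
    $tp = Install-RootCertificate -CerPath $RootCerPath -ExpectedSubject $RootSubject
    "Imported root $tp into LocalMachine\Root"
    $after = Test-HotfixChain -Path $HotfixPath
    "After: status=$($after.Status) chain=$($after.ChainStatus)"
}
```

The second Test-HotfixChain call is the scripted equivalent of Step 6; the IMA Service performs the same chain validation on every start, so the root must remain in the store after the hotfix is installed.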

Problem Cause

Citrix regularly renews the code signing certificate. The VeriSign root certificate used to sign the new Citrix certificate in 2011 is different from the previous VeriSign root certificate. When installing a hotfix that is digitally signed with this new Citrix certificate, Windows attempts to download the necessary root certificate during the certificate chain validation if the root certificate is not installed on the system. However, if the Update Root Certificate feature cannot automatically retrieve the necessary root certificates, the certificate validation fails. As a result, the IMA Service fails to start during hotfix installation, which causes the installation to fail. Reasons the feature cannot automatically retrieve or update the root certificates include a lack of an internet connection or the presence of a Group Policy disabling the feature.

Specifically, when the IMA Service starts up, several modules used by the service are verified with the Citrix certificate signature. It is during this verification process that the certificate chain is validated. If the root certificate for the signing certificate is not found, the certificate chain becomes invalid and is considered improperly signed. As a result, the modules are considered improperly signed as well, and the IMA Service fails to start. Even after the hotfix is installed, this Citrix certificate signature verification is performed each time the IMA Service starts. Thus, the VeriSign root certificate of the new Citrix certificate must remain installed on the system even after you install the hotfix.

Issue/Introduction

This article provides a resolution for the case where the VeriSign root certificate used to sign the revised Citrix digital certificate is not available on the system.

Additional Information

Certificate Support and Resulting Internet Communication in Windows Server 2008