SSL Certificates play a big role in a Citrix Password Manager deployment. They help to ensure the password data in the central store is genuine and they also allow for encrypted communications between the Password Manager service and the Password Manager agent. There are lots of things that can go wrong with certificates that will stall your Password Manager deployment.

I recenty ran across this little gem:

[error] SSL Library Error 47 on pm.domain.com:443 with peer 10.20.30.40: An unclassified SSL network error occurred. (error code: error:1408A0C1:lib(20):func(138):reason(193))
[warn] SSL handshake from client failed

Well… now isn’t that just so helpful.  After verifying and re-verifying my certificate setup I wasn’t getting anywhere.  I ended up opening the httpd.conf file that the Citrix XTE service depends on and noticed a line near the bottom:

 #Allowed CipherSuite (ALL,COM,GOV)
SSLCipherSuite GOV

I didn’t go to the trouble to lookup what ‘exactly’ this means but I theorized that I don’t really want to limit what kind of SSL cipher I can use so why not change it to read:

 SSLCipherSuite ALL

After making that simple, three letter change, I was now able to hit the Citrix Password Manager service URL from a  web browser and I saw the SSL Error 47 messages in my error.log dissappear.

Hopefully this will save someone else the hours of troubleshooting that I spent on this one.