KB40171 - Certificate warning is displayed that "The Certificate is not Trusted" when launching PSAL or Pulse Desktop client.

Last Modified Date: 6/20/2017 1:22 AM
Synopsis
This article describes an issue that occurs when launching PSAL or the Pulse Desktop client where a certificate warning is displayed that “The Certificate is not Trusted” even though the certificate is valid and the name on the certificate is valid.
Problem or Goal
When connecting to a PCS server using PSAL or Pulse Desktop client, a certificate warning is generated with the following certificate status:
There is a problem with the site's security certificate.
The certificate is valid.
The name on the certificate is valid.

Screenshot of certificate warning: (image not reproduced in this copy of the article)
  • The security warning is only seen the first time PSAL is used to connect to the server.
  • The security warning is seen every time Pulse Desktop client is launched.
  • If a browser supporting ActiveX or Java is used to connect to the same server URL, no security warnings are displayed.

Cause
This issue occurs due to the following changes in Windows certificate management procedures and affects PSAL and PDC in the following ways:
  • Starting with the release of Windows Vista, the default list of Certificate Authorities included in the Windows Trusted Root Certificate store has been reduced in order to improve performance while validating certificates.
  • Certificate authorities submit their requests for inclusion to Microsoft through the "Microsoft Root Certificate Program".
  • During certificate validation, if the certificate chain leads to a root CA that is not found in the trusted root certificate store but is in the root program, Windows automatically downloads and installs the root CA in real time without prompting the user, thereby completing the chain up to the trusted root CA.
  • Refer to http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/ for more details.
  • During certificate verification with PSAL, there are some cases where the missing CAs are detected before the root CAs have been downloaded to the Windows certificate store.
  • With Pulse Desktop client there is no browser involved, so Windows will not start the download of the Certificate Trust List (CTL) containing Windows-approved CAs, and the warning will be displayed on each connection attempt until the CA for the PCS device certificate is installed on the client.

The chances that a user using PSAL will experience this issue are low because of the following factors:
  • Users will only see the security warning if PSAL is used to connect to a PCS gateway from a client PC that does not already have the trusted root CA in its certificate store.
  • It is more likely that users will already have connected to the PCS gateway via a browser session before launching PSAL, which eliminates any chance of the security warning being generated by PSAL.
  • PSAL will only display this security warning the first time the user connects to the Secure Gateway, since Windows downloads and installs the missing trusted root CA in the machine's certificate store; on subsequent connections using PSAL, the certificate chain is validated up to the root.
  • The security warning does not prevent the user from proceeding with the PSAL connection, and the connection will still be encrypted.
Solution
  • For Pulse Desktop, affected users can access the PCS URL in a browser, which triggers the download of the CTL; otherwise the CA must be imported into the client's Trusted Root CA store.
  • This can be achieved using the Certificates snap-in in the Microsoft Management Console (MMC) program.
  • Administrators can also control how clients obtain the CTL; see the Microsoft article "Configure Trusted Roots and Disallowed Certificates".
If the problem persists after the CA is installed, navigate to https://cryptoreport.websecurity.symantec.com/checker/ and enter the domain name of the Pulse Connect Secure or Pulse Policy Secure device. If the website states that an intermediate certificate is missing, contact the certificate authority to obtain the proper chain. For information on how to install intermediate certificates on a Pulse Connect Secure or Pulse Policy Secure device, refer to the admin guide.
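The two failure modes in this article look identical in the Pulse Desktop warning but need different fixes: a root CA that Windows has not yet pulled into the client's Trusted Root store (fixed on the client) versus an intermediate certificate the gateway does not send (fixed on the PCS/PPS device). The following PowerShell script is an added example, not part of this KB article and not a Pulse Secure tool. It assumes a Windows client with the PKI module (Import-Certificate) available, and the host name vpn.example.com, the parameter names, and the script file name Check-PcsChain.ps1 used in the usage note are placeholders.

```powershell
# Added diagnostic (not from the KB article or from Pulse Secure): builds the chain of
# the certificate a PCS/PPS gateway presents using the Windows chain engine, the same
# engine PSAL and Pulse Desktop depend on, and reports which case applies.
# 'vpn.example.com' is a placeholder; replace it with the gateway FQDN.
param(
    [string]$HostName = 'vpn.example.com',
    [int]$Port = 443,
    [switch]$Import      # write the root into the LocalMachine Trusted Root store (requires elevation)
)

# 1. Fetch the certificate the gateway presents. The callback returns $true only so the
#    handshake completes; trust is evaluated separately in step 2.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($HostName)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. Build the chain with CryptoAPI. On a client with automatic root updates enabled this
#    is the path that can fetch a missing root from the Microsoft Root Certificate Program.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)
"Subject  : $($leaf.Subject)"
"Issuer   : $($leaf.Issuer)"
"Chain OK : $trusted"
foreach ($s in $chain.ChainStatus) { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }

# 3. Classify the result. The last chain element is the highest certificate the engine
#    could reach: self-signed means the root was found but is not trusted locally;
#    not self-signed means an intermediate is missing, which is a gateway-side problem.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$selfSigned  = ($top.Subject -eq $top.Issuer)
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
                      Where-Object Thumbprint -eq $top.Thumbprint)
"Top of chain: $($top.Subject)  self-signed=$selfSigned  in Trusted Root store=$inRootStore"

if (-not $trusted -and -not $selfSigned) {
    "The gateway is not sending its intermediate certificate(s); install the full chain on the PCS/PPS device."
}
elseif (-not $trusted -and -not $inRootStore) {
    $cerPath = Join-Path $env:TEMP "$($top.Thumbprint).cer"
    [System.IO.File]::WriteAllBytes($cerPath, $top.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    "Root CA exported to $cerPath (thumbprint $($top.Thumbprint))"
    if ($Import) {
        # Compare the thumbprint with the fingerprint the CA publishes before trusting it;
        # importing whatever a server sends would defeat the purpose of the root store.
        Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        "Imported into Cert:\LocalMachine\Root; Pulse Desktop should now validate the chain."
    }
    else {
        "Verify the thumbprint against the CA's published root fingerprint, then re-run with -Import"
        "(or import the .cer through the Certificates MMC snap-in, as the article describes)."
    }
}
```

Run it from the affected client as `.\Check-PcsChain.ps1 -HostName vpn.example.com`. A `PartialChain` status with a non-self-signed top certificate corresponds to the "intermediate certificate is missing" result from the online checker above; an `UntrustedRoot` status with a self-signed top certificate is the client-side case this article describes, and the import step is the scripted equivalent of the MMC procedure.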
Created By: Raghu Kumar