KB40171 - Pulse Secure Application Launcher (PSAL) displays security warning "The Certificate is not Trusted" when connecting to Pulse Connect Secure device

Last Modified Date: 6/20/2017 1:22 AM
Synopsis
This article describes an issue where PSAL is prompting with a message “The Certificate is not Trusted”.
Problem or Goal
When connecting to a PCS server using PSAL, a certificate warning states the server certificate is not trusted, even though the certificate is valid.  The security warning is only seen the first time PSAL is used to connect to the server.

If a browser supporting ActiveX or Java is used to connect to the same server URL, there are no security warnings displayed.
 

 

Cause
Starting with the release of Windows Vista, the default list of Certificate Authorities that get included in the Windows Trusted Root Certificate store has been reduced in order to increase performance while validating certificates.  Certificate authorities submit their requests for inclusion to Microsoft through the "Microsoft Root Certificate Program".  During certificate validation, if the certificate chain leads to a root CA that is not found in the trusted root certificate store but it is in the root program, Windows will automatically download and install the root CA in real-time without prompting the user, thereby completing the chain up to the trusted root CA.  

Refer to http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/ for more details.
 
PSAL uses this same process during certificate verification. In some cases, however, PSAL detects the missing root CA before Windows has finished downloading and installing the trusted root CA in the user's certificate store, which causes PSAL to generate the security warning.  Once the certificate is installed, PSAL will use the root CA to validate the certificate chain and will no longer display the security warning.
Solution
The chances that a user will experience this issue are low because of the following factors:
  • Users will only see the security warning if PSAL is used to connect to a PCS gateway from a client PC that does not already have the trusted root CA in its certificate store.
  • It is more likely that users will have already connected to the PCS gateway via a browser session before launching PSAL, which eliminates any chance of the security warning getting generated by PSAL.  
  • PSAL will only display this security warning the first time the user connects to the Secure Gateway. Windows will download and install the missing trusted root CA in the machine's certificate store, and on subsequent connections using PSAL the certificate chain will be validated up to the root.
  • The security warning does not prevent the user from proceeding with the PSAL connection and the connection will still be encrypted.
If the problem persists, navigate to https://cryptoreport.websecurity.symantec.com/checker/ and enter the domain name of the Pulse Connect Secure or Pulse Policy Secure device.  If the website states that an intermediate certificate is missing, please contact the certificate authority to obtain the proper chain.  For information on how to install intermediate certificates on a Pulse Connect Secure or Pulse Policy Secure device, please refer to the admin guide.
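The Cause and Solution sections above can be checked from a client PC with the following PowerShell sketch, which is an added example and not Pulse Secure code. It snapshots the trusted root stores before connecting, so it can tell a root that was already trusted from one Windows installed during validation, and it flags an incomplete chain. The function names and the gateway host name are assumptions.

```powershell
function Get-TrustedRootThumbprints {
    # Thumbprints in the machine and user trusted-root stores (Root and AuthRoot).
    $paths = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
             'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\AuthRoot'
    Get-ChildItem -Path $paths -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Thumbprint -Unique
}

function Test-GatewayRootTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,   # assumption: the gateway's FQDN
        [int]$Port = 443
    )
    # Snapshot BEFORE the handshake: validating the chain can itself make
    # Windows install the root, which is the behaviour the article describes.
    $before = @(Get-TrustedRootThumbprints)

    # Diagnostic only: the callback accepts any certificate so the chain can be
    # inspected afterwards; no application data is sent on this connection.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL/OCSP
    $valid = $chain.Build($leaf)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    # Last element is the root, or the highest certificate found if the chain is partial.
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $after = @(Get-TrustedRootThumbprints)

    $finding = if ($flags -contains 'PartialChain') {
        'Chain incomplete: an intermediate is missing, obtain the proper chain from the CA'
    } elseif (-not $valid) {
        "Chain not valid: $($flags -join ', ')"
    } elseif ($before -contains $top.Thumbprint) {
        'Root was already trusted before connecting: no first-connection warning expected'
    } elseif ($after -contains $top.Thumbprint) {
        'Root was installed during validation: a first PSAL connection could have warned'
    } else { 'Chain valid, but the root was not found in the inspected stores' }

    [pscustomobject]@{ Host = $HostName; Subject = $leaf.Subject; Root = $top.Subject
                       RootThumbprint = $top.Thumbprint; ChainValid = $valid; Finding = $finding }
}
```

Run it as `Test-GatewayRootTrust -HostName <gateway FQDN>` on a client that has not yet connected to the gateway; a second run on the same machine should report the root as already trusted.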
Created By: Raghu Kumar
