KB19692 - Pulse Secure Mobile client for Android cannot pass the "Failed to connect to server! Check your Certificate" error message when "Uses Certificate" is selected on Android devices.

Last Modified Date: 12/14/2015 5:10 AM
This article provides information about certificate authentication and how to separate the certificate and personal key files when the Pulse Secure Mobile client platform attempts to create a new connection on a Google Android device.
Problem or Goal
If Pulse Secure Mobile Client on Google Android requires certificate authentication when attempting to create a new connection, the "Failed to connect to server! Check your Certificate" error message is generated.

When "Uses Certificate" is selected in Pulse Secure client on Google Android, Pulse Secure client asks for the path to the Certificate and Certificate Key file.

Certificate authentication can be performed only if the user certificate and the private key are separated before completing the new connection.

To separate the private key from the certificate, use these OpenSSL commands:
  1. Convert the certificate and key from the PFX file or the P12 file to the PEM format:

    PFX file

    openssl pkcs12 -in <filename>.pfx -out certificate.pem -nokeys
    openssl pkcs12 -in <filename>.pfx -out privatekey.pem -nodes

    P12 file

    openssl pkcs12 -in <filename>.p12 -out certificate.pem -nokeys
    openssl pkcs12 -in <filename>.p12 -out privatekey.pem -nodes

    If the Certificate is PEM, it must not contain the following:

    Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
    friendlyName: 87645bd033c487cad2835567b626d1b8_bbdf7030-21b0-488c-9f9b-22048b9e80f9
    Key Attributes
    X509v3 Key Usage: 10

    If it does contain the contents listed above, delete them so that the file starts and ends with the following:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    Important: Any additional information below 'END CERTIFICATE' (in certificate.pem) and 'END RSA PRIVATE KEY' (in privatekey.pem) should be deleted. PEM files should contain only one certificate entry. In addition to removing the Bag Attributes from the Certificate, you must remove the Bag Attributes from the private key as well.

  2. Convert the certificate and key from PEM to the DER format:
    openssl x509 -in certificate.pem -inform PEM -out certificate.der -outform DER
    openssl rsa -in privatekey.pem -inform PEM -out privatekey.der -outform DER
  3. Place a copy of each of the certificate.der and privatekey.der files on the SD card of the Android device.

  4. In the New Connection window on the Android device, browse to the certificate.der file for the Certificate Path field and then browse to the privatekey.der file for the Key Path.
  • When performing certificate authentication, the PCS's certificate must be valid; otherwise, you will not be able to connect. Valid means that the device certificate is not expired, the Issuer Name or Subject Alternative Names match the PCS hostname being accessed, and the Certificate Authority(ies) are trusted by the client (in this case, your Android phone).
  • Supported file extensions:
    • Certificate Authority: Supports only the PKCS #12 format with the .p12 extension. If you are installing the certificate from your Android phone, go to Settings > Location & Security > Install from SD Card.
    • Certificate: Only X.509 .DER extensions are supported.
    • Certificate Key: Only X.509 .DER extensions are supported.
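
The clean-up described in step 1 can be scripted instead of done by hand. The following is an added example, not code from the original article or from Pulse Secure: the function names `pem_first_block` and `pem_is_clean` are hypothetical, and the sample file is constructed with placeholder body lines. Pass `CERTIFICATE` for certificate.pem and `'PRIVATE KEY'` for privatekey.pem.

```shell
#!/bin/sh
# Added example (not vendor code): isolate one PEM entry from openssl pkcs12 output.

# pem_first_block FILE LABEL
# Print the first "-----BEGIN ... LABEL-----" block in FILE and nothing else,
# dropping Bag Attributes, Key Attributes and any later entries.
pem_first_block() {
    awk -v label="$2" '
        $0 ~ ("^-----BEGIN ([A-Z]+ )*" label "-----") { inblock = 1 }
        inblock { print }
        inblock && $0 ~ ("^-----END ([A-Z]+ )*" label "-----") { exit }
    ' "$1"
}

# pem_is_clean FILE
# Succeed only if FILE holds exactly one entry and starts and ends on its markers.
pem_is_clean() {
    [ "$(grep -c '^-----BEGIN ' "$1")" -eq 1 ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN ' || return 1
    tail -n 1 "$1" | grep -q '^-----END '
}

# Constructed sample: shaped like pkcs12 output, body lines are placeholders.
demo_dir=$(mktemp -d)
raw="$demo_dir/certificate.pem"
clean="$demo_dir/certificate.clean.pem"
cat > "$raw" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: constructed-sample
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYLINE1
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYLINE2
-----END CERTIFICATE-----
EOF

pem_first_block "$raw" CERTIFICATE > "$clean"
for f in "$raw" "$clean"; do
    if pem_is_clean "$f"; then echo "$f: clean"; else echo "$f: needs stripping"; fi
done
```

The `-nodes` option in step 1 writes the private key unencrypted, so privatekey.pem and privatekey.der are readable by anyone who obtains the files; delete the working copies once the DER files are on the device.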
Created By: Data Deployment