To resolve this issue, ensure to install the root certificate (via keychain access) that signs the device certificate. If the device certificate is a self-signed certificate, perform the following steps to trust the self signed certificate on MacOS.Note: The following steps do not apply to iOS devices.
To resolve this issue for iOS devices, please refer to the iOS device section
- Connect to the PCS device via Safari
- During the initial connection, Safari will prompt the message "Safari can't verify the identify of the website "<website_address>"
- Click Show Certificates
- Select the checkbox Always trust "<website_address>" when connecting to "<website_address>"
- Click Continue
- A prompt for admin credentials will appear. Enter the proper credentials and click Update Settings.
Once this is complete, retry the connection again.
For iOS, all HTML5 web socket connections must by from trusted certificate. Since the device is making a secure connection to the Pulse Connect Secure device, the device certificate must be signed from a trusted certificate authority (public or private ca). If iOS consider the certificate as trusted, the following error message will appear in the device console logs:
Feb 11 12:02:06 securityd <Error>: secTaskDiagnoseEntitlements
MISSING keychain entitlements: no stored taskRef found
Feb 11 12:02:06 com.apple.WebKit.WebContent <Error>: SecTrustEvaluate
To confirm this issue, perform the following steps:
- Download and open Xcode on Mac OS X
- Using a lighting cable, connect an iOS device to the Mac OS X.
- From the menu bar, click Window > Devices.
- From the left pane, under Devices, click on the iOS device.
- From the bottom pane, replicate the issue and confirm the log message above.
To resolve this issue, please install a device certificate signed by a public CA (certificate authority) with all intermediate certificates on the PCS device. For installation instructions, please refer to KB22288 - [PCS] How to install a certificate on a Pulse Connect Secure Access gateway
It is possible to use a private CA or self-signed certificate to resolve this issue, but the private CA or self-signed certificate would need to be manually installed on every iOS device. Additionally, end users will need to manually trust the root certificate for iOS device running 10.3.1 and above. For further instructions, refer to KB40606 - Private or local CA already installed and receiving untrusted certificate warning when connecting to Pulse Connect Secure (PCS) device with iOS 10.3.1 and above
This is not recommended for production devices as this solution is not scalable.