KB40606 - Private or local CA already installed and receiving untrusted certificate warning when connecting to Pulse Connect Secure (PCS) device with iOS 10.3.1 and above

This article provides information how to trust a root certificate for a VPN connection in iOS 10.3.1 and above when local or private certificate authority (CA) was installed manually.

When end user tries to connect to a Pulse Connect Secure device with iOS 10.3.1, the user gets a certificate untrusted warning.

The certificate for this server is invalid. 
Tap Accept to connect to this server anyway.

This issue occurs due to a new security changes in iOS 10.3.1. In 10.3 and above, any profile manually installed with a certificate payload isn't automatically trusted for SSL connections. For more information, refer to the following Apple document.

This issue is applicable to customers who utilize a private certificate authority (CA) or local CA and have manually installed the CA.

To resolve this issue, perform the following steps:

1. Navigate to General > About > Certificate Trust Settings
2. Under Enable full trust for root certificates, turn on the slider for the applicable root certificate.

Alternatively, using Pulse WorkSpace or other MDM solutions will avoid this issue.  When a root certificate is pushed along with a VPN profile, full trust to the root certificate is provided by default.