Reset Search



KB40704 - Pulse Secure Desktop client states "The certificate or certificate chain is based on an untrusted root"

« Go Back


Last Modified Date6/20/2017 2:02 AM
This article describes an issue where Pulse Secure Desktop client is unable to trust the device certificate when making a connection to a Pulse Connect Secure (PCS) or Pulse Policy Secure (PPS) device.
Problem or Goal
When making a connection to a PCS / PPS device, the following error message will appear:
The certificate or certificate chain is based on an untrusted root.
This message serves as a warning to end users as the secure connection made may be to an unknown source. Pulse Secure strongly recommends to view and evaluate the device certificate before accepting any secure connection by clicking the View button.

User-added image

This will display the device certificate details and the end user should validate the following details:
  • Issued to field should be a known URL used by the PCS or PPS device
  • Issued by field should be from a known public certificate authority (VerSign/Symantec, etc) or issued by your company (if a private certificate authority is used)
  • If the Issued to and Issued by fields are identical, this is considered a self-signed certificate.  Pulse Secure does not recommended to continue without further validation from the PCS/PPS administrator.
End users will be able to continue connecting by clicking on the Connect button or clicking on the Cancel button to disconnect.
This issue can occur when one of the following conditions are met:
  • Intermediate certificate are not properly installed on the PCS/PPS device
  • Self-signed certificate is installed on the PCS/PPS device
  • Installed device certificate is issued from a private CA
To validate if the certificate chain is installed properly on the PCS/PPS, navigate to the following website and enter the PCS/PPS URL.  

If there are any errors, please perform one of the following steps:
  • For end users, please contact your help desk or PCS/PPS administrator to notify the intermediate certificates are not properly installed on the device.
  • For PCS/PPS administrators, please contact the public certificate authority to determine the missing intermediate certificates.  Once obtained, please refer to the admin guide for intermediate certificate installation instructions.
Pulse Secure strongly recommends to use device certificates issued from a public certificate authority for all devices.  If a self-signed certificate will be used with the PCS/PPS device, it is important to notify end user how to properly validate the certificate or manually installed the certificate to avoid warning prompt.
Related Links
Attachment 1 
Created ByK. Kitajima



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255