KB40704 - Pulse Secure Desktop client states "The certificate or certificate chain is based on an untrusted root"

This article describes an issue where Pulse Secure Desktop client is unable to trust the device certificate when making a connection to a Pulse Connect Secure (PCS) or Pulse Policy Secure (PPS) device.

When making a connection to a PCS / PPS device, the following error message will appear:

The certificate or certificate chain is based on an untrusted root.

This message serves as a warning to end users as the secure connection made may be to an unknown source. Pulse Secure strongly recommends to view and evaluate the device certificate before accepting any secure connection by clicking the View button.



This will display the device certificate details and the end user should validate the following details:

• Issued to field should be a known URL used by the PCS or PPS device
• Issued by field should be from a known public certificate authority (VerSign/Symantec, etc) or issued by your company (if a private certificate authority is used)
• If the Issued to and Issued by fields are identical, this is considered a self-signed certificate.  Pulse Secure does not recommended to continue without further validation from the PCS/PPS administrator.

End users will be able to continue connecting by clicking on the Connect button or clicking on the Cancel button to disconnect.

This issue can occur when one of the following conditions are met:

• Intermediate certificate are not properly installed on the PCS/PPS device
• Self-signed certificate is installed on the PCS/PPS device
• Installed device certificate is issued from a private CA

To validate if the certificate chain is installed properly on the PCS/PPS, navigate to the following website and enter the PCS/PPS URL.  

If there are any errors, please perform one of the following steps:

• For end users, please contact your help desk or PCS/PPS administrator to notify the intermediate certificates are not properly installed on the device.
• For PCS/PPS administrators, please contact the public certificate authority to determine the missing intermediate certificates.  Once obtained, please refer to the admin guide for intermediate certificate installation instructions.

Pulse Secure strongly recommends to use device certificates issued from a public certificate authority for all devices.  If a self-signed certificate will be used with the PCS/PPS device, it is important to notify end user how to properly validate the certificate or manually installed the certificate to avoid warning prompt.