KB43689 - Unable to register appliances to Pulse One On-Prem configured with a self-signed certificate

This article describes an issue where Pulse Connect Secure / Pulse Policy Secure fails to register with Pulse One (On-Premise) version 2.0.1743 and above when a self-signed certificate is installed on the Pulse One device.

After the initial configuration with Pulse One (On-Premise) version 2.0.1743 and above with a self-signed certificate, the Pulse Connect Secure / Pulse Policy Secure may fail to register with the following error message (in the event log):

System()[] - Failed to execute 'Registration Request'. Details 'Transfer returned result code 60 
(Peer certificate cannot be authenticated with known CA certificates). Error Message: SSL certificate 
problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed., REST call failed for resource https://MyOnPrem.test.com/api/v1/sa/register'

Connection error with Pulse One: SSL certificate problem, verify that the CA cert is OK. 
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed; 
Host: mypulseonedomain.com

This issue occurs due to the fact that Pulse Connect Secure and Pulse Policy Secure must trust the device certificate installed on the Pulse One device to complete a successful SSL handshake. It is important that PPS and PCS contain not only the root certificate the signed the Pulse One certificate but also include any intermediate certificates as well.

To resolve the issue, the recommendation is to obtain a device certificate for Pulse One which is signed by a trusted certificate authority.  If the certificate is signed by a private certificate authority, the root certificate authority (CA) must be installed on each Pulse Connect Secure / Pulse Policy Secure device.

Workaround:

One method to retrieve the self-signed certificate is via your web browser. With the following instructions a user can connect to the Pulse One UI and use browser options to download the self-signed certificate.

For Chrome v64, click the lock icon in the top left side of the browser window in the URL bar, select details and copy to file.


For Internet Explorer 11 you’ll need to first run IE as an administrator. You can close IE, then find iexplorer.exe in Windows, right click it, and select run as administrator. Once you do that connect to Pulse One and right click the web page and select properties. From there select certificate. Once the certificate is opened select details and copy to file.



For Firefox v58, select the lock icon in the URL bar, then click on the arrow to the right to show connection details.