KB45524 - How to check the valid and invalid Client Certificate logs when Authentication is configured as Certificate Server [Pulse/Ivanti Desktop Client for Windows]

Information

 
Last Modified Date: 2/6/2023 8:53 AM
Synopsis
This article describes how to read the client log entries for valid and invalid client certificates when authentication is configured as Certificate Server. It is specific to Windows machines.
 
Problem or Goal
When connecting to VPN via Ivanti Secure Access Client, users receive the error code: 1332.

When connecting to VPN via browser, users receive a warning.
 
Cause
Below, as an example, is the log extract for an invalid certificate, *.xyz.net.
 
Invalid Certificate:
 
00260,09 2022/10/15 15:33:00.694 3 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jamCert.cpp:826 - 'JamCertLib' 35) Processing Certificate (Subject: *.xyz.net, Issuer: DO_NOT_TRUST_FiddlerRoot, Thumbprint: 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E) ...
00339,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:510 - 'JamCertLib' Calculating rank for certificate [Certificate (Subject: *.xyz.net, Issuer: DO_NOT_TRUST_FiddlerRoot, Thumbprint: 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E)] (thumbprint 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E):
00196,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E is time-valid, rank=0x20000000
00206,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E has KU:DigitalSignature, rank=0x20200000
00201,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E has EKU:ClientAuth, rank=0x20210000
00305,09 2022/10/15 15:33:00.694 3 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 msCert.cpp:1607 - 'JamCertLib' Cert-Chain built for Certificate (Subject: *.xyz.net, Issuer: DO_NOT_TRUST_FiddlerRoot, Thumbprint: 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E), error-status (0x00000010), cert-count (2)
00200,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E has trusted chain, rank=0x20A10000
00247,09 2022/10/15 15:33:00.694 1 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:415 - 'JamCertLib' Certificate 9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E does not meet the required 'is trusted by the server' condition, skipping it (rank 0)

After all the certificates in the certificate store of the user machine [Certificates - Current User > Personal > Certificates] have been validated, the log shows "No valid client certificate found".
 
Solution
For a certificate to be a valid client certificate, the minimal requirements are:
 
> It should be time-valid, and the time should be in sync between the user machine and the PCS/ICS.
> It should have a field "Key Usage" with a value "Digital Signature".
> It should have a field "Extended Key Usage" with a value "ClientAuth".
> It should have a trusted certificate chain.
> It should be trusted by the Client CA certificate present in PCS/ICS [Configuration > Certificates > Trusted Client CAs].
> It should have a private key.
 
Below, as an example, is the log extract for a valid client certificate, *.abc.net.

Valid Certificate:
 
00230,09 2022/10/15 15:33:00.694 3 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jamCert.cpp:826 - 'JamCertLib' 37) Processing Certificate (Subject: *.abc.net, Issuer: alam.net, Thumbprint: 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116) ...
00309,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:510 - 'JamCertLib' Calculating rank for certificate [Certificate (Subject: *.abc.net, Issuer: alam.net, Thumbprint: 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116)] (thumbprint 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116):
00196,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 is time-valid, rank=0x20000000
00206,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 has KU:DigitalSignature, rank=0x20200000
00201,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 has EKU:ClientAuth, rank=0x20210000
00275,09 2022/10/15 15:33:00.694 3 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 msCert.cpp:1607 - 'JamCertLib' Cert-Chain built for Certificate (Subject: *.abc.net, Issuer: abc.net, Thumbprint: 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116), error-status (0x00000000), cert-count (2)
00200,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 has trusted chain, rank=0x20A10000
00207,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 is trusted by the server, rank=0x30A10000
00272,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 msCert.cpp:1940 - 'JamCertLib' Checking silently if certificate Certificate (Subject: *.abc.net, Issuer: abc.net, Thumbprint: 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116) has private key provider...
00327,09 2022/10/15 15:33:00.694 3 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 msCert.cpp:1928 - 'JamCertLib' Certificate (Subject: client.alam.net, Issuer: alam.net, Thumbprint: 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116) has Provider: Microsoft Enhanced Cryptographic Provider v1.0, Key-Container: {E0B8732E-9CE5-4DE4-932A-8E61AEC80ECF}
00198,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:406 - 'JamCertLib' >   certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 has private key, rank=0x70A10000
00188,09 2022/10/15 15:33:00.694 4 Shaukat.Alam Pulse.exe Pulse p19880 t2F08 jcSelectionRule.cpp:714 - 'JamCertLib' Certificate 95CFE6EE35BCF7F97AF63B9D784947A58F0B3116 has higher rank 0x70A10000
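
The two extracts above can be compared mechanically. The following is an added example, not code from the article or from Ivanti: it groups the JamCertLib lines by thumbprint and reports which of the listed requirements each certificate was logged as meeting and which condition caused a skip. The function name `audit`, the record field names and the regular expressions are assumptions based only on the log wording shown in this article.

```python
import re

# Conditions from the article's requirements list, as worded in the client log.
REQUIRED = ["time-valid", "KU:DigitalSignature", "EKU:ClientAuth", "trusted chain", "trusted by the server", "private key"]
TP = r"([0-9A-F]{40})"
PROC = re.compile(r"Processing Certificate \(Subject: (.+?), Issuer: (.+?), Thumbprint: " + TP)
MET = re.compile(r">\s+certificate " + TP + r" (?:is|has) (.+?), rank=(0x[0-9A-Fa-f]+)")
CHAIN = re.compile(r"Cert-Chain built for .*?Thumbprint: " + TP + r"\), error-status \((0x[0-9A-Fa-f]+)\)")
SKIP = re.compile(r"Certificate " + TP + r" does not meet the required '(?:is |has )?(.+?)' condition")

def audit(log_text):
    """Group JamCertLib lines by thumbprint and summarise each certificate."""
    certs = {}
    def rec(tp):
        return certs.setdefault(tp, {"subject": None, "issuer": None, "met": [], "chain_status": None, "failed": None, "rank": 0})
    for line in log_text.splitlines():
        if m := PROC.search(line):
            rec(m[3]).update(subject=m[1], issuer=m[2])
        elif m := MET.search(line):
            r = rec(m[1]); r["met"].append(m[2]); r["rank"] = int(m[3], 16)
        elif m := CHAIN.search(line):
            rec(m[1])["chain_status"] = int(m[2], 16)
        elif m := SKIP.search(line):
            rec(m[1]).update(failed=m[2], rank=0)   # the client logs "rank 0" on a skip
    for r in certs.values():
        # "unconfirmed" = never logged as met (failed, or not reached after a skip)
        r["unconfirmed"] = [c for c in REQUIRED if c not in r["met"]]
        r["usable"] = not r["unconfirmed"] and r["failed"] is None
    return certs

BAD, GOOD = "9CB3FE348412EB8EA793316E14DDDEC6CA2DBE7E", "95CFE6EE35BCF7F97AF63B9D784947A58F0B3116"
# Sample input abridged from the article's two extracts (line prefixes dropped).
SAMPLE = f"""\
35) Processing Certificate (Subject: *.xyz.net, Issuer: DO_NOT_TRUST_FiddlerRoot, Thumbprint: {BAD}) ...
>   certificate {BAD} is time-valid, rank=0x20000000
>   certificate {BAD} has KU:DigitalSignature, rank=0x20200000
>   certificate {BAD} has EKU:ClientAuth, rank=0x20210000
Cert-Chain built for Certificate (Subject: *.xyz.net, Issuer: DO_NOT_TRUST_FiddlerRoot, Thumbprint: {BAD}), error-status (0x00000010), cert-count (2)
>   certificate {BAD} has trusted chain, rank=0x20A10000
Certificate {BAD} does not meet the required 'is trusted by the server' condition, skipping it (rank 0)
37) Processing Certificate (Subject: *.abc.net, Issuer: alam.net, Thumbprint: {GOOD}) ...
>   certificate {GOOD} is time-valid, rank=0x20000000
>   certificate {GOOD} has KU:DigitalSignature, rank=0x20200000
>   certificate {GOOD} has EKU:ClientAuth, rank=0x20210000
>   certificate {GOOD} has trusted chain, rank=0x20A10000
>   certificate {GOOD} is trusted by the server, rank=0x30A10000
>   certificate {GOOD} has private key, rank=0x70A10000
"""
for tp, r in audit(SAMPLE).items():
    print(tp, "usable" if r["usable"] else "rejected at: " + r["failed"], r["unconfirmed"])
```

In the invalid extract the private-key check is never logged because the certificate is skipped first, so it appears under `unconfirmed` alongside the failed condition.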


 
Related Links
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40524/?kA1f1000000WzYJ
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44421/?kA13Z000000L3FE
Created By: shaukat alam
