Yesterday a new problem arrived. This time it was a certificate problem involving our VPN web page and the Pulse Secure client. Instead of connecting to the VPN through Firefox, I wanted to do it with Pulse Secure. My original post is in the Pulse Secure community.

The logs of Pulse Secure showed this error:

Clearly the application is unable to validate the certificate.

We can use openssl to replicate the problem:

This tells us that Pulse Secure and openssl aren't able to find the issuer certificate. Our issuer is DigiCert Global CA G2, as shown in the openssl output above.

After copying the certificate text from TBS-Certificates, I created a new file (DigiCertCAG2.crt) and pasted the content into it.

Then I used openssl to pass the missing certificate as a parameter and it worked:

Fixing the missing certificate for OpenSSL and PulseSecure

The certificate stores are located in:
  • RHEL/CentOS/Fedora: /etc/pki/tls/certs/ca-bundle.crt
  • Ubuntu/Debian: /etc/ssl/certs/ca-certificates.crt
OpenSSL looks for certificates in /etc/ssl/certs/. Installing certificates there is quite easy. I've found this blog in Chinese explaining the procedure, but remember: certificate files must end with the .crt extension.

This just takes the content of our certificate (DigiCertCAG2.crt) and appends it to /etc/ssl/certs/ca-certificates.crt

When using OpenSSL or Pulse Secure, the problem won't appear anymore.
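
The missing-issuer failure and its fix can be reproduced offline without touching the system trust store. The script below is an added example, not the commands from the original post: it builds a throwaway root CA, intermediate CA and server certificate (all names and file names are constructed) and runs `openssl verify` with the issuer absent, with the issuer appended to the trusted bundle as done above, and with the issuer supplied only as an untrusted chain certificate.

```shell
#!/bin/sh
# Constructed lab: throwaway root CA, intermediate CA and server certificate.
# All names are made up; nothing here touches the system trust store.
work=$(mktemp -d)

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

make_chain() (
  cd "$work" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.crt 2>/dev/null &&
  new_csr int "Demo Intermediate CA" &&
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.crt 2>/dev/null &&
  new_csr leaf "vpn.example.test" &&
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.crt 2>/dev/null
)

# Case 1: only the root is trusted and the issuer (intermediate) is absent.
verify_missing_issuer() {
  openssl verify -CAfile "$work/root.crt" "$work/leaf.crt" 2>&1
}

# Case 2: the post's fix, issuer appended to the trusted bundle.
verify_issuer_in_bundle() {
  cat "$work/root.crt" "$work/int.crt" > "$work/bundle.crt"
  openssl verify -CAfile "$work/bundle.crt" "$work/leaf.crt" 2>&1
}

# Case 3: issuer supplied as an untrusted chain certificate (what a server
# sending its full chain provides); trust still rests on the root only.
verify_issuer_untrusted() {
  openssl verify -CAfile "$work/root.crt" -untrusted "$work/int.crt" \
    "$work/leaf.crt" 2>&1
}

make_chain || { echo "chain generation failed" >&2; exit 1; }
verify_missing_issuer || echo "-> case 1 fails as expected"
verify_issuer_in_bundle
verify_issuer_untrusted
```

On Debian/Ubuntu, `update-ca-certificates` rebuilds /etc/ssl/certs/ca-certificates.crt from the .crt files under /usr/local/share/ca-certificates/, so a manually appended entry can be lost when the bundle is regenerated.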