Host Checker can check only for machine certs that are issued by a CA. It cannot check for a root CA where the "issued to" and "issued by" fields are the same.
While this still seems to be the case in 2013, there may be something similar you can do.
You can set up a preconfigured Junos Pulse file from the settings in the connection on the gateway. If you set the Dynamic trust check box, in the Junos Pulse connections page in the gateway, you allow the user to accept certificate errors when connecting to the gateway. This is the default.
In our case, users with company laptops have a root CA that was the CA to certify the outside address of the MAG gateways (via a load balancer). This certificate will be "invalid" to everyone except someone with the root CA installed.
So, you can clear (remove) the check box for "Dynamic connections" in the GUI and export the preconfig file, or change the
line to be
What this will do, when a user connects to a gateway certified by the CA and they have the root CA, is allow them to log on. When the user connects but there is no root CA certifying the chain of the CA to the machine's cert, the connection will fail, as the user will not have the opportunity to accept the connection.
Will this work for you?
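
The trust decision described in the post above, as an added example that is not part of the original thread and is not Junos Pulse configuration. It models only the certificate check with `openssl`: the gateway certificate is accepted when the private root is in the client's trust store and refused otherwise, with no override path. All names (`Example Corp Root CA`, `vpn.example.test`, the file names and the `make_pki` and `client_accepts` helpers) are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: throwaway PKI, every subject and file name is made up.

# Build a corporate root, a gateway cert issued by it, and an unrelated root.
make_pki() {
    dir=$1
    # Corporate root CA: self-signed, so "issued to" equals "issued by".
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Corp Root CA" \
        -keyout "$dir/corp-root.key" -out "$dir/corp-root.pem" 2>/dev/null || return 1
    # Gateway key pair and signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null || return 1
    # The corporate root issues the gateway certificate.
    openssl x509 -req -in "$dir/gw.csr" -days 2 \
        -CA "$dir/corp-root.pem" -CAkey "$dir/corp-root.key" -CAcreateserial \
        -out "$dir/gw.pem" 2>/dev/null || return 1
    # A root that has nothing to do with the gateway (stands in for the
    # trust store of a device without the company root installed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$dir/other-root.key" -out "$dir/other-root.pem" 2>/dev/null || return 1
}

# $1 = client trust store (PEM), $2 = certificate presented by the gateway.
# Succeeds only if the chain validates. There is deliberately no
# "accept anyway" branch: that is the effect of turning dynamic trust off.
client_accepts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo run
demo_dir=$(mktemp -d)
if make_pki "$demo_dir"; then
    client_accepts "$demo_dir/corp-root.pem" "$demo_dir/gw.pem" \
        && echo "laptop with company root: connection allowed"
    client_accepts "$demo_dir/other-root.pem" "$demo_dir/gw.pem" \
        || echo "device without company root: connection refused"
fi
rm -rf "$demo_dir"
```

This is a server-certificate check, so it tells you the device holds the public root, which can be copied; it is not equivalent to a Host Checker machine-certificate check, where the device proves possession of a private key.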