Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Junos Pulse gives security warning for RapidSSL certificate

SOLVED
Go to solution
adaviel_
Occasional Contributor
‎05-10-2012 06:17:PM
‎05-10-2012 06:17:PM

Junos Pulse gives security warning for RapidSSL certificate

We have a MAG-SM160 version 7.1R1

I installed a commercial certificate from RapidSSL and associated it with the external cluster address. Firefox is happy. But when I connect with Junos Pulse, it gives a security alert saying that the site is untrusted.

I can make the warning go away by installing the RapidSSL certificate in the Java keystore on the client, in addition to the preinstalled Global Trust CA parent certificate.

This isn't a good solution forexternal users. Is this a known problem with Oracle Java, that I need to get a non-chained certificate instead ?

http://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
adaviel_
Occasional Contributor
‎05-11-2012 05:01:PM
‎05-11-2012 05:01:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

I think that's nailed it, thanks. Hard to tell as I need to manually remove the RapidSSL cert from the Java keystore

and then reconnect, which is like proving a negative. I should try from a different fresh client.

I will mark this as resolved, in any case.

For the benefit of anyone else reading this thread, the solution seems to be to download the RapidSSL certificate bundle from https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle... and install it as an custom intermediate CA on the MAG certificates configuration page.

View solution in original post

0 Kudos
7 REPLIES 7
AJA_
Frequent Contributor
‎05-10-2012 07:50:PM
‎05-10-2012 07:50:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

I think - KB22625 should help you on this as I believe you must be seeing the same problem.

 

 

Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks

 

 

0 Kudos
adaviel_
Occasional Contributor
‎05-11-2012 10:40:AM
‎05-11-2012 10:40:AM

Re: Junos Pulse gives security warning for RapidSSL certificate

No, that is a different issue, where the client is using a certificate for authentication.

The issue I have is "cosmetic" only - the user can click "always trust this certificate". As a security officer I deprecate that, and besides, it's annoying to have paid for a commercial certificate that offers no advanatage over a free one from our own CA.

0 Kudos
Kita_
Valued Contributor
‎05-11-2012 12:41:PM
‎05-11-2012 12:41:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

Hello adaviel,

It sounds like the intermediate files were not installed correctly on the web server. Since Firefox has a separate certificate store, it may be possible the intermediate already exist or could be validating a different chain which is missing from the Windows certificate store.

Could you provide the url where the ssl certificate is installed? I can run a few tests.

Kris

0 Kudos
adaviel_
Occasional Contributor
‎05-11-2012 01:25:PM
‎05-11-2012 01:25:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

I don't quite follow you.

I generated a CSR on the MAG, then sent that to RapidSSL. They provided a certificate, which I imported into the MAG (which is a webserver now with a key and a certificate).

In both Firefox and Java on the client computer, the Global Trust CA root certificate is installed by default as a trusted authority. In Firefox, that is sufficient to validate the MAG webserver. In Junos Pulse, using the Java SSL library, it is not. I have to manually install, on each client system, the intermediate RapidSSL certificate into the Java keystore.

If you mean can I give you the URL to our MAG appliance, yes, but I would rather not do so on a public forum.

Is there a private message ability in these forums ? Else I'll just give my email.

0 Kudos
Kita_
Valued Contributor
‎05-11-2012 02:15:PM
‎05-11-2012 02:15:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

I believe that is the step you are missing then. You need to install the intermediate ca to the SA or MAG after installing the ssl certificate you received from RapidSSL. If they are missing from the SA, it will assume the browser has all of the certificate needed to validate the certificate chain.

If you click on the mail icon at the top, you can compose an email to me or you can send it directly to [email protected]

0 Kudos
adaviel_
Occasional Contributor
‎05-11-2012 05:01:PM
‎05-11-2012 05:01:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

I think that's nailed it, thanks. Hard to tell as I need to manually remove the RapidSSL cert from the Java keystore

and then reconnect, which is like proving a negative. I should try from a different fresh client.

I will mark this as resolved, in any case.

For the benefit of anyone else reading this thread, the solution seems to be to download the RapidSSL certificate bundle from https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle... and install it as an custom intermediate CA on the MAG certificates configuration page.

0 Kudos
zanyterp_
Respected Contributor
‎05-21-2012 08:23:PM
‎05-21-2012 08:23:PM

Re: Junos Pulse gives security warning for RapidSSL certificate

thank you for the information on another SSL certifucate vendor that requires custom intermediary upload (VeriSign has been known as tiered environment for some time; i think thawte as well)

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.