We've recently acquired a wildcard certificate from Entrust for our SSL VPN and SharePoint passthrough.
I have the wildcard certificate installed as a device cert.
I have the Entrust cert added to the intermediate CAs.
I also have the Entrust Root CA and Entrust Secure Server CA in Trusted Server CAs.
When users come through the SSL VPN they are still getting prompted with cert errors.
"The certificate was not issued by a trusted CA"
I did see another posting about the use of a wildcard cert, however the other user's solution was to add the high cert in the chain for CA.
Unless there is something higher than the two Entrust certs I've got in Trusted Server CAs I don't think that solution will apply for me.
I haven't heard of any issues with wildcard certificates. If you are getting an untrusted error, this usually means either the incorrect intermediates were added to the SA or the end user browser is missing the root certificates. Can you give the URL where you have the certificate installed? I can run a few tests to confirm the issue.
Externally from the login URL the cert is fine, however you would have to log in to the site to see the error.
The error only pops up after user authentication is complete, and the users are hitting our SharePoint landing page that is passthrough proxied.
After continuing anyway through the Juniper, the SharePoint cert is fine from a client perspective as well.
An easy way to track this is to access the SharePoint landing page directly (not after logging in via the SA) and see if you see the same cert error.
If yes, then the cause should be the same.
If no, then check the CA and intermediate certs that are installed on the browser and see if the same are available on the SA under Trusted Server CAs.
If the error is happening after authentication to the SharePoint site behind the SA device, then my assumption is there is no issue with the wildcard certificate installed on the SA device.
What is the CA that signs the certificate installed on the SharePoint site?
Is it signed by a public or private CA?
If it's a private CA, you'll want to ensure you've installed this CA on the SA under Trusted Server CAs or you can disable the option for "Warn users about the certificate problems" under Users Roles > Web > Options > Advanced Options > Allow browsing untrusted SSL websites.
Please be sure that the root and both/all intermediates are uploaded to the trusted server store (as mentioned by Kita and rakeshb).
In addition, if you look at a TCP dump of the traffic, you can check the SSL handshake to verify that the server is sending the chain back correctly. When you are viewing the trace, the server will send a "server hello" and a "certificate" packet (sometimes at the same time, other times singly). In the certificate packet, you can see the certificate information that is being sent. If that is accurate and the trust is complete on the SA, then you need to work with JTAC for further assistance; otherwise, you will need to work with your web server team to make sure the certificate chain is being sent correctly. I have seen where the server is sending the certificate incorrectly and the SA would pick up on it but desktop browsers do not.
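The handshake check the last reply describes, as an added example that is not part of the thread: a small POSIX shell helper that reads what `openssl s_client -showcerts` reports in the server's "Certificate" record and checks that each certificate's issuer is the subject of the next one sent, so a leaf-only or broken chain from the web server shows up without a packet capture. It assumes `openssl` and `awk` are in PATH; the host and CA names in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example: check the certificate chain a TLS server actually sends,
# using `openssl s_client -showcerts` output instead of a tcpdump trace.

# chain_check: read s_client output on stdin; return 0 when every issuer
# matches the subject of the next certificate sent, 1 on a gap or when
# openssl reports the leaf arrived without its intermediate.
chain_check() {
    awk '
        /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        /^Verify return code:/ { verify = $0 }
        END {
            if (!(0 in subj)) { print "no certificates seen"; exit 1 }
            bad = 0
            for (k = 0; (k + 1) in subj; k++)
                if (iss[k] != subj[k + 1]) {
                    print "gap: cert " k " issuer <" iss[k] "> is not cert " (k + 1) " subject"
                    bad = 1
                }
            print "certificates sent: " (k + 1) ", top issuer: " iss[k]
            if (k == 0 && iss[0] != subj[0]) print "only the leaf was sent; the SA must hold its issuer under Trusted Server CAs"
            if (verify ~ /code: 21[^0-9]/) { print "openssl: leaf sent without its intermediate"; bad = 1 }
            if (verify ~ /code: 20[^0-9]/) print "top issuer not in the local trust store: compare with the SA Trusted Server CAs"
            exit bad
        }'
}

# check_server HOST [PORT]: fetch the chain the server really sends and check it.
check_server() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null | chain_check
}

# Constructed samples in s_client "Certificate chain" format (placeholder names).
SAMPLE_FULL=' 0 s:CN = *.example.test
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_LEAF_ONLY=' 0 s:CN = *.example.test
   i:CN = Example Issuing CA
Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_FULL" | chain_check || echo "-> problem in full-chain sample"
printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_check || echo "-> problem in leaf-only sample (expected)"
```

Run `check_server sharepoint.example.test` against the real landing page and compare the printed top issuer with the entries under Trusted Server CAs on the SA.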