When connecting to a new server, KeePass will prompt to confirm Trust in this new server. Once a secure connection has been properly established this message should not display again, except in the case of configuration changes.

Repeated Warnings

If you keep seeing repeated Trust Warnings each time you open KeePass, but not with the web client, you may have a problem with the certificate on your workstation. Here are the most common reasons:

  • Certificate problem (most likely)
  • Server has been migrated recently
  • Network Connections have changed
  • Security Policy problem

Follow these steps:

  • Check if there are Certificate problems
  • Server Migrations: if you have recently changed your networking or migrated a server, the URL(s) listed in the Certificate may point to a location that no longer exists. Check that the Certificate's CRL Distribution Point information is still valid.
  • Check that Pleasant Server has not been interrupted: Restart the Service
  • If you continue to have problems, please let us know your steps and your results, and send your Detailed Log files (Server, Web & KeePass) to Support.
  • We will take a look and diagnose the problem and can schedule a screen-share to resolve if necessary.

Certificate Location

If your Certificate is properly installed on the workstation, the system should trust the stored Certificate.

KeePass for Pleasant client saves this in:

  • Trusted People

On the Password Server machine, this certificate is placed in the certificate store at:

  • Computer\Personal\Certificates

Viewing Certificate Details

To view the details of your certificates and check them for errors, it's possible to check them from your browser or through Manage Certificates (MMC).

In Chrome:

  • Press F12 on a browser page -> Click Security tab -> Click View Certificate -> Click Details tab

In Firefox:

  • Click the lock beside the URL -> Click ">" to view connection details -> Click More information -> Click Certificate(s) to expand a list (if there is more than one) -> Click Security tab -> Click View certificate -> Click Details tab

Standard Certificate Checks

  1. First test if there is a Certificate problem by:
    • Connecting to our private free-to-use Demo Server, OR,
    • Connecting using a mobile device which has the same certificate, and which has connection access to the Password server, to see if the mobile app / browser can connect successfully
  2. Check that the Certificates are stored in the Certificate Store in the proper locations
  3. Check that the Certificates have not expired
  4. Check that the Certificate "Issued To" exactly matches the server location address
  5. Check that the Certificate "Issuer" information is correct
  6. Check the CRL Distribution Point information is still valid
  7. Check that the Certificate is not using an old SHA1 signature hash, and is properly switched to SHA256 / SHA512

If a Certificate problem remains, continue on to the more advanced checks below.

Revocation Status Checks

Beginning with the Root Certificate, the Certificate chain is validated, looking for any revocation statuses on the certificates. In the future, Password Server will provide these specific error statuses.

Here is a full list of validation items for revocation statuses:

  1. Chained certificates may have expired or are not yet in effect
  2. The Certificate may not have been issued for current use
  3. Invalid name, constraints, or policy
  4. The Certificate Authority (CA) may no longer be trusted
  5. Root Revocation may be unknown when determining certificate verification
  6. The Certificate Authority Revocation may not be specified
  7. The End Certificate (i.e. the user certificate) revocation is unknown
  8. The Certificate Trust List (CTL) signer revocation may be unknown
  9. The Certificate Trust List (CTL) may not be valid or is expired
  10. Together the CA (Certificate Authority) certificate and the issued certificate must have nested validity periods
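
The standard checks (items 3 to 7) and the chain revocation check can be run in one pass from PowerShell on the workstation. This is an added example, not part of the original page or the product: `Test-CertificateTrust` is a hypothetical helper name, the `Cert:\CurrentUser\TrustedPeople` store scope and the host name `passwords.example.com` are assumptions, and it uses .NET's `X509Chain` as the validator, which the page does not name.

```powershell
# Added example: Test-CertificateTrust is a hypothetical helper, not a product cmdlet.
function Test-CertificateTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ServerName   # host part of the URL KeePass connects to
    )
    process {
        $now = Get-Date

        # "Issued To": subject CN plus Subject Alternative Name entries (OID 2.5.29.17).
        $names = @($Certificate.GetNameInfo('SimpleName', $false))
        $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Windows renders each entry as "DNS Name=host"; keep the text after '='.
            $names += $san.Format($true) -split "`r?`n" |
                ForEach-Object { ($_ -split '=', 2)[-1].Trim() } | Where-Object { $_ }
        }
        # Exact match, or a wildcard that covers exactly one leading label.
        $nameMatch = [bool]($names | Where-Object {
            $_ -eq $ServerName -or
            ($_.StartsWith('*.') -and $ServerName.Contains('.') -and
             $_.Substring(1) -eq $ServerName.Substring($ServerName.IndexOf('.')))
        })

        # CRL Distribution Point URLs (OID 2.5.29.31), to compare against current network locations.
        $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $crlUrls = @(if ($cdp) {
            [regex]::Matches($cdp.Format($true), '(?i)(https?|ldap)://[^\s)]+') |
                ForEach-Object { $_.Value } | Select-Object -Unique
        })

        # Build the chain with online revocation checking for every element, root included.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk = $chain.Build($Certificate)

        [pscustomobject]@{
            Subject          = $Certificate.Subject
            Issuer           = $Certificate.Issuer
            NotAfter         = $Certificate.NotAfter
            InValidityPeriod = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
            NameMatches      = $nameMatch
            SignatureHash    = $Certificate.SignatureAlgorithm.FriendlyName
            WeakSignature    = $Certificate.SignatureAlgorithm.FriendlyName -match 'sha1|md5'
            CrlUrls          = $crlUrls
            ChainBuilds      = $chainOk
            ChainStatus      = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
}
# Constructed usage: store scope and host name are assumptions, replace with your own.
Get-ChildItem Cert:\CurrentUser\TrustedPeople | Test-CertificateTrust -ServerName 'passwords.example.com'
```

An empty `ChainStatus` with `ChainBuilds` true means the chain validated; any flags listed there name the chain element condition that failed, such as an unknown revocation status when a CRL URL is no longer reachable.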