If you see this message, it could be a problem with your certificate(s) or security policies.

[Image: Trust Warning error message]

If you always get a trust warning when opening KeePass and when retrieving a password from KeePass, but not when using the web client, you may have a problem with the certificate on your workstation.

Password Server saves the certificate in the certificate store at:

  • Computer\Personal\Certificates

while the KeePass for Pleasant client saves it in:

  • Trusted People

If your CA certificate is properly installed on the workstation, you should not see this message because the system should trust the certificate after it is in the store.

However, if you still see this Trust Warning message, it is because there is a problem with your certificate(s) or security policies.

For example:

  • If you have recently changed your networking or migrated a server, the URL(s) listed in the certificate may be pointing to a location that no longer exists: check that the CRL Distribution Point information is still valid.

You can use the following sections to view the details of your certificates and to check them for errors.

Viewing Certificate Details

In Chrome:

  • Press F12 on a browser page -> Click Security tab -> Click View Certificate -> Click Details tab

In Firefox:

  • Click the lock beside the URL -> Click ">" to view connection details -> Click More information -> Click Certificate(s) to expand a list (if there is more than one) -> Click Security tab -> Click View certificate -> Click Details tab

Standard Checks

  1. Check that the certificate has not expired
  2. Check that the certificates are saved in the certificate store in the proper locations
  3. To test if there is a certificate problem, try to either:
    • connect to our private free-to-use Demo Server
    • connect using a mobile device with that certificate to see if the mobile app / browser can connect successfully
  4. Check the CRL Distribution Point information is still valid
  5. Check that the Issuer information is correct
  6. Check that the certificate is not using an old SHA1 signature hash, but is properly switched to SHA256 / SHA512
  7. Check that Pleasant server has not been unduly interrupted -- stop & restart the service
  8. If this is still a problem, please forward your web & server logs for us to review

Revocation Status Checks

Beginning with the Root Certificate, the certificate chain is validated, looking for any revocation statuses on the certificates. In the future, Password Server will provide these specific error statuses.

Here is a full list of validation items for revocation statuses:

  1. Chained certificates may have expired or are not yet in effect
  2. The Certificate may not have been issued for current use
  3. Invalid name, constraints, or policy
  4. The Certificate Authority (CA) may no longer be trusted
  5. Root Revocation may be unknown when determining certificate verification
  6. The Certificate Authority Revocation may not be specified
  7. The End Certificate (i.e. the user certificate) revocation is unknown
  8. The Certificate Trust List (CTL) signer revocation may be unknown
  9. The Certificate Trust List (CTL) may not be valid or is expired
  10. Together the CA (Certificate Authority) certificate and the issued certificate must have nested validity periods
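
The Standard Checks and the chain validation described above can be run from PowerShell on the workstation. This is an added example, not part of Pleasant Password Server or its documentation. The host name is a placeholder, and searching both the user and machine Trusted People stores is an assumption, since the page does not say which one the client uses.

```powershell
# Added example. $SubjectMatch is a placeholder; set it to your server's host name.
param([string]$SubjectMatch = 'passwordserver.example.com')

# Store paths as PowerShell names them. Which Trusted People store (user or
# machine) the client writes to is an assumption, so both are searched.
$stores = 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\TrustedPeople',
          'Cert:\LocalMachine\TrustedPeople'

$x509 = 'System.Security.Cryptography.X509Certificates'

foreach ($store in $stores) {
    $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
             Where-Object { $_.Subject -like "*$SubjectMatch*" }

    foreach ($cert in $certs) {
        # CRL Distribution Points extension (OID 2.5.29.31), if present
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

        # Build the chain with online revocation checking on every element,
        # so an unreachable CRL URL shows up as a chain status
        $chain = New-Object "$x509.X509Chain"
        $chain.ChainPolicy.RevocationMode = [Enum]::Parse([Type]"$x509.X509RevocationMode", 'Online')
        $chain.ChainPolicy.RevocationFlag = [Enum]::Parse([Type]"$x509.X509RevocationFlag", 'EntireChain')
        $chainOk = $chain.Build($cert)

        $status = $chain.ChainStatus |
                  ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }

        [pscustomobject]@{
            Store                 = $store
            Subject               = $cert.Subject
            Issuer                = $cert.Issuer
            Thumbprint            = $cert.Thumbprint
            NotBefore             = $cert.NotBefore
            NotAfter              = $cert.NotAfter
            Expired               = (Get-Date) -gt $cert.NotAfter
            SignatureAlgorithm    = $cert.SignatureAlgorithm.FriendlyName
            UsesSha1              = $cert.SignatureAlgorithm.FriendlyName -match 'sha1'
            CrlDistributionPoints = if ($cdp) { $cdp.Format($false) } else { '(none)' }
            ChainValid            = $chainOk
            ChainStatus           = $status -join '; '
        } | Format-List

        $chain.Reset()
    }
}
```

An empty ChainStatus with ChainValid set to True means Windows trusts the chain. Statuses such as RevocationStatusUnknown or OfflineRevocation point to a CRL Distribution Point that can no longer be reached.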