Troubleshooting MacOS Certificate Errors

If Connection Manager on MacOS displays the error "Incomplete certificate revocation check occurred", it means that Connection Manager was not able to validate the Secret Server SSL certificate with a certificate authority.

This issue might have multiple root causes. Consider all of the possible causes below and follow the troubleshooting steps in each section.

Missing OCSP Responder URI in Certificate

  1. Open the Secret Server URL in Chrome.

  2. Open Certificate Viewer.

  3. In the Details tab, go to Certificate Fields > Authority Information Access.

  4. Check Field Value. It should contain the OCSP Responder URI.

  5. Save and provide a screenshot of the previous step to Delinea Support.

  6. Try opening this URI in a browser and let us know what you see (take a screenshot if possible).

  7. Export the certificate using the button below and save it as certificate.pem (this will be needed for the troubleshooting steps).

Secret Server Certificate Validation Fails When Using OCSP

Only check this if the OCSP Responder URI is present in the certificate.

  1. Open the Terminal app and cd to the folder that contains certificate.pem from the previous step.

  2. Set the SSURL variable to the Secret Server host.

  3. Get an Intermediate Certificate. To view the list of intermediate certs, use the following command:

    openssl s_client -showcerts -connect $SSURL:443 < /dev/null 2>&1 |  sed -n '/-----BEGIN/,/-----END/p'

    The very first certificate is the server certificate you saved in the previous step. Copy all the certificates below it and save them to a file called chain.pem.

    Example chain.pem file (Can be opened with the Text Edit application):


  4. Get the OCSP Responder URL for the server certificate:

    OCSPURL=$(openssl x509 -noout -ocsp_uri -in certificate.pem)  

    echo $OCSPURL 

    Make sure the SSURL displays the OCSP URL.

  5. Make an OCSP validation request:

    openssl ocsp -issuer chain.pem -cert certificate.pem -text -url $OCSPURL 

    Example output:

    Make sure that Cert Status: good is displayed.

  6. Save and provide the output of the previous command to Delinea Support.
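
The steps above can be scripted so that the leaf/chain split and the reading of the OCSP result are not done by hand. This is an added example, not Delinea's own tooling: the function names (split_chain, ocsp_verdict, check_ocsp, sample_bundle) and the sample input are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not vendor code): steps 3-5 above as reusable functions.

# Split s_client output on stdin: first cert -> certificate.pem, rest -> chain.pem.
# Prints the number of certificates written to chain.pem.
split_chain() {
  dir=$1
  : > "$dir/certificate.pem"; : > "$dir/chain.pem"
  awk -v leaf="$dir/certificate.pem" -v chain="$dir/chain.pem" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside { print > (n == 1 ? leaf : chain) }
    /-----END CERTIFICATE-----/   { inside = 0 }'
  grep -c -e '-----BEGIN CERTIFICATE-----' "$dir/chain.pem" || true
}

# Reduce `openssl ocsp -text` output (stdout+stderr on stdin) to one verdict.
# A "good" status only counts if the response signature also verified.
ocsp_verdict() {
  out=$(cat)
  case "$out" in
    *"Response Verify Failure"*) echo unverified ;;
    *"Cert Status: good"*)       echo good ;;
    *"Cert Status: revoked"*)    echo revoked ;;
    *"Cert Status: unknown"*)    echo unknown ;;
    *)                           echo error ;;  # no usable response
  esac
}

# Full run against a live host (needs network): check_ocsp <Secret Server host>
check_ocsp() {
  SSURL=$1; work=$(mktemp -d)
  openssl s_client -showcerts -connect "$SSURL:443" < /dev/null 2>&1 |
    split_chain "$work" > /dev/null
  OCSPURL=$(openssl x509 -noout -ocsp_uri -in "$work/certificate.pem")
  if [ -z "$OCSPURL" ]; then
    echo "no OCSP responder URI found (or no certificate retrieved)"; return 2
  fi
  openssl ocsp -issuer "$work/chain.pem" -cert "$work/certificate.pem" \
    -text -url "$OCSPURL" 2>&1 | ocsp_verdict
}

# Constructed s_client-style input (placeholder bodies, not real certificates).
sample_bundle() {
  for name in LEAF INTERMEDIATE ROOT; do
    printf ' s:CN=%s (constructed)\n-----BEGIN CERTIFICATE-----\n' "$name"
    printf 'PLACEHOLDER-%s\n-----END CERTIFICATE-----\n' "$name"
  done
}
```

A verdict of unverified, unknown or error is worth including in the output sent to support, because each points to a different cause than a missing OCSP Responder URI.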

Incorrect Trust Policy in Root Certificate Authority

  1. Open Keychain Access -> Certificate.

  2. Find the company Root Certificate issued by Markants. It will be in either the Login or System Keychain.

  3. If there is one, do a Cmd+click and go to Get Info > Trust.