Troubleshooting MacOS Certificate Errors

If Connection Manager is displaying a MacOS the following "Incomplete certificate revocation check occurred" error, it means that Connection Manager was not able to validate the Secret Server SSL certificate by a certificate authority.

This issue might have multiple root causes. Consider all of the possible causes below and follow the troubleshooting steps in each section.

Disable Certificate Revocation Check

Run the following command in the terminal:

Copy 
defaults write com.Delinea.ConnectionManager Url.CertificateRevocationListCheck false

Since MacOS does not always properly handle certificate revocation checks after OSCP deprecation, disabling CRL checks is the best workaround. Learn more about OSCP deprecation.

Secret Server Certificate Validation Fails When Using OCSP

Only check this if the OCSP Responder URI is present in the certificate.

  1. Open in this Terminal app and cd to folder that contain certificate.pem from previous step.

  2. Assign SSURL variable to Secret Server Host.

  3. Get an Intermediate Certificate. To view the list of intermediate certs, use the following command:

    Copy 
    openssl s_client -showcerts -connect $SSURL:443 < /dev/null 2>&1 |  sed -n '/-----BEGIN/,/-----END/p'

    The very first certificate is the server certificate you saved in previous step. For all the certificates below, they will be copied and saved to a file called chain.pem.

    Example chain.pem file (Can be opened with the Text Edit application):


  4. Get the OCSP Responder URL for the server certificate:

    Copy 
    OCSPURL=$(openssl x509 -noout -ocsp_uri -in certificate.pem)  

    echo $OCSPURL 

    Make sure the SSURL displays the OCSP URL.

  5. Make an OCSP validation request:

    Copy 
    openssl ocsp -issuer chain.pem -cert certificate.pem -text -url $OCSPURL 

    Example output:

    Make sure that Cert Status: good is displayed.

  6. Save and provide output of previous command to DelineaSupport.

Incorrect Trust Policy in Root Certificate Authority

  1. Open Keychain Access -> Certificate.

  2. Find company Root Certificate issued by Markants. It will be either in Login or System Keychain.

  3. If there is one, do a Cmd+click and go to Get Info >Trust.