Why does my PCoIP Zero Client indicate that it is unable to verify the View Connection Server's identity after the CA's root certificate has been uploaded via AWI and/or the PCoIP Management Console?

Rate this Article
Average: 1 (1 vote)

August 3, 2018

Last modified: 09/03/2023, 6:12 pm

Knowledge Base Article Troubleshooting Security Third Party Enhancements Zero Clients

Problem

The PCoIP Zero Client is presenting a certificate error when the server's corresponding Root CA or Intermediate Certificate has been loaded into the PCoIP Zero Client certificate store. The PCoIP Zero Client has a certificate check mode configured as "Warn before connecting to untrusted servers" or "Never connect to untrusted serves"

 

Cause

The customer's VMware View Connection Server (VCS) or network load balancer may be publishing its server certificate only, when it should be also publishing the intermediate and root certificates.

 

How to identify

See the PCoIP Zero Client log below showing the connection to view.exampledomain.com, as an example.  Notice that the intermediate and root certificates are named:

0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Trusted setting: Untrusted certificates are never allowed
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Trusted result: PASSED
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Server certificate is trusted
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Server certificate issued to: view.exampledomain.com
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Server certificate issued by: DigiCert High Assurance CA-3
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Intermediate certificate issued to: DigiCert High Assurance CA-3
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Intermediate certificate issued by: DigiCert High Assurance EV Root CA
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Root certificate issued to: DigiCert High Assurance EV Root CA
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Root certificate issued by: DigiCert High Assurance EV Root CA
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :Trusted root and intermediate certificates:
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :DigiCert High Assurance EV Root CA
0d,00:00:46> LVL:2 RC:   0     MGMT_VDMCSI :

By contrast, the log for the scenario described does not contain this information:

1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :Trusted setting: Untrusted certificates are never allowed
1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :Trusted result: FAILED
1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :Server certificate is NOT trusted
1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :Server certificate issued to: view.exampledomain.com
1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :Server certificate issued by: DigiCert High Assurance CA-3
1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :
1d,00:54:42> LVL:2 RC: 0 MGMT_VDMCSI :Trusted root and intermediate certificates:

 

Workaround

The only way for the trust check to pass is to install the DigiCert intermediate certificate, not the AddTrust root certificate.  

The View Connection Server or load balancer should be updated with the full certificate chain.

 

See also

How do I upload certificates to PCoIP zero clients and PCoIP host cards?