"No valid certificate with acceptable DN found in the Keychain" pop-up in Endpoint Security Client / Endpoint Security VPN on Mac OS X when user clicks on either "Connect", or "Always connect"
Symptoms
  • "No valid certificate with acceptable DN found in the Keychain" pop-up in Endpoint Security Client / Endpoint Security VPN on Mac OS X when user right-clicks on the client's icon - clicks on either "Connect", or "Always connect".

    If user then clicks on the "Connect" button, the client connects as expected.

  • Error does not appear when user right-clicks on the client's icon - clicks on "Connect To..." - selects Certificate File - clicks on "Connect".

  • The certificate is stored in the keychain storage of Mac OS X ("CAPI" certificate authentication).

  • trac.log file on the Endpoint Security Client / Endpoint Security VPN shows that:

    After a successful connection the client stores the certificate's DN only - without SerialNum:

    [TR_FLOW_STEP] TR_FLOW_STEP::TrConnEngineConnectStep::CertificateCB: Using capi-certificate scheme. Storing the certificate DN
    [TR_CONN_MANAGER] TrConnManager::SetCertDN: Storing given dn:
    Email=<user_name>@<domain>,CN=<customer_name>

    The client cannot find the last used certificate in the list of keychain certificates, although it is shown in the list - with DN and SerialNum:

    [RaisCertManager] CertManager::GetCertByName: __start__ ...
    [RaisCertManager] RaisCertManager::CertManager::GetCertByName: dn=Email=<user_name>@<domain>,CN=<customer_name>,SerialNum=...
    [RaisCertManager] CertManager::GetCertByName: __end__ ... Total time - 0 seconds
    [auth_IS] CertAuth::SaveAuthCredentials: Failed to create cert object
    [auth_IS] CertAuth::SaveAuthCredentials: Failed to get certificate with name Email=<user_name>@<domain>,CN=<customer_name>,serialNumber=...
Cause

When connecting with right-click - "Connect" (or "Always connect"), the Endpoint Security Client / Endpoint Security VPN looks up the last certificate that was used in a successful connection.
The last certificate path is stored in the value of the parameter "certificate_path" in the trac.config file.
During the getAuthInfoStep stage, the Endpoint Security Client / Endpoint Security VPN gets a list of certificates from the keychain, but it does not find a match to the value it has saved.
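
To confirm that a given trac.log shows this specific mismatch, the stored DN can be compared with the DN logged by GetCertByName. The script below is an added example, not Check Point code; it assumes the log line format quoted in the Symptoms section, and the function names and sample values are constructed for illustration.

```python
import re

# Constructed sample in the line format quoted in Symptoms; all values are placeholders.
SAMPLE_LOG = """\
[TR_CONN_MANAGER] TrConnManager::SetCertDN: Storing given dn:
Email=alice@example.test,CN=ExampleCorp
[RaisCertManager] RaisCertManager::CertManager::GetCertByName: dn=Email=alice@example.test,CN=ExampleCorp,SerialNum=00aa11
[auth_IS] CertAuth::SaveAuthCredentials: Failed to create cert object
[auth_IS] CertAuth::SaveAuthCredentials: Failed to get certificate with name Email=alice@example.test,CN=ExampleCorp,serialNumber=00aa11
"""

# Both spellings of the serial attribute appear in the quoted log lines.
SERIAL_KEYS = {"serialnum", "serialnumber"}

def parse_dn(dn):
    """Split 'K=V,K=V' into a dict with lower-cased keys (assumes no escaped commas)."""
    pairs = (part.split("=", 1) for part in dn.strip().split(",") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def diagnose(log_text):
    """Report the stored DN, the DN logged by GetCertByName, and how they differ."""
    lines = log_text.splitlines()
    stored = getcert = None
    failed = False
    for i, line in enumerate(lines):
        # The stored DN is written on the line after the SetCertDN message.
        if "SetCertDN: Storing given dn:" in line and i + 1 < len(lines):
            stored = lines[i + 1].strip()
        m = re.search(r"GetCertByName: dn=(.+)$", line)
        if m:
            getcert = m.group(1).strip()
        if "SaveAuthCredentials: Failed to get certificate with name" in line:
            failed = True
    result = {"stored_dn": stored, "getcert_dn": getcert,
              "lookup_failed": failed, "serial_only_mismatch": False}
    if stored and getcert:
        s, g = parse_dn(stored), parse_dn(getcert)
        extra = set(g) - set(s)
        same_rest = all(g.get(k) == v for k, v in s.items())
        # True only when the serial attribute is the sole difference.
        result["serial_only_mismatch"] = bool(extra) and extra <= SERIAL_KEYS and same_rest
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A result with `lookup_failed` and `serial_only_mismatch` both true matches the symptom described here; a difference in any other attribute points to a different certificate being selected.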

