Mobile VPN with SSL Client Certificate Not Trusted (macOS)
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
On macOS, the Mobile VPN with SSL client installer might not correctly set the VPN client certificate to Always Trust, or the macOS certificate-trust workflow might fail on installation. When certificate trust is not configured correctly, macOS cannot validate the client certificate, which prevents the Mobile VPN with SSL client from establishing a secure SSL/TLS connection. In some cases, you can use an OpenVPN client to work around this issue.
Symptoms
When the certificate trust process fails on macOS, you might experience these symptoms:
- When you try to connect with the Mobile VPN with SSL client, macOS repeatedly displays certificate trust prompts or cannot complete the connection because it cannot validate the VPN client certificate.
- The VPN connection succeeds only after you manually set the certificate to Always Trust, or when you connect with an OpenVPN client instead of the Mobile VPN with SSL client.
Diagnostic Steps
On the affected macOS device:
- Confirm the macOS version. For more information, go to macOS version (external link).
- Verify whether the installer set the certificate trust setting to Always Trust in Keychain Access.
- If the issue continues, test the connection with an OpenVPN client to determine whether certificate trust or the WatchGuard Mobile VPN with SSL client is the source of the issue.
- Review macOS system logs for messages that relate to openvpn, trust evaluation, or ssl.
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| The Mobile VPN with SSL installer did not correctly set the client certificate to Always Trust. | Manually set the certificate to Always Trust in Keychain Access. For more information, go to Keychain Access User Guide (external link). |
| macOS trust store configuration or local security policies interfere with certificate validation. | Use an OpenVPN client as an alternative connection method. For more information, go to OpenVPN Connect for macOS (external link). |
Related Log Messages
When macOS cannot validate a VPN client certificate or experiences SSL/TLS trust issues, macOS system logs might include messages such as:
- “TLS error: cannot locate certificate.”
- “Trust evaluation failed.”
- “SSL routines: certificate verify failed.”
For more information, go to Console User Guide (external link).
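To check a saved log export for the messages listed above, you can use a short script such as this one. It is an added example, not a WatchGuard tool; the function names, the 30-minute window, and the sample lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Tally the log messages listed in this article in a saved macOS log export.
# One way to create the export on the affected Mac (30m window is an assumption):
#   log show --last 30m --predicate 'eventMessage CONTAINS[c] "openvpn" OR eventMessage CONTAINS[c] "trust evaluation" OR eventMessage CONTAINS[c] "ssl"' > vpn.log

# Count case-insensitive fixed-string matches; prints 0 when there are none.
count_matches() {
  grep -icF -- "$1" "$2" || true
}

# Print one summary line for the export in $1.
# Matching uses the distinctive part of each message so that extra
# fields around it (timestamps, error codes) do not prevent a match.
triage_vpn_log() {
  local f="$1" locate trust verify
  locate=$(count_matches "cannot locate certificate" "$f")
  trust=$(count_matches "trust evaluation failed" "$f")
  verify=$(count_matches "certificate verify failed" "$f")
  if [ $((locate + trust + verify)) -gt 0 ]; then
    echo "trust-failure locate=$locate trust=$trust verify=$verify"
  else
    echo "no-trust-failure locate=0 trust=0 verify=0"
  fi
}

# Constructed sample lines (not real log output) for an offline run.
write_sample_log() {
  cat > "$1" <<'EOF'
2024-01-01 10:00:01 openvpn[411]: TLS error: cannot locate certificate.
2024-01-01 10:00:01 trustd[212]: Trust evaluation failed.
2024-01-01 10:00:02 openvpn[411]: SSL routines: certificate verify failed.
2024-01-01 10:00:05 trustd[212]: Trust evaluation failed.
2024-01-01 10:00:09 openvpn[411]: Initialization Sequence Completed
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
triage_vpn_log "$sample"
rm -f "$sample"
```

To check a real export, call `triage_vpn_log vpn.log` in place of the sample run at the end.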