Why am I getting a "Certificate Not Trusted" error when adding a PFA SSL Certificate in Configuration Manager?
Question
Why am I getting a "Certificate Not Trusted" error when adding a PFA SSL Certificate in Configuration Manager?

Answer
This error occurs because the SSL certificate you are trying to add is not recognized as trusted by the Configuration Manager (CM). Certificates are typically issued and signed by trusted Certificate Authorities (CAs), which browsers and software use to verify the authenticity and security of the certificate.
If you are using a self-signed certificate or a certificate generated by an entity that is not a recognized CA, CM will flag it as “not trusted.” This is expected behavior since self-signed certificates do not provide the same level of trust and authentication as CA-issued certificates.
Important points to consider:
Determining if a certificate is “good” or “trusted” is generally outside the scope of Central Technical Support. This is a matter typically handled by network or security engineers who manage your organization’s certificates.
If you want to avoid the "certificate not trusted" notification in Configuration Manager, you can adjust the certificate requirements level in the settings. Set it to “None” if you wish to bypass this warning.
See the relevant settings screenshot:

Consult your onsite network or security engineer to confirm whether the certificate was applied correctly and whether your certificate server is configured properly.
See also the KB article on certificate generation and update.
Note:
Self-Signed vs Trusted Certificates:
Trusted certificates are issued by Certificate Authorities and are validated by browsers and other software. They confirm the authenticity of your device and prevent man-in-the-middle attacks.
Self-signed certificates are created without CA validation. They provide encryption but do not offer verified trust, resulting in browser warnings and software alerts like the one you see in CM. These are usually suitable for testing but not recommended for production environments.
A self-signed certificate cannot be considered “trusted” by Configuration Manager or other systems expecting CA validation. For production environments requiring security and trust, use certificates issued by recognized Certificate Authorities. If you need help with this, please contact your network or security team for further assistance.
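To see which of the two cases above applies to a certificate before adding it, a network or security engineer can inspect it with the openssl command line. The script below is an added example, not vendor code or part of this KB article; the file names, subject names, function names and verdict strings are assumptions, and the sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not vendor code. Requires the openssl command-line tool.

# make_samples DIR: write constructed sample certificates into DIR:
#   ca.pem (lab CA), dev.pem (issued by that CA), self.pem (self-signed).
make_samples() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Lab CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=self.device.example" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=issued.device.example" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/dev.pem" 2>/dev/null
}

# is_self_signed CERT: succeeds when subject and issuer names are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issr" ]
}

# chains_to CA_BUNDLE CERT: succeeds when CERT verifies against the bundle
# (openssl may also consult its default CA directory).
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify CA_BUNDLE CERT: print trusted, self-signed or not-trusted.
classify() {
    if chains_to "$1" "$2"; then
        echo trusted
    elif is_self_signed "$2"; then
        echo self-signed
    else
        echo not-trusted
    fi
}

# Usage: sh check_cert.sh ca-bundle.pem device-cert.pem
if [ "$#" -eq 2 ]; then
    classify "$1" "$2"
fi
```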