Troubleshoot certificates

Access to applications may be caused by certificate issues.

Some issues caused by certificates are caused by:

  • Browsers. Access to applications may be denied by browser settings.

  • Expiration. Access to applications may be denied by expired certificates. Check the expiration date of an SSL certificate. If you use certificates for applications or identity providers (IdPs), 14 days before they expire the applications change to Deployment Not Ready state. You should renew the certificate before expiry, upload the new certificate, and redeploy the application, even when the application or IdP still work fine during the 14-day expiration period.

Troubleshoot certificate issues with Mozilla Firefox

To troubleshoot browser issues change the Firefox OCSP settings. When you access an application that uses custom domains with the Mozilla Firefox browser, your certificate may appear valid but has actually been revoked by your domain provider. This occurs because Firefox uses Online certificate status protocol (OCSP) by default and renders a set of errors when it tries to access the application.


This issue does not apply when you access an application that uses custom domains with the Google Chrome browser. Chrome does not use the OCSP to check if an intermediate certificate has been revoked.

  1. Open a new Mozilla Firefox browser window.

  2. Navigate to Options > Privacy & Security.

  3. Deselect Query OCSP responder servers to confirm the current validity of certificates.

  4. Close the preferences menu.

  5. Try to access the application again. See Log in and access applications in the Login Portal.

Troubleshoot access to applications secured with EAA through Chrome that are accessed with Safari and Firefox

If you have secured applications that are accessed from Enterprise Application Access (EAA) through Safari and Firefox, but not through Chrome, iFrames may cause an issue. Certain versions of the Chrome browser block content in iFrames that is served with self-signed certificates.

If you currently use a certificate that was generated by the Enterprise Application Access service, or one that you generated internally, this may be why some content that is blocked by Chrome works on Safari and possibly other browsers.

  1. Import valid certificates to the system through

  2. Import a star certificate *.company-name-certificate to use with all applications or you can import individual certificates for each application.

  3. Add, edit, and delete certificates.

  4. Update each application's settings to use the imported certificate.

  5. Redeploy the applications.