Trust Warning

When connecting to a new server, KeePass will prompt to confirm Trust in this new server. Once a secure connection has been properly established this message should not display again, except in the case of configuration changes.


Related topic:

SSL Policy Errors

Repeated Warnings

If you keep seeing repeated Trust Warnings each time you open KeePass, but not with the web client, you may have a problem with the certificate on your workstation. Here are the most common reasons:

Follow these steps:

Certificate Store Locations

If your Certificate is properly installed on the workstation, it should be trusted because it will be stored in the Certificate Store.

KeePass for Pleasant client saves this in the Certificate Store:

KeePass for Pleasant client also looks in this location in the Certificate Store:

On the Password Server machine, this certificate is placed in the Certificate Store:

The Certificate Store can be opened with:

Viewing Certificates from the Browser

To view the details of your certificates and check them for errors, it's possible to check them with your browser:

In Chrome:

In Firefox:

Standard Certificate Checks

  1. (Client-Server Connections) Test if other connections have a problem:
    • Connecting to our private free-to-use Demo Server, OR,
    • Connecting using a mobile device which has the same certificate and which has connection access to the Password Server, to see if the mobile app / browser can connect successfully
  2. Check that the Certificates are stored in the Certificate Store in the proper locations
  3. Check that the Certificates have not expired
  4. Check that the Certificate "Issued To" exactly matches the server location address
  5. Check that the Certificate "Issuer" information is correct
  6. Check whether the Subject Alternative Name (SAN) field should be included
  7. Check that the certificate has a trusted root Certificate Authority (CA) - import that certificate into the Trusted Root CA location
  8. Check that the CRL Distribution Point information is still valid
  9. Check that the Certificate is not using an old SHA1 signature hash, and is properly switched to SHA256 / SHA512

If a Certificate problem remains, continue on to the more advanced checks below.

Validate Certificates with CertUtil

You may wish to validate your certificate using a utility such as CertUtil or DigiCertUtil.

This command line utility can provide information about the store certificate(s), with simple commands such as:

Revocation Status Checks

Beginning with the Root Certificate, the Certificate chain is validated, looking for any revocation statuses on the certificates. In the future, Password Server will provide these specific error statuses.

Here is a full list of validation items for revocation statuses:

  1. Chained certificates may have expired or are not yet in effect
  2. The Certificate may not have been issued for current use
  3. Invalid name, constraints, or policy
  4. The Certificate Authority (CA) may no longer be trusted
  5. Root Revocation may be unknown when determining certificate verification
  6. The Certificate Authority Revocation may not be specified
  7. The End Certificate (i.e. the user certificate) revocation is unknown
  8. The Certificate Trust List (CTL) signer revocation may be unknown
  9. The Certificate Trust List (CTL) may not be valid or is expired
  10. Together the CA (Certificate Authority) certificate and the issued certificate must have nested validity periods
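The following PowerShell script is an added example, not Pleasant Password Server's own tooling: it fetches the certificate a client would see and runs the standard checks above (expiry, Issued To / SAN match, SHA1 signature) plus a chain build with online revocation checking that reports the statuses from the revocation list. $ServerHost and $Port are placeholders; the validation callback accepts any certificate only so the chain can be inspected afterwards.

```powershell
# Added diagnostic example; $ServerHost and $Port are placeholders for your own server.
param(
    [string]$ServerHost = 'passwordserver.example.internal',   # placeholder
    [int]$Port = 10001                                          # placeholder
)

# Retrieve the server certificate. The callback returns $true so the handshake
# completes and we can run our own checks; it is not a trust decision.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerHost, $Port)
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($ServerHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

"Issued To : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Valid     : $($cert.NotBefore) -> $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)"

# Check 3: certificate must be inside its validity period
$now = Get-Date
if ($now -gt $cert.NotAfter -or $now -lt $cert.NotBefore) { 'FAIL: certificate is expired or not yet valid' }

# Checks 4 and 6: server address must appear in the Subject CN or the SAN extension
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '(no SAN extension)' }
"SAN       : $sanText"
$escaped = [regex]::Escape($ServerHost)
if ($sanText -notmatch $escaped -and $cert.Subject -notmatch "CN=$escaped") {
    "FAIL: '$ServerHost' is not in the Subject CN or SAN"
}

# Check 9: signature hash algorithm should not be SHA1
"Signature : $($cert.SignatureAlgorithm.FriendlyName)"
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') { 'FAIL: SHA1 signature hash' }

# Checks 7 and 8 plus the revocation list: build the chain from the local store
# with online CRL checking and print every chain status flag Windows reports
# (untrusted root, revocation unknown, not time nested, CTL problems, ...).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
"Chain OK  : $ok"
foreach ($s in $chain.ChainStatus)  { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)" }
```

Run it on the workstation that shows the repeated Trust Warning; a chain status such as UntrustedRoot or RevocationStatusUnknown points at the store location or CRL problem to fix.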