From my experience (it's a little aged), I can tell you that you will get this prompt green instead of red when the certificate is valid (e.g. matches the FQDN of the site) and the cert chain is trusted by the client OS.
But you will get the prompt.
You were wondering why you did not get the prompt again after deleting the trust fingerprint from the registry key mentioned in sk66263. I think this is because the trust is also written to trac.conf. Deobfuscate this file (I guess you know how) and you will find something like this in it:
<PARAM ccc_fingerprint="KING MOST FIVE CLOG LOP TONY LENT CAKE MAC RECK ROY GLUM"></PARAM>
This is the RFC 1751 encoded representation of the SHA-1 fingerprint of the root CA of the certificate used for this portal (platform portal for legacy IP-Sec-VPN blade only, Mobile Access Blade Portal for MOB). Please verify this. Sometimes it seems to be the fingerprint of the intermediate instead of the root CA.
If this fingerprint changes, there is a popup for your users. This means renewals of the portal cert do not trigger popups for users when the CA cert stays the same. Of course, the CA cert also expires eventually. This reduces your problem a little.
<PARAM internal_ca_fingerprint="TELL ACE RUB SANK JUNK ARE ROOT LEO ANA VOID POD MOVE"></PARAM>
This is the RFC 1751 encoded representation of the SHA-1 fingerprint of the certificate configured in SmartConsole -> IPSec-VPN.
Changing this cert does not seem to trigger a user popup. Warning: This experience was from an environment without MOB, only the legacy IPSec-VPN blade for Remote Access with the Endpoint Security VPN client.