Hi,
So, is the first reported issue no longer happening? Please note that my previous suggestions were to be applied on the SRX only.
Assuming that the first issue was solved, my understanding is that in the PCs we need to install a cert that was previously self-signed by the SRX. See step 1 in the following doc and let me know if you followed a similar process:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB31122