

Troubleshooting Certificate Error Messages on Clients

PKI Expert with over a decade dedicated to certificate & encryption key management.
We've all had that page pop up telling us there is a problem with the certificate. Some of us continue on anyway, and others run away to a safer competing site.  But what should you do when you get the error - is it your problem or theirs?  What can you do?

The answer depends on the reason for the security warning.  Things will vary slightly depending on the browser type and version, but there should be a 'show details' area near the end of the message.  There are 3 flavors of errors that will be seen on the client end. Here is the paraphrased listing:

1) Name mismatch - try entering the server name portion of the URL exactly as it appears in the certificate (click the View Certificate button in the error message box, or use the gold lock next to the address bar or down in the bottom right corner, to show the cert).  For example, if you were going to https://server/index.htm and got the warning, the certificate may be for server.domain.com, so you should instead go to https://server.domain.com/index.htm and the error should go away.

2) Certificate expired or not yet valid - this usually means it has expired. Renew the cert if it is your server; otherwise contact the company that runs the site and ask them to update it.

3) Untrusted root - if the root certificate for the site is not already in your trusted root cert store, you will need to import it.  This is common if the site is using its own CA instead of a commercial vendor, or if it generated a self-signed certificate instead of a CA-issued certificate.  To determine which it is, view the certificate, go to the Details tab, and compare the Issuer field to the Subject field: if they match, it is a self-signed certificate; if they don't, it was issued by a CA.

3a) If self-signed - use the option to copy or export the cert to a file.  To import, open the exported cert file, choose to place it manually, and point it to the Trusted Root Certification Authorities store. You may need to select the 'show physical stores' option during the import when manually selecting the trusted root store (particularly on Vista and 2008).

3b) If from a CA and you don't have the root cert - on the Details tab, find the Authority Information Access (AIA) entry and select it.  The bottom part of the window should show one or more URLs to the certificate file, which you can use to obtain the issuing CA's certificate.  Follow the URL and install the cert when prompted.  Often there are 2 or more tiers, so you may need to go back to the Certificate Path tab, open the topmost cert that doesn't have an X through it, and repeat the process to find that cert's AIA pointer to its issuing cert. Repeat until the root has been reached (there will normally not be an AIA for the root cert) and things should work.
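The triage above can be written down as code. This is an added example, not part of the original article: it assumes the certificate fields are supplied in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, and it goes slightly beyond the text by also honouring subjectAltName entries and single-label wildcards. The function names, the sample certificates and the AIA URL are constructed for illustration.

```python
import ssl
import time

def cert_names(cert):
    """Names the cert covers: SAN DNS entries, else the subject common name."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return san or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard standing in for one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def triage(cert, host, now=None):
    """Return (category, detail) pairs; the issuer type is always reported."""
    now = time.time() if now is None else now
    names, findings = cert_names(cert), []
    if not any(name_matches(host, n) for n in names):           # error 1
        findings.append(("name-mismatch", "certificate is for: " + ", ".join(names)))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):       # error 2
        findings.append(("not-yet-valid", cert["notBefore"]))
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(("expired", cert["notAfter"]))
    if cert["issuer"] == cert["subject"]:                       # case 3a
        findings.append(("self-signed", "issuer equals subject"))
    else:                                                       # case 3b
        urls = ", ".join(cert.get("caIssuers", ())) or "no AIA URL in certificate"
        findings.append(("ca-issued", "fetch issuer certificate from: " + urls))
    return findings

# Constructed sample certificates in getpeercert() layout (not real certificates).
SELF_SIGNED = {
    "subject": ((("commonName", "server.domain.com"),),),
    "issuer": ((("commonName", "server.domain.com"),),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}
CA_ISSUED = {
    "subject": ((("commonName", "www.domain.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),   # hypothetical CA
    "subjectAltName": (("DNS", "*.domain.com"),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
    "caIssuers": ("http://pki.example.test/issuing-ca.crt",),  # hypothetical URL
}
```

Calling `triage(SELF_SIGNED, "server", now=1500000000)` reports a name mismatch, an expired certificate and a self-signed issuer. Whether a CA-issued chain ends in a trusted root depends on the local store, so the function only reports the issuer type and the AIA pointer to follow.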

Expert Comment

by:Jason Parms
One more common error – “page contains secure and nonsecure items”

This error occurs when some insecure items (such as images, frames, iframes, Flash, and JS) are being accessed on secure web pages. You can find insecure items for your web site by using this tool - https://www.ssl2buy.com/wiki/why-no-padlock/


1. Replace URLs (use HTTPS instead of HTTP)

You have to use https:// for the references on all images, iframes, Flash and JS.

<img src="https://www.yourdomain.com/abcimage.png" />


2. Use relative path instead of absolute path

If you are using a relative path for the references, then you will never face this error.

Absolute Path:
<img src="https://www.yourdomain.com/abcimage.png" />


Relative path:
<img src="/abcimage.png" />
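A local check for the references described in the comment above, added here as an example (it is not the commenter's code and not the linked tool): it parses a page and lists the tags that load a subresource over http://. The names `find_insecure` and `SUBRESOURCE_ATTRS` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# navigation, not a subresource, so it does not cause the mixed-content warning.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "audio": "src", "video": "src", "source": "src",
    "object": "data", "link": "href",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Only <link rel="stylesheet"> is fetched; rel="canonical" etc. is not.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        url = (a.get(SUBRESOURCE_ATTRS.get(tag)) or "").strip()
        if url.lower().startswith("http://"):
            self.hits.append((self.getpos()[0], tag, url))

def find_insecure(html):
    """Return (line, tag, url) for every subresource loaded over plain HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: two insecure references, the rest are fine.
SAMPLE_PAGE = """<html><head>
<script src="http://www.yourdomain.com/app.js"></script>
<link rel="canonical" href="http://www.yourdomain.com/">
</head><body>
<img src="https://www.yourdomain.com/abcimage.png" />
<img src="/abcimage.png" />
<iframe src="HTTP://www.yourdomain.com/frame.htm"></iframe>
<a href="http://www.yourdomain.com/">home</a>
</body></html>"""
```

On the sample page, `find_insecure(SAMPLE_PAGE)` flags the script on line 2 and the iframe on line 7, and leaves the HTTPS image, the relative image, the canonical link and the plain hyperlink alone.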


Expert Comment

by:Peter Hutchison
Another thing to watch out for is fake websites using fake certificates. Just because a site is encrypted using an SSL certificate doesn't mean that the site is trustworthy.  Check that certificate: does it come from a compromised CA, is the bit length up to date (2048 bits or more is required), and check the site using different browsers, which may highlight other warnings.

