
Troubleshooting Certificate Error Messages on Clients

Paranormastic
PKI Expert with over a decade dedicated to certificate & encryption key management.
We've all had that page pop up telling us there is a problem with the certificate; some of us continue on anyway, and others run away to a safer competing site. But what should you do when you get the error? Is it your problem or theirs, and what can you do about it?

The answer depends on the reason for the security warning. Things will vary slightly depending on the browser type and version, but there should be a 'show details' area near the end of the message. There are 3 flavors of errors that will be seen on the client end; here is the paraphrased listing:

1) Name mismatch - try entering the server name portion of the URL exactly as it appears in the certificate (to show the cert, click the View Certificate button in the error message box, or use the gold lock next to the address bar or down in the bottom right corner). For example, if you were going to https://server/index.htm and got the warning, the certificate may be for server.domain.com, so you should instead go to https://server.domain.com/index.htm and the error should go away.

2) Certificate expired or not yet valid - usually means it expired - renew the cert if it is your server, or else contact the company of that site and ask them to update it.

3) Untrusted root - if the root certificate for the site is not already in your trusted root cert store, you will need to import it. This is common if the site is using their own CA instead of a commercial vendor, or if they generated a self-signed certificate instead of a CA-issued certificate. To determine which it is, view the certificate, open the Details tab and compare the Issuer field to the Subject field: if they match, it is a self-signed certificate; if they don't, it was issued from a CA.

3a) If self-signed - Use the option to copy or export the cert to file.  To import, open the exported cert file and select to manually assign and point it to the trusted root certification authority store - you may need to click the option during importing for 'show physical stores' when manually selecting the trusted root store (particularly for Vista and 2008).

3b) If from a CA and you don't have the root cert - on the Details tab look for the Authority Information Access (AIA) listing and select that. In the bottom part of the window should be one or more URLs to the certificate file that you can use to obtain the issuing CA's certificate. Follow that and install the cert when prompted. Many times there will be 2 or more tiers, so you may need to go back to the Certificate Path tab, open the top cert that doesn't have an X through it, and repeat the process to find that cert's AIA pointer to its issuing cert. Repeat until the root has been reached (there will normally not be an AIA for the root cert) and things should work.
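
The three checks above, together with the Issuer/Subject comparison and the AIA lookup, can be scripted. This is an added example, not part of the original article: it works on a decoded certificate in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, and the certificate values, the `pki.example.test` URL and the function names are constructed for illustration.

```python
import ssl

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "server.domain.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "server.domain.com"),),
    "caIssuers": ("http://pki.example.test/issuing-ca.crt",),
}


def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(hostname, pattern):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pat[2:]
    return host == pat


def triage(cert, hostname, now):
    """Return (findings, aia_urls) for the warning classes in the article."""
    findings = []
    if not any(name_matches(hostname, n) for n in cert_names(cert)):
        findings.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    # Issuer == Subject is the article's test for a self-signed certificate.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    # caIssuers holds the AIA URLs pointing at the issuing CA's certificate.
    return findings, list(cert.get("caIssuers", ()))
```

`now` is seconds since the epoch in UTC, for example `time.time()`; a root certificate normally yields an empty AIA list, which is where the chain walk in 3b stops.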

Expert Comment

by:Jason Parms
One more common error – “page contains secure and nonsecure items”

This error occurs when some insecure items (such as images, frames, iframes, Flash, and JS) are being accessed on secure web pages. You can find insecure items for your web site by using this tool - https://www.ssl2buy.com/wiki/why-no-padlock/

Solutions:-

1. Replace URLs (use HTTPS instead of HTTP)

You have to use https:// for the references on all images, iframes, Flash and JS.

Example:
<img src="https://www.yourdomain.com/abcimage.png" />


2. Use relative path instead of absolute path

If you are using a relative path for the references, then you will never face this error.

Absolute Path:
<img src="https://www.yourdomain.com/abcimage.png" />


Relative path:
<img src="/abcimage.png" />

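A local way to list the insecure items the comment above describes, as an added example that is not part of the original comment: it parses a page's HTML and reports every subresource reference that still uses http://. The sample page, the `example.test` host and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a subresource. A plain
# <a href> is navigation, not page content, so it is deliberately absent.
# <link href> is listed without checking rel, so review those hits by hand.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <img ... />.
        for name, value in attrs:
            if (tag, name) not in SUBRESOURCE_ATTRS or value is None:
                continue
            url = value.strip()  # browsers ignore surrounding whitespace
            if url.lower().startswith("http://"):
                line, _ = self.getpos()
                self.findings.append((line, tag, url))


def find_insecure_items(html):
    """Return http:// subresource references found in an HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<img src="https://www.yourdomain.com/abcimage.png" />
<img src="/abcimage.png" />
<img src=" HTTP://www.yourdomain.com/old.png" />
<a href="http://www.example.test/">plain link</a>
</body></html>"""
```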
 
Expert Comment

by:Peter Hutchison
Another thing to watch out for is fake websites using fake certificates. Just because a site is encrypted using an SSL certificate doesn't mean that the site is trustworthy. Check that certificate: does it come from a compromised CA, is the bit length up to date (2048 bits is required or more), and check the site using different browsers, which may highlight other warnings.

http://www.zdnet.com/article/fake-ssl-certificates-pirate-web-sites/