Troubleshooting Certificate Error Messages on Clients

PKI Expert with over a decade dedicated to certificate & encryption key management.
We've all had that page pop up telling us there is a problem with the certificate; some of us continue on anyway and others run away to a safer competing site. But what should you do when you get the error? Is it your problem or theirs, and what can you do about it?

The answer depends on the reason for the security warning. The wording varies slightly by browser type and version, but there should be a 'show details' area near the end of the message. There are three flavors of error you will see on the client end; here is the paraphrased listing:

1) Name mismatch - try entering the server name portion of the URL exactly as it appears in the certificate (click the View Certificate button in the error message box, or use the gold lock next to the address bar or down in the bottom right corner to show the cert). For example, if you were going to https://server/index.htm and got the warning, the certificate may be for server.domain.com, so you should instead go to https://server.domain.com/index.htm and the error should go away.

2) Certificate expired or not yet valid - usually means it has expired. Renew the cert if it is your server; otherwise contact the company running that site and ask them to update it.

3) Untrusted root - if the root certificate for the site is not already in your trusted root cert store, you will need to import it. This is common if the site is using its own CA instead of a commercial vendor, or if it generated a self-signed certificate instead of a CA-issued certificate. To determine which case applies, view the certificate, open the Details tab, find the Issuer field and compare it to the Subject field: if they match, it is a self-signed certificate; if they don't, it was issued by a CA.

3a) If self-signed - use the option to copy or export the cert to a file. To import it, open the exported cert file and choose to place it manually in the Trusted Root Certification Authorities store. You may need to tick the 'show physical stores' option during the import when manually selecting the trusted root store (particularly on Vista and 2008).

3b) If from a CA and you don't have the root cert - on the Details tab look for the Authority Information Access (AIA) listing and select that.  In the bottom part of the window should be one or more URLs to the certificate file that you can use to obtain the issuing CA's certificate.  Follow that and install the cert when prompted.  Many times there will be 2 or more tiers, so you may need to go back again and go to the Certificate Path tab and go to the top cert that doesn't have an X through it and open that up and repeat the process to find that cert's AIA pointer to its issuing cert - repeat until the root has been reached (there will normally not be an AIA for the root cert) and things should work.
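The three checks above (does the name match, is the date inside the validity window, does Issuer equal Subject and, if not, where does the AIA point) can be scripted for help-desk triage. The following is an added example, not code from the article or its author: it runs the same checks over a certificate in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns (that form carries the AIA "CA Issuers" URLs under the key `caIssuers`). The two sample certificates, the `example.invalid` URL and the fixed check time are constructed for the demo; the script does not consult any trust store, so for step 3 it only tells you whether 3a or 3b applies.

```python
import ssl
import time

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns.
# Self-signed: Issuer is identical to Subject (the article's step 3a case).
SELF_SIGNED = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "server.domain.com"),)),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "server.domain.com"),)),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "server.domain.com"),),
}

# Constructed sample issued by an internal CA, with an AIA "CA Issuers" URL
# (placeholder host, not a real site) for the article's step 3b case.
CA_ISSUED = {
    "subject": ((("commonName", "server.domain.com"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "server.domain.com"),),
    "caIssuers": ("http://pki.example.invalid/issuing-ca.crt",),
}

# Fixed "now" inside the validity window so the demo is reproducible offline.
CHECK_TIME = ssl.cert_time_to_seconds("Jun  1 00:00:00 2023 GMT")


def distinguished_name(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into a {attribute: value} dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def certificate_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the Subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = distinguished_name(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    return names


def hostname_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def triage(cert, hostname, now=None):
    """Return (code, advice) findings mirroring the article's three error flavors."""
    now = time.time() if now is None else now
    findings = []

    # 1) Name mismatch: the URL's host must match a name in the certificate.
    names = certificate_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        findings.append(("name_mismatch",
                         f"cert is for {', '.join(names) or '(no name)'}; use that name in the URL"))

    # 2) Validity window, parsed with the stdlib helper for getpeercert() date strings.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append(("not_yet_valid", f"not valid before {cert['notBefore']}; check the client clock"))
    elif now > not_after:
        findings.append(("expired", f"expired {cert['notAfter']}; renew it or ask the site owner to"))

    # 3) Issuer vs Subject decides whether 3a (self-signed) or 3b (CA-issued) applies.
    subject = distinguished_name(cert["subject"])
    issuer = distinguished_name(cert["issuer"])
    if subject == issuer:
        findings.append(("self_signed",
                         "Issuer equals Subject; if untrusted, export the cert and import it into Trusted Root CAs"))
    else:
        aia = ", ".join(cert.get("caIssuers", ())) or "no AIA URL present"
        findings.append(("ca_issued",
                         f"issued by {issuer.get('commonName')}; if untrusted, fetch the issuer cert via AIA: {aia}"))
    return findings


if __name__ == "__main__":
    for cert, host in ((SELF_SIGNED, "server"), (CA_ISSUED, "server.domain.com")):
        print(f"--- https://{host}/")
        for code, advice in triage(cert, host, CHECK_TIME):
            print(f"{code:14} {advice}")
```

Running it reproduces the article's first example: visiting the self-signed cert as `https://server/` reports `name_mismatch` (the cert is for `server.domain.com`) plus `self_signed`, while the CA-issued cert visited by its proper name reports only `ca_issued` with the AIA URL to follow. The `ca_issued` and `self_signed` lines are diagnostics, not errors in themselves; they only matter when the browser has already said the root is untrusted.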