

SSL Certificate fails for users outside the firewall

Posted on 2005-04-06
Medium Priority
Last Modified: 2010-08-05
I recently set up a Microsoft Certificate server and installed a certificate on one of my websites. My certificate server is not available outside the firewall. Everything appears to be set up fine on the server. The client gets the following error message:

Web Site Certified by an Unknown Authority
Unable to verify the identity of host.domain.com as a trusted site
Possible reasons for this error:
- Your browser does not recognize the Certificate Authority that issued the site's certificate
- The site's certificate is incomplete due to a server misconfiguration
- You are connected to a site pretending to be host.domain.com, possibly to obtain your confidential information.

Do I need to open certain incoming ports for my Certificate Server?
Question by:periker

Expert Comment

ID: 13720122
Instead of installing the specific certificate "host.domain.com", you could create a wildcard certificate "*.domain.com" which would cover various websites under domain.com. Other than that, did you install the certificate on the computer in question (when the warning pops up, follow the 'install' button into a trusted folder)?

Accepted Solution

Sembee earned 200 total points
ID: 13721279
That is a standard error when you are using home grown certificates.

Certificates are based on trust - the organisation issuing the certificate is trusted by the web browser to confirm that the server is who it says it is. This trust is built in.

Your certificate and certificate server is not in the list of trusted organisations to issue a certificate - so the browser flags this as a security issue. Good job too otherwise the phishing scams would have a much higher success rate.

Personally I have given up issuing my own certificates other than in the lab. I think home grown certificates look amateurish and show that you aren't taking security seriously.
Instead I purchase a certificate, usually from RapidSSL. For most purposes their StarterSSL is fine. Obviously for eCommerce I would cough up for a Verisign certificate.

This avoids having to install certificates on the machines, or telling your users to ignore the warning (which is a dangerous thing to do).
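The point both replies make (the browser trusts whatever issuing CA is in its trust store, and nothing else) can be reproduced with the openssl command-line tool. The script below is an added example, not part of the original question or answers: it builds a constructed private CA and an unrelated second CA, issues a certificate for host.domain.com from the first, and then verifies that certificate against each trust store. The names, file paths and the one-day validity are assumptions made for the demonstration; no network access is needed.

```shell
#!/bin/sh
# Added example (constructed, not from the original post): show why a
# certificate issued by an in-house CA is rejected until that CA is in the
# client's trust store, and accepted once it is.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain: create two self-signed CAs and issue host.domain.com from the
# first one only (names and paths are assumptions for this demo).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Example Internal CA" -days 1 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.pem" -subj "/CN=Unrelated CA" -days 1 >/dev/null 2>&1
  # Server key + CSR, then the internal CA signs it.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=host.domain.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" \
    -days 1 >/dev/null 2>&1
}

# verify_with <cafile>: chain-verify the server certificate against the
# given trust store; prints "trusted" or "untrusted".
verify_with() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_chain
# A client whose trust store lacks the issuing CA (the situation in the
# question) cannot build a chain, which is the "Unknown Authority" error.
echo "store without internal CA: $(verify_with "$WORK/other.pem")"
# A client that has imported ca.pem into its trusted roots accepts the
# same server certificate unchanged.
echo "store with internal CA:    $(verify_with "$WORK/ca.pem")"
```

Nothing about the server certificate changes between the two runs; only the client's trust store does. That is why opening firewall ports to the certificate server does not help, and why the only options are distributing the internal CA certificate to every client (what the first reply describes) or buying a certificate from a CA the browsers already ship with (what the accepted answer recommends).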

