SSL Certificate Error

We are in a web-restricted network. We are only able to access certain web pages from the network. One of the websites that we visit is an HTTPS page. We are getting a certificate error message when we visit the HTTPS page. It works fine if we disable the web filter. Is there any way to find out what we need to add to our filter so we don't get the certificate error when accessing the page?

The certificate is Entrust.net Certification Authority (2048).

*We've added entrust.net/entrust.com but it is still not working.
schang626 asked:
 
xterm commented:
Then something is not working properly with your web filter - you should escalate to the vendor directly.  Some part of the stream is being interrupted in a way that the browser thinks it's seeing an invalid certificate.
0
 
Kent Dyer, IT Security Analyst Senior, commented:
But..  That is not good enough.

You need to open the DNS or IP through your networking from your internal to the external networking (Intranet to Internet).

HTH,

Kent
0
 
uescomp commented:
That is because your certificate is probably expired or is not trusted/authorized on the server.  For instance, I purchased a UCC cert for our Exchange server to utilize OWA and Outlook Anywhere.  Check your server and see if it is a self-signed certificate and if it's expired.
0

 
schang626 (author) commented:
I'm not sure what you mean. Can you explain it in detail, and the steps to get it to work? Thanks.
0
 
Paul MacDonald, Director, Information Systems, commented:
When you say you've "added entrust", are you saying you believe your web filter allows you access to that domain?  You might want to get in touch with them and see if their CRL is hosted elsewhere or under another domain name.
0
 
schang626 (author) commented:
We don't have a web server. We are accessing a bank's web page.
0
 
xterm commented:
Just to confirm:

- You are attempting to visit a bank's site [can we know the URL of that site to look at the certificate?]
- You get a certificate error [what is that exact error?]
- You turn off your web filter, the error goes away [what web filter are you using - is this a 3rd party device on your network, or software installed on the client machines?]

My initial guess is that perhaps you got the cert errors in your browsers all along, but at one time just stored an exception on the client machine so that it doesn't hassle you every time.  Then you added a new web content filter device which isn't having any of that.  Am I close?
0
 
Kent Dyer, IT Security Analyst Senior, commented:
Like has been said before..  Your cert is probably expired or the bank's is expired.  Grab a copy from the bank and look at the expiration and install to your workstation as needed..

HTH,

Kent
0
 
Hendrik Wiese, Information Security Manager, commented:
You would have to add the bank URL including the https if you can, or just the entire bank URL with a * at the beginning and end of the filter.

Try it and let me know if it works?
0
 
schang626 (author) commented:
tdcanadatrust.com is the website. I noticed that it is happening on more than one HTTPS web page, but not all of them.
We are using a Fortinet router with built-in web filter.

We had * at the beginning of the filter, so that's not it. We can still access the page, but with a certificate warning.
Capture1.JPG
0
 
schang626 (author) commented:
TD has VeriSign CA. Entrust was for another HTTPS website.
0
 
xterm commented:
Are you saying if you disable the web filter on the Fortinet router, you do not get the certificate warnings in your web browser???

Are you accessing the site by name "tdcanadatrust.com" or "www.tdcanadatrust.com"?
0
 
schang626 (author) commented:
Yes, when we disable the web filter we do not get the warning in the web browser. After we turned the filter back on, the testing machine doesn't get the warning also. However, we do not want to disable the web filter in our work environment. I'm assuming something is being blocked by the filter.

We are accessing www.tdcanadatrust.com
0
 
xterm commented:
"the testing machine doesn't get the warning also"

So are you saying that you turn the filter off, use the testing machine to go to the site, and store that certificate, then turn the filter back on, and the testing machine works fine after that, even with the filter enabled?
0
 
schang626 (author) commented:
yes
0
 
Kerem ERSOY, President, commented:
Hi,

It seems to me that your Web Filter is acting on your behalf and acts as a Man-In-The-Middle gateway as we say. This means that it is intercepting the SSL traffic. It is sending its own self-signed certificate to you. Then encrypts the traffic to be able to inspect it. After checking the contents it encrypts again with the bank's certificate and communicates with it using the data that it decrypts from your traffic.

Most commercial Web Proxies do that. This is because it wants to inspect the SSL traffic. Normally what you would do is to follow instructions of your Web Filter vendor and either add its root signing certificate in your individual system "Trusted Root" certificates. In corporate environments this is achieved by adding a policy in the AD and embedding the certificate so that every AD user will get a copy of it through policy application.


Cheers,
K.

0
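One way to confirm from a client that a filter is re-signing HTTPS traffic, as the answer above describes, is to look at who issued the certificate the client actually receives. This is an added example, not part of the original thread; the sample certificates, the "Example Web Filter" issuer name and the function names are constructed for illustration, and the dict layout is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

def _flatten(rdns):
    """Turn getpeercert()'s tuple-of-RDN-tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def classify(cert, expected_orgs):
    """Label a certificate by its issuer, given the CA names you expect."""
    issuer = _flatten(cert.get("issuer", ()))
    subject = _flatten(cert.get("subject", ()))
    if issuer and issuer == subject:
        return "self-signed"
    org = issuer.get("organizationName", "").lower()
    if any(name.lower() in org for name in expected_orgs):
        return "expected-issuer"
    # Chain validated (or was supplied) but a different CA signed the leaf:
    # typical when an inspecting proxy's CA is already trusted on the client.
    return "unexpected-issuer"

def probe(host, expected_orgs, port=443, timeout=5):
    """Connect with normal verification and report what the client sees."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Same condition the browser warns about: chain not anchored in a
        # trusted root (e.g. the filter's CA is not installed on this host).
        return "untrusted-chain: " + err.verify_message
    return classify(cert, expected_orgs) + ": " + str(_flatten(cert["issuer"]))

def _cert(subject_cn, issuer_org, issuer_cn):
    """Build a constructed sample in getpeercert() layout."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("organizationName", issuer_org),),
                       (("commonName", issuer_cn),))}

# Constructed samples: same site seen with the filter off and with it on.
DIRECT = _cert("www.tdcanadatrust.com", "VeriSign, Inc.", "Constructed Issuing CA")
FILTERED = _cert("www.tdcanadatrust.com", "Example Web Filter", "Example Inspection CA")
SELF_SIGNED = {"subject": ((("commonName", "filter.example"),),),
               "issuer": ((("commonName", "filter.example"),),)}

if __name__ == "__main__":
    for label, sample in (("direct", DIRECT), ("filtered", FILTERED)):
        print(label, "->", classify(sample, ["VeriSign"]))
```

Running `probe("www.tdcanadatrust.com", ["VeriSign"])` once with the filter enabled and once with it disabled shows whether the issuer changes between the two paths.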
Question has a verified solution.
