SSL Certificate Error

We are in a web restricted network. We are only able to access certain web pages from the network. One of the websites that we visit is an https page. We are getting a certificate error message when we visit the https page. It works fine if we disable the web filter. Is there any way to find out what we need to add to our filter so we don't get the certificate error when accessing the page?

the certificate is Certification Authority (2048)

*we've added but is still not working

Kent Dyer, IT Security Analyst Senior, Commented:
But..  That is not good enough.

You need to open the DNS or IP through your networking from your internal to the external networking (Intranet to Internet).


That is because your certificate is probably expired or is not trusted/authorized on the server.  For instance, I purchased a UCC cert for our Exchange server to utilize OWA and Outlook Anywhere.  Check your server and see if it is a self-signed certificate and if it's expired.
schang626, Author, Commented:
I'm not sure what you mean. Can you explain it in detail, and the steps to get it to work? Thanks.

Paul MacDonald, Director, Information Systems, Commented:
When you say you've "added entrust", are you saying you believe your web filter allows you access to that domain?  You might want to get in touch with them and see if their CRL is hosted elsewhere or under another domain name.
schang626, Author, Commented:
We don't have a web server. We are accessing a bank's web page.
Just to confirm:

- You are attempting to visit a bank's site [can we know the URL of that site to look at the certificate?]
- You get a certificate error [what is that exact error?]
- You turn off your web filter, the error goes away [what web filter are you using - is this a 3rd party device on your network, or software installed on the client machines?]

My initial guess is that perhaps you got the cert errors in your browsers all along, but at one time just stored an exception on the client machine so that it doesn't hassle you every time.  Then you added a new web content filter device which isn't having any of that.  Am I close?
Kent Dyer, IT Security Analyst Senior, Commented:
Like has been said before..  Your cert is probably expired or the bank's is expired.  Grab a copy from the bank and look at the expiration and install to your workstation as needed..


Hendrik Wiese, Information Security Manager, Commented:
You would have to add the bank url including the https if you can or just the entire bank url with a * at the beginning and end of the filter.

Try it and let me know if it works?
schang626, Author, Commented:
is the website. I noticed that it is happening on more than 1 https web page but not all of them.
We are using a Fortinet router with a built-in web filter.

We had * at the beginning of the filter so that's not it. We can still access the page but with a certificate warning.
schang626, Author, Commented:
td has VeriSign CA. Entrust was for another HTTPS website.
Are you saying if you disable the web filter on the Fortinet router, you do not get the certificate warnings in your web browser???

Are you accessing the site by name "" or ""?
schang626, Author, Commented:
Yes, when we disable the web filter we do not get the warning in the web browser. After we turned the filter back on, the testing machine doesn't get the warning also. However, we do not want to disable the web filter in our work environment. I'm assuming something is being blocked by the filter.

we are accessing
the testing machine doesn't get the warning also

So are you saying that you turn the filter off, use the testing machine to go to the site, and store that certificate, then turn the filter back on, and the testing machine works fine after that, even with the filter enabled?
schang626, Author, Commented:
Then something is not working properly with your web filter - you should escalate to the vendor directly.  Some part of the stream is being interrupted in a way that the browser thinks it's seeing an invalid certificate.

Kerem ERSOY, President, Commented:

It seems to me that your Web Filter is acting on your behalf and acts as a Man-In-The-Middle gateway, as we say. This means that it is intercepting the SSL traffic. It is sending its own self-signed certificate to you. Then encrypts the traffic to be able to inspect it. After checking the contents it encrypts again with the bank's certificate and communicates with it using the data that it decrypts from your traffic.

Most commercial Web Proxies do that. This is because it wants to inspect the SSL traffic. Normally what you would do is to follow instructions of your Web Filter vendor and either add its root signing certificate in your individual system "Trusted Root" certificates. In corporate environments this is achieved by adding a policy in the AD and embedding the certificate so that every AD user will get a copy of it through policy application.
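
One way to tell the causes raised in this thread apart (expired certificate, self-signed certificate, or a filter re-signing the session), as an added example that is not part of the original thread. It uses only the Python standard library; the host names are passed on the command line, and the cause descriptions in `CAUSES` are this example's own wording for OpenSSL's verify codes.

```python
import hashlib
import socket
import ssl
import sys

# OpenSSL verify codes mapped to the causes debated in this thread.
CAUSES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "chain ends in a root this machine does not trust (typical of TLS inspection)",
    20: "issuer not in the local trust store (typical of TLS inspection)",
    62: "certificate does not match the host name",
}

def interpret(verify_code):
    """Translate an OpenSSL verify code into a likely cause."""
    return CAUSES.get(verify_code, f"other verification failure (code {verify_code})")

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def verify_result(host, port=443, timeout=5):
    """Handshake against the system trust store: None if valid, else (code, cause)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as err:
        return err.verify_code, interpret(err.verify_code)

def leaf_fingerprint(host, port=443, timeout=5):
    """Fingerprint of whatever certificate is presented, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # handshake only; no application data is sent
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))

def same_certificate(fp_behind_filter, fp_direct):
    """Compare two fingerprints taken with the filter on and with it off."""
    return fp_behind_filter.lower() == fp_direct.lower()

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, verify_result(host), leaf_fingerprint(host))
```

Run it once behind the filter and once with the filter disabled, then compare the two fingerprints. Large sites can serve different certificates from different front ends, so treat a mismatch as a lead and confirm by checking the issuer shown in the browser's certificate viewer.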

