I feel terribly ignorant on this subject.  Everywhere I've looked seems to be a collection of highly technical stuff and not much in the way of practical things.  I don't mind reading the technical stuff but if it only tells me how things are supposed to work, etc. etc. and not how to fix my problems then it's not all that much use.  
There must be a pony in there somewhere!!

Some things I've found are just way too technically complex for an average user.  So, while I may be a bit of an expert on some things and could probably wade through it all, I just cannot imagine that normal folks have to deal with intricate instructions and command line instructions, etc. etc.  There must be a better way  - and that's what I'm trying to find.

Cases in point:

I go to "webmail.drroofinc.com" which is hosted by linknowmedia.
I get a Certificate Error.
I told the mail service provider about it and they said that I have to "download a certificate into my browser" .. I'm not sure what that means or how to do it.

I have some newer "Cisco" RV042 routers (V03).  If I set up the management interface for https then I get the same thing.  I'm pretty sure that there's nobody I can go to to "solve" this.  I figure I have to solve it myself.

Now, sure, I can just bypass the warning but the purpose of this question is to learn how to do something better than that.
LVL 27
Fred MarshallPrincipalAsked:
Who is Participating?
Jakob DigranesConnect With a Mentor Senior ConsultantCommented:
Just to add to @multimacs comment:
-EDITED --- Sorry; @multimac did explain this -- leaving it in the comment, as the rest depend n it: - Certificates that are self-signed and certificates signed by an untrusted root are quite different things. I guess we have the same opinion on the error.

On the firewall the certificate is indeed self-signed - and as mentioned earlier - don't bother with that.

But for the webmail, the error might as well be that the certificate is from an untrusted root. This could be untrusted because it's from an internal PKI solution, or it might be that the Trusted Root Certificate, or certificate chain, isn't in your PCs Trusted Root Authority store. I've come across this several times in different Lync/Exchange installations, partiularly Comodo/Entrust/UserTrust certificates, which indeed are a trusted 3rd party is missing. To veriify this - open certificate that the website is secured with, go to details and look at certificate chain. This will tell you if the certificate is self-signed, from an internal untrusted root CA or from a 3rd party public CA - that your windows installation doesn't trust. As they say - you can downlod root certificate to your trusted authorities store and then be able to trust the certificate.

But - more importantly - if this is your webmail, make sure that is secured with a valid 3rd party certificate from a trusted CA, like thawte, DigiCert or OpenSSL.
Saying that proper trusted certificates from public CAs are only there for the CAs to get the cash from you is absolutely bs - and wrong.
google PHISHING and that will give you quite a few hints. Without a valid certificate, an attacker can easily set up fake webmail page, redirect all requeste to that page, have your users log in to that page - thus getting usernames and passwords, which he easily could use later on.
With a valid certificate - you know that the webpage is secured by someone with access to that URL, and computer

Certificates and securing login portals is essential (!)
when you get the cert error you probably have the choice to view the certificate or continue on.  choose to view the cert and then you should get the option to install.  Install the cert. let IE choose the location as this works most of the time. You should get a successful install response, once you do this you won't get the certificate error anymore.
multimacConnect With a Mentor Commented:
I am not sure how to help you?

The reason you got a warning for the certificate @  "webmail.drroofinc.com" is easy: Its self-signed, and not signed by some "trustful" certificate authority that your computer or your browser have already known before or was imported by the operating system or browser vendor. Same thing goes to your CISCO-Router.

There are now two possibilities:
a.) You accept the "not trustful" certificate. Most browsers have some 'Accept Always'-button for this.
b.) You go ahead and buy some "real" certificate e.g. for your CISCO-Router. But thats just  wasted money as long as you are the only person to connect.

Another thing to understand is the following: The kind of a SSL certification does not decide the privacy or the encryption of the connection. Its just more a hint that "Company $CA checked for $$$$ money that the domain or the host you connect is under property of company $BUYER".
Fred MarshallPrincipalAuthor Commented:
OK.  I played around a bit with IE8 and Chrome using a new RV042.
First, I had to figure out on my own that if one clicks on the "warning icon" then there MAY be some actions one can take:
e.g. on IE if one clicks on "Continue to this website"
THEN in the address bar there is a short section that says: "Certificate Error".
IF one clicks on that secton of the address bar, a popup appears that says:
"Certificate Error" and gives an option: View Certificate.
Then, depending on the OS:

In Windows XP it gives you the option to Install Certificate and you can either allow automatic selection of the "store" or you can manually select a store from a provided list.
In one case it says: "To enable trust, install this certificate in the Trusted Root Certification Authorities store.
So, I did that and there is no difference in how the browser behaves.  It's as if nothing had been done.

In Windows 7 it doesn't provide that option at all that I can tell.

Chrome doesn't appear to provide a similar option that I can tell.

All that said, while *I* can ignore warnings with perhaps reasonable judgement, that's not the case for my clients.  I don't want to tell them to ignore a warning from an outside website for the obvious reasons.  So, I need the warning to go away using some up-front judgement and preparation.

If I didn't say it, I have not been able to get rid of the warning on either the RV042 or the webmail site on any of the three computers I have here in front of me.  Except for the XP/Win7 difference and the IE/Chrome differences - they all behave the same.
Fred MarshallPrincipalAuthor Commented:
I never did figure out how to get the browser to "accept" the certificates once and for all....
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.