Certificate cannot be verified up to trusted certification authority

mike2401
We have an Exagrid server (de-duplicating storage device which is running some flavor of linux) on our internal network.

Its IP address is 10.1.1.40

It issued its own self-signed certificate:  Certificate Path = "Exagrid Local Root CA \ Exagrid Local Site CA \ dev1.ourdomain.com"

When I browse to:  httpS://10.1.1.40  (or to httpS://exagrid.mydomain.com),  I get the error: "Certificate cannot be verified up to trusted certification authority"

Question: what's the best practice so that any client on our internal network can talk httpS to this internal exagrid linux server?

Should the exagrid folks provide me a certificate that I'm supposed to distribute to all the clients on our internal windows network?

Or, am I supposed to get a public certificate for exagrid.mydomain.com which would resolve to an internal 10.1.1.40 address?

Exagrid provided me a file named: cacert.pem; I'm not sure what to do with this.

Thanks and sorry if this is a really dumb question.

Mike
Software Engineer
Distinguished Expert 2018
Commented:
Self signed says it all: the certificate tells your browser "trust ME, really trust me."

Normal certificates say: "Trust me, ask my signer for it." All the way up the chain of certificates.
Your system has a store of CA certificates it does ultimately trust.
If the chain ends in one of those trusted certificates, then the certificate is trusted.

You can run your own CA using e.g. QCA ( https://userbase.kde.org/QCA ) or XCA ( https://hohnstaedt.de/xca/ ).
If the box supports LetsEncrypt, use that.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
As noci said, if you use self signed certs then no browser, email client, or any code will ever trust your cert... until you upload the issuance chain into every client.

You will then have to repeat this anytime any part of your issuance chain expires.

So... a huge amount of work... error prone... requires massive staff answering tech questions, if you have many clients where you must constantly install issuance chain certs.

Far better to just use, as noci suggested, free https://LetsEncrypt.org certs (simple or wildcard) which are accepted by every recent client... where recent means every client over past 5-10 years.

Tip: Self signed CAs used to be widely used when you had to cover 100s or 1000s of random hosts with SSL certs, where you were trying to save on the cost of certs. Those days have been gone for years now, since LetsEncrypt began providing free certs.
Top Expert 2016

Commented:
You can still connect via https with an untrusted certificate; the browser will keep warning you, though.

Author

Commented:
Thanks!!! I added the .PEM file via GPO: Computer | Windows | Public Key Policies | Trusted Root Certification Authorities.

I decided to scope the GPO to just IT users, so I think we're good now.

Thanks!
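As an added example (not from the thread or from Exagrid), the script below rebuilds a chain shaped like the one in the question, Exagrid Local Root CA -> Exagrid Local Site CA -> dev1.ourdomain.com, with throw-away keys, and then checks the appliance certificate the way a client does: first with nothing trusted, then with the root (what a file like cacert.pem holds) trusted, and finally with the name the user typed checked against the certificate. It shows why pushing cacert.pem into Trusted Root fixes the chain error but does not make https://10.1.1.40 clean, since the certificate names dev1.ourdomain.com and no IP address. Assumes the openssl command line tool is installed; all names and keys are constructed here.

```shell
#!/bin/sh
# Constructed demo chain: root -> site CA -> appliance cert (not real Exagrid material).
set -e
WORK=$(mktemp -d); cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly; set -e still aborts on failure

# One key and CSR per subject (file prefix after the colon)
for s in "Exagrid Local Root CA:root" "Exagrid Local Site CA:site" "dev1.ourdomain.com:dev1"; do
  q openssl req -new -newkey rsa:2048 -nodes -keyout "${s#*:}.key" -out "${s#*:}.csr" -subj "/CN=${s%%:*}"
done

# Extensions: the two CAs may sign certificates; the leaf only names the appliance host
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dev1.ourdomain.com\n' > dev1.ext

# Root signs itself (this is the kind of thing cacert.pem contains),
# root signs the site CA, site CA signs the appliance certificate
q openssl x509 -req -in root.csr -signkey root.key -out cacert.pem -days 2 -extfile ca.ext
q openssl x509 -req -in site.csr -CA cacert.pem -CAkey root.key -CAcreateserial -out site.pem -days 2 -extfile ca.ext
q openssl x509 -req -in dev1.csr -CA site.pem -CAkey site.key -CAcreateserial -out dev1.pem -days 2 -extfile dev1.ext

# check TRUSTFILE [NAMEOPT NAME]: validate dev1.pem as a client would.
# The chain must end in a root in the trust store, and, when a name option is
# given, the name the client typed must appear in the certificate. Prints OK or FAIL.
check() {
  if [ -n "$1" ]; then store="-CAfile $1"; else store="-no-CAfile -no-CApath"; fi
  if openssl verify $store -untrusted site.pem ${2:+$2 $3} dev1.pem >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

echo "nothing trusted:                    $(check "")"
echo "cacert.pem trusted:                 $(check cacert.pem)"
echo "typed https://dev1.ourdomain.com:   $(check cacert.pem -verify_hostname dev1.ourdomain.com)"
echo "typed https://exagrid.mydomain.com: $(check cacert.pem -verify_hostname exagrid.mydomain.com)"
echo "typed https://10.1.1.40:            $(check cacert.pem -verify_ip 10.1.1.40)"
```

The last two lines fail even with the root trusted: a client only stops warning when the name it connected with is listed in the certificate, so the appliance certificate has to carry the DNS name (or IP) people actually browse to.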
