The browser indicates a problem with the site's security certificate when logging into SSL-VPN
12/20/2019
Description
When a user connects to an SSL-VPN appliance (SMB or E-Class), he or she may see a warning from the browser about the appliance's security certificate. It may look similar to one of the following warnings:
Internet Explorer 5.x, 6.x warning
Internet Explorer 7.x, 8.x warning
Firefox 3.0.x warning
This error can be caused by any combination of the following factors:
- The certificate in the SSL-VPN appliance is not trusted by the browser.
- The name on the certificate does not match the name in the browser's address bar.
- The issuer is untrusted or the CA certificate is not imported into the browser.
- The certificate in the SSL-VPN appliance may be expired.
A self-signed certificate will never be a trusted certificate, unless a user instructs the browser to trust that certificate.
Web browsers are programmed to issue a warning if the above conditions are not met precisely. This security mechanism is intended to ensure end-to-end security, but often confuses people into thinking something is broken. If you are using the default self-signed certificate, this error will appear every time a web browser connects to the SSL-VPN appliance. Unless someone is performing a man-in-the-middle attack and has hijacked your SSL-VPN appliance and its private encryption key, this warning can typically be safely ignored. The connection between your browser and the appliance will still be SSL-encrypted.
If you do not want this error to happen, you will either need to purchase and install a commercially-signed SSL certificate onto the SSL-VPN appliance, or follow the suggested workarounds below. You can obtain commercially-signed certificates from a variety of vendors.
Resolution
Depending on the reason you are getting the certificate warning, here are some workarounds:
Make sure the name in the address bar matches the name on the certificate
The workaround above assumes that your certificate is trusted by the browser. For example, you'll see a warning from your browser if the subject of the certificate is the hostname of your SSL-VPN appliance, but you're accessing it by something other than that hostname. For instance, if you access the appliance by IP address, then your browser will warn you about a mismatch between the certificate's subject and the address you accessed.
Add the issuer's CA certificate to the browser's certificate list
You can configure your browser to trust the certificate being presented by performing the following steps:
Internet Explorer 5.x, 6.x:
- When you receive the certificate warning prompt, click View Certificate.
- Click Install Certificate...
- Step through the following prompts, accepting the defaults, and instruct Internet Explorer to automatically store the certificate in the appropriate location.
- The final window you see will be a prompt asking you to verify the certificate's thumbprint. Click Yes.
Internet Explorer 7.x, 8.x:
- After receiving the certificate warning, click Continue to this website (not recommended).
- Next to the address bar there will be a warning about a certificate error. Click on this warning. A small menu will appear. Click on View Certificates.
- Click Install Certificate...
- Step through the following prompts, accepting the defaults, and instruct Internet Explorer to automatically store the certificate in the appropriate location.
- The final window you see will be a prompt asking you to verify the certificate's thumbprint. Click Yes.
Firefox 3.0.x:
- After receiving the certificate warning, click Or you can add an exception.
- Click Add Exception...
- Make sure the proper address is in the Location menu and then click Get Certificate.
- Click Confirm Security Exception.
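The Internet Explorer steps above end with a prompt to verify the certificate's thumbprint. As an added example (not part of the original article and not vendor code), the Python script below computes that thumbprint for a certificate and compares it with a value obtained from the appliance administrator through a separate channel. The host name `vpn.example.com` and the sample certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import ssl

# Internet Explorer displays a SHA-1 thumbprint (40 hex digits);
# SHA-256 (64 hex digits) is the common alternative.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(text: str) -> str:
    """Drop the separators browsers print ('AB:CD', 'ab cd') and lowercase."""
    digits = "".join(text.split()).replace(":", "").lower()
    if len(digits) not in ALGO_BY_HEX_LEN or set(digits) - set("0123456789abcdef"):
        raise ValueError("expected a 40- or 64-digit hexadecimal thumbprint")
    return digits


def thumbprint(pem: str, algo: str = "sha256") -> str:
    """Hash the DER encoding of a PEM certificate, which is what browsers show."""
    return hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches(pem: str, expected: str) -> bool:
    """True only if the certificate hashes to the out-of-band thumbprint."""
    want = normalize(expected)
    got = thumbprint(pem, ALGO_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a host presents, without validating it (needs network)."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in: PEM armor around arbitrary bytes, not a real certificate.
SAMPLE_DER = b"constructed bytes standing in for the appliance's DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Constructed "known-good" value; in practice the appliance administrator
    # reads it from the appliance and passes it on by a separate channel.
    known_good = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    print("match" if matches(SAMPLE_PEM, known_good) else "MISMATCH: do not install")
    # Live check (hypothetical host name):
    # matches(fetch_pem("vpn.example.com"), "<thumbprint from administrator>")
```

A mismatch means the certificate presented to the browser is not the one on the appliance, so it should not be installed or added as an exception.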