Internet Explorer – ‘There is a problem with this website’s security certificate’

KB ID 0000994 

Problem

While browsing to a website with an https:// address you may come across the following error;

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority

and/or

The security certificate presented by this website was issued for a different website address.

Security certificate problems may indicate an attempt to fool you or intercept data you send to the server.

We recommend that you close this webpage and do not continue to this Web site.

Solution

Before you proceed: if you see this error on a LOT of different websites, the date and time on your computer are probably set incorrectly. Certificates are only valid between two dates, and a badly wrong clock puts every certificate outside its validity period.

This may look like a very scary error, and the default action (the green tick option) is NOT to proceed. But let’s look at this error sensibly. If you are on a website with your credit card out ready to buy something, STOP! If you are about to enter personal details into something, then again STOP!

However, if you are going to a website that your IT department has told you to use (email access, a corporate website, etc.) then click the RED option, Continue to this website (not recommended). Even then, it is worth clicking the certificate error to see who issued the certificate; if it is not the CA your IT department uses, stop and ask them.

Why are you seeing this error?

Well, it’s to do with the digital certificate this website is presenting to your browser. If you have ever shopped online you may have been told to look for the small padlock to make sure the site is secure.

That’s because the website is presenting you with a certificate, and your browser ‘TRUSTS’ that certificate. If there was a problem with the certificate and your browser did not trust it, you would be presented with the error above.

OK So What Is a Certificate?

As far as web browsing is concerned a Digital Certificate does two things;

1. Encryption: The public key in the certificate is used to set up an encrypted session, so the information exchanged between your browser and the server you are talking to is encrypted. This happens whether you trust the certificate or not.

2. Identity: It is used to prove that the server you are talking to is who it says it is.

The error you are seeing is related to Identity. This DOES NOT necessarily mean the site is a fake (but if you’re unsure, let’s tread carefully). Bear in mind that encryption without identity is worth little: if someone is sitting between you and the site, your data is encrypted to them, which is exactly the ‘intercept’ case the warning mentions. The original error above is telling us two things;

The security certificate presented by this website was not issued by a trusted certificate authority

This means your computer does not trust the CA (Certification Authority) that created and issued this certificate. Anyone can set up a CA (have a search on this site, I’ve set them up for Exchange email servers, VPNs and a ton of other reasons). Certificates from a private CA like this are usually (loosely) referred to as ‘Self Signed’; strictly speaking it is the CA’s own root certificate that is self-signed, and the website certificate is signed by that untrusted root. So if I (or anyone else) set up a CA and issued a certificate, your browser would not trust it. Without a lengthy and boring description of how PKI works: you trust every CA whose ‘Trusted Root CA Certificate’ is in your computer’s trust store, and once a root is there you trust every certificate issued by that CA (and by any intermediate CAs it has signed).

To prove it, let’s inspect the PayPal example above and take a look at the certificate it’s presenting.

This certificate is trusted because;

1. Issued to: This name MUST match the host name in the address you typed into the browser.*

2. Issued By: The CA that signed and issued it is one we trust (VeriSign).

3. Valid From / Valid To: It is in date. Certificates expire, and they are not valid before their start date either, so if the date and time are very wrong on your computer you will see loads of these errors!

*Note: A certificate can carry more names in another section called Subject Alternative Name (SAN). Newer browsers (Chrome, Firefox, Edge) match the address against the SAN list and ignore ‘Issued to’ altogether, so a public web certificate today always lists its host name(s) in the SAN; in the Windows certificate viewer they are under Details > Subject Alternative Name.

So Who Do We Trust?

Your PC comes ‘pre-loaded’ with a bunch of trusted CA certificates, which get updated and renewed periodically (Windows Update adds and removes roots over time). If you want to see them, do the following;

Note: You need to be a computer administrator to do this. If you are NOT, go to IE Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities; you will see the same list.

1. Windows Key +R > mmc {Enter}.

2. File > Add/Remove Snap-in > Certificates > Add.

3. Computer Account > Next > Local Computer > Finish > OK.

4. Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates > Down near the bottom you will see the VeriSign CA certificates that you trust.

To Summarise, The PayPal website works (without an error) because;

1. You Trust the CA that issued its certificate.

2. The ‘Name’ on the certificate matches the address you typed in the browser. If it didn’t, we would see (as in our first error):

The security certificate presented by this website was issued for a different website address.

3. The certificate that the website presents is in date.

If any of these things were not correct you would see the error ‘There is a problem with this website’s security certificate’.
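The three checks above can be reproduced on a test bench. The script below is an added example and is not code from the original article: it builds a throwaway private CA with openssl (the names Demo Private CA, Some Other CA and shop.example.test are invented for the demo), issues a two-day certificate for a pretend website, and then asks openssl the same three questions the browser asks, with a trust store that does or does not contain the root, a typed host name that does or does not match, and a clock that is right or a year out. Nothing on the network is contacted.

```shell
#!/bin/sh
# Added example, not code from the original article. It recreates with openssl
# the three checks described above (trusted issuer, name match, validity dates)
# against a throwaway private CA. "Demo Private CA", "Some Other CA" and
# shop.example.test are invented for the demo; nothing on the network is contacted.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# A private CA of the kind "anyone can set up". Its root certificate is self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Demo Private CA" -keyout ca.key -out ca.crt 2>/dev/null

# An unrelated CA, standing in for "a root the browser trusts that did NOT issue our cert".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Some Other CA" -keyout other.key -out other.crt 2>/dev/null

# The web site's certificate, issued by Demo Private CA and valid for two days.
# The host name goes in the Subject Alternative Name as well as the CN.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=shop.example.test" -keyout site.key -out site.csr 2>/dev/null
printf 'subjectAltName=DNS:shop.example.test\n' > san.ext
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -sha256 -extfile san.ext -out site.crt 2>/dev/null

# classify STORE HOST EPOCH
#   STORE = file holding the root certificates this "browser" trusts
#   HOST  = the host name the user typed in the address bar
#   EPOCH = what the computer thinks the time is, in seconds since 1970
# Prints the first of the three checks that fails, or "ok".
classify() {
  if ! openssl verify -CAfile "$1" -no_check_time site.crt >/dev/null 2>&1; then
    echo "untrusted-ca"    # "not issued by a trusted certificate authority"
  elif ! openssl verify -CAfile "$1" -no_check_time -verify_hostname "$2" site.crt >/dev/null 2>&1; then
    echo "name-mismatch"   # "issued for a different website address"
  elif ! openssl verify -CAfile "$1" -attime "$3" -verify_hostname "$2" site.crt >/dev/null 2>&1; then
    echo "out-of-date"     # expired, not yet valid, or the PC's clock is wrong
  else
    echo "ok"
  fi
}

NOW="$(date +%s)"
YEAR=$((365 * 86400))
echo "root trusted, right name, right time : $(classify ca.crt    shop.example.test "$NOW")"
echo "root not in the trust store          : $(classify other.crt shop.example.test "$NOW")"
echo "typed www. instead of shop.          : $(classify ca.crt    www.example.test  "$NOW")"
echo "PC clock one year fast               : $(classify ca.crt    shop.example.test "$((NOW + YEAR))")"
echo "PC clock one year slow               : $(classify ca.crt    shop.example.test "$((NOW - YEAR))")"
```

The last two lines are the ‘date and time set incorrectly’ case from the top of the article: the certificate is perfectly good, but a clock a year out in either direction makes openssl (and IE) reject it, which is why a wrong clock produces this error on every site rather than just one.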

Related Articles, References, Credits, or External Links

NA


Cisco ASA 5500 – Using a Third Party Digital Certificate

(For Identification, AnyConnect, and SSL VPN)

KB ID 0000694

Problem

A client asked me how to do this, so off I went to the test bench to work it out.

Note: In this example I’m going to submit the request to, and issue the certificate from, my own Windows domain certificate authority; you would send your request to a third party certificate authority (here’s a direct link to the certificate type you require). To use your own CA, every client connecting to the ASA would need to trust that CA.

Solution

Certificates are date specific, so we need to make sure your firewall knows the correct date and time.

1. Connect to the ASA via ASDM > Configuration > Device Setup > System Time > Set the time and time zone correctly.

Note: As shown, from the command line simply enter “show clock”.

2. Configuration > Device Management > Certificate Management > Identity Certificates > Add > New > Supply a key pair name > Generate Now.

Note: If using DigiCert, change the Key Size to 2048 or you will see this error when you attempt to get your certificate (2048 bits is the minimum any public CA will accept for an RSA key today, so do this whichever vendor you use):

Something is wrong. The CSR uses an unsupported key size, please generate a new CSR with a key size of at least 2048 bits.

3. Select > Set each attribute, and add it one by one (as shown) > OK.

4. Advanced > Set the FQDN to the SAME name you entered for the CN in step 3 > OK > Add Certificate.

5. Choose a location to save the certificate request.

6. Locate and open the certificate request and it should look something like this.

Note: This is the information your certificate vendor will require.

7. Once your request has been processed, the certification authority should send you a certificate. (Note: some vendors may send you a text file that you need to rename from filename.txt to filename.cer before Windows will open it like this.)

8. With the certificate open (as above) > Certification Path > Select the Issuing Certificate Authority > View Certificate > Details > Copy to File.

Note: You need to import the root certificate and, depending on the vendor, any intermediate certificates; I’ve shown an example from two major vendors to illustrate.

9. Select “Base-64 encoded…” > Next.

10. Save the cert somewhere you can find it.

11. Open it with notepad, and it should look like this > Select ALL the text.

12. Back at the ASDM > Configuration > Device Management > Certificate Management > CA Certificates > Add > Paste certificate in PEM format > Paste in the text > Install Certificate.

13. Repeat the process for any other root CA or intermediate certificates. Then go back to step 8 and export the web certificate itself (in this case select vpn.petenetlive.net and export it to a file, open that in Notepad and copy the text to the clipboard).

14. Back in the ASDM, this time you need to install the Identity Certificate (this is the one you paid for!) > Select the pending request from earlier > Install > Paste in the text > Install Certificate > Apply.

15. To enable the certificate on the outside interface > Configuration > Device Management > Advanced > SSL Settings > outside > Edit > Select the new one from the list > OK > Apply.

16. Note: If you configure your AnyConnect VPNs later, this is the point in that setup where you would select the new certificate.

17. Make sure you can resolve the name on the CN of your certificate and that you can reach the ASA on that name from a client machine. Clients must connect using that name, not the IP address, or the name check fails and they get a certificate warning anyway.

18. Now you should be able to connect without certificate warnings.

19. Don’t forget to save the settings on your ASA (File > Save Running Configuration to Flash).
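Before pasting anything into ASDM it is worth checking the files you have in hand, because a bad key size (step 2), a CN that is not the name clients will use (steps 3, 4 and 17), a certificate issued for somebody else’s request (step 14) or a missing intermediate (steps 12 and 13) each cost a round trip with the vendor or a failed install. The script below is an added example, not code from the original article and not ASA configuration. It generates stand-ins for the ASA’s CSR and for a vendor’s root, intermediate and identity certificate (Demo Root CA, Demo Issuing CA and vpn.example.test are invented names), then runs the openssl checks I would apply to the real files.

```shell
#!/bin/sh
# Added example (not from the original article, and not ASA code): the checks I
# would run with openssl on the CSR the ASA produced (step 6) and on what the
# vendor sends back (steps 7-13) before pasting anything into ASDM.
# The ASA's key pair, the vendor's root and intermediate, and the host name
# vpn.example.test are all stand-ins generated here; nothing real is contacted.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Stand-in for steps 2-5: two CSRs, one with the 1024-bit key DigiCert rejects, one with 2048.
gen_csr() {  # gen_csr BITS FQDN OUTBASE  (CN and SAN both set to FQDN, as in steps 3-4)
  openssl req -new -newkey "rsa:$1" -nodes -sha256 \
    -subj "/C=GB/O=Example Ltd/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
}
gen_csr 1024 vpn.example.test weak
gen_csr 2048 vpn.example.test asa

# Stand-in for the vendor: a root CA, an issuing (intermediate) CA, and the identity
# certificate for our 2048-bit CSR, signed by the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
printf 'subjectAltName=DNS:vpn.example.test\n' > leaf.ext
openssl x509 -req -in asa.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out vpn.crt 2>/dev/null
openssl x509 -in vpn.crt -outform DER -out vpn.der   # a vendor that ships binary DER, not text

# csr_key_bits CSR: RSA key size in the request (the "at least 2048 bits" rule from step 2)
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_cn CSR: the Common Name, which must be the name clients resolve and connect to (step 17)
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# to_pem IN OUT: accept either base-64 text ("rename .txt to .cer") or binary DER from the vendor
to_pem() {
  openssl x509 -in "$1" -out "$2" 2>/dev/null || openssl x509 -inform DER -in "$1" -out "$2"
}

# cert_matches_key CERT KEY: the certificate must carry the public key from OUR request,
# otherwise it will not pair with the pending request in step 14.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl md5)" = \
    "$(openssl pkey -in "$2" -pubout | openssl md5)" ]
}

# chain_ok LEAF ROOT [INTERMEDIATE]: does the identity certificate chain up to the root?
# Without the intermediate (what you paste in as a CA certificate in steps 12-13) it cannot.
chain_ok() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

to_pem vpn.der vendor.cer
echo "weak CSR key size : $(csr_key_bits weak.csr) bits"
echo "ASA CSR key size  : $(csr_key_bits asa.csr) bits"
echo "ASA CSR CN        : $(csr_cn asa.csr)"
cert_matches_key vendor.cer asa.key    && echo "vendor cert matches the ASA's key pair"
chain_ok vendor.cer root.crt           || echo "root only: chain incomplete, import the intermediate too"
chain_ok vendor.cer root.crt inter.crt && echo "root + intermediate: chain OK, safe to install"
```

On the real files, run csr_key_bits and csr_cn against the request you saved in step 5, and cert_matches_key and chain_ok against the certificate and chain the vendor returned. On the ASA itself, `show crypto ca certificates` after step 14 lists the CA and identity certificates that were actually installed, which is the quickest way to confirm the intermediate went in.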

Related Articles, References, Credits, or External Links

Securing Cisco SSL VPN’s with Certificates

Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)