I'm working in a lab environment. I have a Windows-based CA and an SSL-secured website on IIS (on the same machine) with a cert issued from that CA.
When I browse to this site in Firefox using SSL, I get an error "The certificate is not trusted because the issuer certificate is unknown."
If I go to Tools -> Options -> Advanced -> Certificates -> View Certificates -> Authorities, my CA's cert is in the list. If I double-click that certificate, I get "Could not verify this certificate because the issuer is unknown."
Isn't the whole point of adding a CA's cert into the Authorities list to tell Firefox, "Hey... you know this CA, go ahead and trust the certs that it issues?"
How do I fix this problem?
Firefox is (mostly in its desktop versions) very special in checking certificates. Where Google Chrome meets the root certificate, Firefox needs the FULL chain up to the root certificate in your crt file. And don't forget to prefix https:// to the request!
I'm trying to record a test, but when I install the certificate from JMeter in Chrome and access the site that I want to record, Chrome returns this:
But the certificate that I installed before accessing the site is 100% valid:
Other points:
I already made the Jmeter HTTPS proxy route configuration;
I already made the Windows/Browser proxy route configuration;
I installed the certificate correctly.
I don't know why my browser is not looking for the valid certificate and, even without any certificate installed, still looks at this invalid certificate.
If this is blocking you please install the certificate on Firefox and proceed with recording after setting the proxy.
Open Firefox
Type about:preferences in the address bar
Search for certificates in search box
Click on View Certificate button
Select Authorities tab
Click on Import button
Select the certificate from your JMeter/bin folder
Check the first option in the popup (Trust CA to identify the websites)
Click OK
Chrome warns you because JMeter's certificate is self-signed and it cannot be validated against a trusted CA.
The options are in:
Ignore this error, the options are in:
Click "Proceed to unsafe" (if it's available)
Launch Chrome with --ignore-certificate-errors command-line argument:
type badidea anywhere at the page
Add JMeter's self-signed certificate to Windows Trusted Root Certification Authorities:
Mac OSX instructions for this were nowhere to be found.
On a Mac, just import "the root cert" from the JMeter bin directory into your "Keychain Access" tool. If you have to, you can use a tool called "Keystore Explorer" to convert the .crt file to a .cer before you do that import.
Then, you have to mark the cert trusted like this:
Hi, I have recently activated SSL on my domain; however, Safari, Edge and Firefox are saying my site is insecure. Edge is showing this message:
The hostname in the website’s security certificate differs from the website you are trying to visit.
Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID
However, Chrome seems to have no issues displaying the site.
I have looked up my SSL certificate and it says this (MyDomain.co.uk I have changed from my real domain):
Certificate does not match name MyDomain.co.uk
Subject hostinger.com Valid from 20/Jun/2017 to 13/Mar/2018 Issuer COMODO RSA Domain Validation Secure Server CA
Subject COMODO RSA Domain Validation Secure Server CA Valid from 12/Feb/2014 to 11/Feb/2029 Issuer COMODO RSA Certification Authority
Subject COMODO RSA Certification Authority Valid from 30/May/2000 to 30/May/2020 Issuer AddTrust External CA Root
Could this be the problem?
And how do I resolve this issue?
Thanks in advance
I added a self-signed certificate in .pem format in Firefox under the Authorities tab. When I access the site, Firefox throws the error
mozilla_pkix_error_ca_cert_used_as_end_entity
It says that the certificate is not trusted because it is self-signed. What can be the issue?
If you add the certificate as an authority then it should be used as an authority, i.e. for signing other certificates. If you instead use it as a server certificate (i.e. as end entity and not authority) then it should not be added as an authority to Firefox but instead as a server certificate. This will be automatically done if the certificate is not known and you click through the certificate error messages when connecting to your site and accept the site's certificate permanently.
You should also make sure that your certificate contains the necessary key purpose to be used as a server certificate.
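The authority versus end-entity split described in the answer above, reproduced with OpenSSL as an added example that is not part of the original posts: a root CA (the certificate that belongs in Authorities / Trusted Root) and a server certificate it signs carrying the serverAuth key purpose. All names, subjects and file paths are constructed, and `openssl verify` stands in for the browser's own checks, which it does not reproduce exactly.

```shell
#!/bin/sh
# Constructed lab PKI: every name, subject and path here is a placeholder.

# Build a root CA and a server (end-entity) certificate it signs, in directory $1.
make_lab_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Root: self-signed, CA:TRUE, may only sign certificates and CRLs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    # Leaf: CA:FALSE, serverAuth key purpose, host name in subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -days 30 -extfile "$dir/leaf.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Succeeds only if cert $2 chains to root $1, is usable as a TLS server
# certificate, and is valid for host name $3.
check_server_cert() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

lab=$(mktemp -d)
make_lab_pki "$lab"
check_server_cert "$lab/ca.crt" "$lab/leaf.crt" www.example.test && echo "leaf, right name: trusted"
check_server_cert "$lab/ca.crt" "$lab/leaf.crt" other.example.test || echo "leaf, wrong name: rejected"
check_server_cert "$lab/ca.crt" "$lab/ca.crt" www.example.test || echo "CA cert served as site cert: rejected"
```

Import only `ca.crt` into the trust store; the web server presents `leaf.crt` with `leaf.key`.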
Is there a way to change Fiddler's root certificate? I want it for a scenario when the client app uses certificate pinning and I have access to the keystore, whose certificate is being trusted by the client app.
I think you're asking "Can I change the certificate Fiddler uses for a particular site" rather than the root certificate, which is used for all sites.
Yes, if you really do have the private key for the certificate, you can configure Fiddler to use it. Inside Fiddler's Rules > Customize Rules > OnBoot function, you can call either:
CertMaker.StoreCert("example.com", certMyCert);
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
The first call requires that your X509Certificate2 variable (certMyCert in this case) refer to a certificate that is already installed in your computer's Certificate Manager (certmgr.msc), so its private key can be found, while the second allows you to specify a PFX file from disk.
I have my own SSL for development purposes. Normally when IE would give you the WARNING you could simply install the certificate, restart IE and go back to the server without warning. In IE8 I cannot avoid the warning. I have installed the certificate into every single store without success using both the MMC and cert manager in IE8. WHAT AM I MISSING?!
Add the site to trusted sites. Then you will have the option to install the certificate after clicking the Certificate error box and then View Certificate.
Which certificate are you trying to install?
You must install the ROOT certificate, not the END-ENTITY certificate which is signed by that self-signed root. It should go in the Trusted Root Certification authorities store.
Make sure your cert's CommonName matches the domain name. For example, if your website will be accessed at 'https://www.example.com', CommonName should be 'www.example.com'. If this doesn't match, nothing you do in the second and third step will matter.
Run IE8 in administrator mode and navigate to your HTTPS URL. Continue beyond warning, then view the site's cert to access the 'Install Certificate' button.
Add the cert to Trusted Root CA Certificates.
Restart IE8 in protected mode then navigate to your HTTPS URL again. All warnings should be gone.
I could not install the certificate from IE. I had to finally use MMC (Management Console). Instructions here: http://technet.microsoft.com/en-us/library/cc757688(v=ws.10).aspx