Error in Security Certificate warning messages (also known as SSL Certificate warnings)

We have gotten a number of questions from customers asking why they are getting certificate warning messages. This page is an attempt to explain what they are, why you are seeing them, and what to do about it if you want to try fixing them yourself. Otherwise, please feel free to call us and we will walk you through the fix - it's very easy to do.

To begin with, you will only get these errors on SSL-enabled pages. SSL pages always begin with "https" instead of "http". Furthermore, you will not see this error on ALL of the SSL https pages that you visit. You will only see it on pages that use "self-signed certificates".

SSL is used for encryption. The most common use is for websites that take credit card numbers, such as online shopping or auction sites. We use it for any pages that take passwords. All that SSL does is encrypt the data transmission between the server and the web browser. It does not mean that someone looking over your shoulder cannot read your password while you type. Nor does it prevent someone from stealing your mail if they get your password, or from spamming you.

SSL works by the web browser using a browser certificate and a browser certificate store, and the web server using a server certificate. During the initial page load of an https page by a browser from the server, the browser checks the server certificate the server hands it against its preprogrammed browser certificate store. If it matches a server certificate in the browser store, the browser hands its own browser certificate back to the server, and encryption can then take place.

Microsoft Internet Explorer's browser certificate store is actually the Windows operating system certificate store. You can see the certificates that come with Windows by running certmgr.msc at the command line of Windows.
The certificates that are already known by the operating system are ones that companies have submitted to Microsoft for inclusion in the store, and Microsoft distributes new ones via Windows Updates. Microsoft only accepts certificates that have "broad value" to be included in their updates, which basically means the company submitting the root certificate needs to be selling certificates to the general public. However, anyone can add a certificate to their own computer, and anyone can create their own certificate and sign it.

A self-signed SSL certificate is no different than a commercial certificate except that it costs nothing because, instead of paying a certificate authority to sign it, it's signed by the organization that creates it. It still provides just as much encryption ability as a commercial certificate. However, because it's self-signed, it isn't in the browser's preprogrammed server certificate store. Since it's not in the store, the browser generates an error.

All web browser manufacturers provide a mechanism to add self-signed certificates into the browser certificate store, and once this is done, the error messages will not occur.

WHAT TO DO ABOUT IT

This depends on the web browser, as each browser has a different procedure to add in self-signed certificates. Here are some well-known browsers and how to do it:

MacOS X Safari:

1. Navigate to the website you wish to get the certificate from.
2. When the 'Root certificate is not valid' sheet appears, click on the "Show Certificate" button.
3. Press and hold the OPTION key. While holding down the option key, click and drag the certificate icon to your desktop.

You now have your self-signed, non-verified remote host certificate in .pem format.

If this does not work, then you can do the following on a PC with Internet Explorer:

1. Install the certificate to your Internet Explorer per the below instructions
2. Select Internet Options from the Tools menu in IE
3. Select the Content tab
4. Click the Certificates button
5. Click the Advanced... button and verify that the Export format is defined as "DER encoded binary...". Click OK.
6. Find the certificate you want to export in the window
7. Drag the certificate you want to export to your desktop. This creates a DER-encoded .cer file on your desktop that you will import from.
8. Assuming the file is named "MyCert.cer", copy this file to your home directory on your Mac (burn it to a CDROM or some such)

Once you have the .pem or .cer file (let's assume it's named MyCert.cer or MyCert.pem), copy the file /System -> Library -> Keychains -> X509Anchors to your own Library -> Keychains. In the Terminal under the utilities menu, run the command:

(for MyCert.pem)
    % certtool i MyCert.pem k=X509Anchors

(or for MyCert.cer)
    % certtool i MyCert.cer k=X509Anchors d

Now copy your Library -> Keychains -> X509Anchors back to /System -> Library -> Keychains. You will need to use sudo to make this work. Restart Safari and all is well.

Microsoft Internet Explorer 7 and 8 (except Vista and Windows 7):

1. Navigate to the website you wish to get the certificate from.
2. When the "Error in Certificate" message appears, click Continue
3. At the top of the screen a button titled "Certificate Error" appears in the address bar; click this.
4. Click View Certificate
5. Click Install Certificate
6. Click Next
7. Click the "Place all certificates in the following store" radio button, and choose the "Trusted Root Certification Authorities" store. (If you don't do this, the certificate goes in your personal store, and it isn't trusted by IE.)
8. Click Next and Finish.
9. Go back to the homepage and try accessing the SSL page again

Microsoft Internet Explorer on Vista or Windows 7:

1. Run IE as Administrator before following the steps above:
   a) Close Internet Explorer.
   b) Click the "Start" button, and choose "All Programs."
   c) Scroll the list of programs and search for Internet Explorer.
   d) Right click the Internet Explorer icon and choose "Run As Administrator."
   e) Click "Continue" in the User Account Control window to grant administrator access to Internet Explorer.
   f) Follow the above instructions for IE 7 & 8

Microsoft Internet Explorer 5/6:

1. Navigate to the website you wish to get the certificate from.
2. When the "Security Alert" message appears, click "View Certificate"
3. Click Install Certificate
4. Click Next, click Next, click Finish
5. Go back to the homepage and try accessing the SSL page again

NOTE: Firefox does not use the Windows certificate store; it has its own store that self-signed certificates must be installed into. You can enter an Exception for the self-signed website but you cannot import the certificate into Firefox.
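
The procedures above place an exported file such as MyCert.pem or MyCert.cer into a trusted store, so the file's fingerprint can be compared first with one obtained from the site operator by another channel (for example, over the phone). The following is an added example, not part of the original page: it computes the SHA-256 fingerprint of either export format and checks it against an expected value. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

def load_cert_der(data: bytes) -> bytes:
    """Return DER bytes from a .pem (base64 text) or .cer (binary DER) export."""
    start = data.find(PEM_HEADER)
    if start != -1:
        end = data.find(PEM_FOOTER, start)
        if end == -1:
            raise ValueError("PEM header without matching footer")
        body = data[start + len(PEM_HEADER):end]
        data = base64.b64decode(b"".join(body.split()))
    if not data.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("not a DER-encoded certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(load_cert_der(data)).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex, as read out over the phone."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")

def matches_expected(data: bytes, expected_fp: str) -> bool:
    """True only if the exported file hashes to the fingerprint the operator gave."""
    want = normalize(expected_fp)
    if len(want) != 64:  # truncated or mistyped SHA-256 value: refuse
        return False
    return hmac.compare_digest(fingerprint(data), want)

# Constructed stand-in for a DER export (not a real certificate): the fingerprint
# is a hash of the file's DER bytes, so any DER-looking byte string shows the mechanics.
SAMPLE_DER = bytes([0x30, 0x10]) + bytes(range(16))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py MyCert.cer <expected fingerprint>
        with open(sys.argv[1], "rb") as f:
            ok = matches_expected(f.read(), sys.argv[2])
        print("fingerprint matches" if ok else "MISMATCH: do not install")
        sys.exit(0 if ok else 1)
    print(fingerprint(SAMPLE_DER) == fingerprint(SAMPLE_PEM))
```

The .pem and .cer exports of the same certificate produce the same fingerprint, because the PEM file is only a base64 wrapping of the DER bytes.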