topic Certificate error on GP access in General Topics

Certificate error on GP access

Jafar_Hussain — Mon, 05 Oct 2020 10:42:20 GMT

Dear Team,

I am facing the issue certificate error while accessing the GP portal. below is the screenshot.

Below is the troubleshooting steps:-

Generated a new self-signed certificate and apply in SSL/TLS.

Same certificate export and configure in the machine as well as browser.

Can anyone help me on this?

Clear the

Re: Certificate error on GP access

reaper — Mon, 05 Oct 2020 11:27:03 GMT

You should generate a CA certificate and then create a new (second) certitfate signed by this CA that you can use for the portal/gateway.

Then export the CA certificate and import it into the trusted sroot signing certificates store of the user

Re: Certificate error on GP access

Jafar_Hussain — Mon, 05 Oct 2020 11:29:44 GMT

@reaper

The same i have tried but still the issue is the same.

Re: Certificate error on GP access

SutareMayur — Mon, 05 Oct 2020 12:11:25 GMT

@Jafar_Hussain ,

Please check if your SSL Certificate CN and portal URL/IP are matching? It should match.

Re: Certificate error on GP access

MP18 — Mon, 05 Oct 2020 12:12:38 GMT

@Jafar_Hussain

You need to make sure that when you create certificate then certificate attributes has hostname field filled with FQDN.

As Chrome browser gives untrusted warning if hostname is not their in Certificates attribute.

Regards

Re: Certificate error on GP access

Jafar_Hussain — Mon, 05 Oct 2020 12:50:49 GMT

@SutareMayur

I have configured the URL for portal access it is matched.

Re: Certificate error on GP access

Jafar_Hussain — Mon, 05 Oct 2020 12:56:04 GMT

@MP18

I want to highlight some points here.

I have observed once i open the portal in edge and internet explorer it is working fine only for some machine.

When i open portal in chrome and firefox then i am getting error.

When i checked the certificate some time is showing certificate is OK.

When i click on root CA it is shwoing below error:-

Re: Certificate error on GP access

BPry — Mon, 05 Oct 2020 15:18:24 GMT

@Jafar_Hussain,

So it would appear that you have some clients that are successfully getting the root CA installed via whatever method you've chosen, but then other machines aren't. You need to look into why some of the machines don't trust the root CA certificate you are using and address that issue.

Re: Certificate error on GP access

aleksandar.astardzhiev — Tue, 06 Oct 2020 07:18:54 GMT

Hi @Jafar_Hussain ,

As @BPry correctly pointed out it seems that the problematic machines doesn't have the root CA properly installed. Either it was not installed at all, or it was not installed under "Trusted Root Certificates". It is common mistake when the root CA was manually installed. During the cert installation wizard you can manually select under which section to install the certificate or let the wizard choose automatically for you. However for security reasons windows will never automatically put cert into trusted root certs.

Also have in mind that Chrome, Edge and IE are using Windows certificate store, but Firefox is using separate certificate store. So it is possible that all other browsers to work properly, but to receive cert warning from Firefox. In that case you need to install the root CA in Firefox cert store as well.

Re: Certificate error on GP access

Jafar_Hussain — Sun, 18 Oct 2020 09:31:25 GMT

@aleksandar.astardzhiev

@BPry

Thanks for your email. As i explain i have configure only root CA with common name IP address and the same certificate installed in client machine trusted root certificate store.

However again i am getting the warning. the same i have checked with child certificate but not able to resolve my issue.

As per my understanding, this is a self-sign certificate from the firewall that is sometimes not trusted by the client machine so i think i need to generate CSR and sign by 3rd party which is already trusted by the client machine. i will import this certificate in firewall. might be it will fix the issue.

Share your openion.

Re: Certificate error on GP access

aleksandar.astardzhiev — Mon, 19 Oct 2020 21:10:44 GMT

Hi @Jafar_Hussain ,

Using certificated signed by public CA is probably the way to go (if you don't have internal PKI in your environment). So CSR signed by public CA will definitely solve your certificate warnings.

However the self-signed certificate should work, but the devil is in the details. I just noticed that the warning message from your original post is that the certificate common name is invalid, while you were looking at the CA (if the problem was with browser not trusting the self-signed CA, the warning would be "UNKNOWN_ISSUER". So it seem you probably have not one, but multiple issues.

There is no such think as "self-sign certificate from the firewall that is sometimes not trusted by the client machine" - it is either you have done something wrong, or you don't do something. If you still keen on understanding what is actually the problem:

1. Confirm your self-signed CA is installed in the trusted rot certificate authorities and certificate is listed as trusted when you view cert details

2. Confirm your both certs (GP and CA) are both with valid dates (start date is in the past and end date is in the future)

3. When opening the GP portal for address use what you have put in the certificate Common Name (CN). (common name invalid error could be caused by the fact that you are opening the page using the ip address in the browser, but the certificate to be configured with FQDN)