Putting PA SSL decrypt certificate in other people in chrome

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Putting PA SSL decrypt certificate in other people in chrome

Cyber Elite
Cyber Elite

 

i found that my PA cert for ssl decryption is  under other people in chrome not in trusted root on one of computers.

still i am able to access websites where ssl  decryption is enabled 

 

any thoughts?

MP

Help the community: Like helpful comments and mark solutions.
2 accepted solutions

Accepted Solutions

L7 Applicator

There are now more than one problems that lead to your situation:

  1. If the root CA cert is not in the trusted root store, then it is normal, that you are able to connect to some websites when you ignore the cert warning
  2. Websites that partly work is probably because you ignore the cert warning for the main page, but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails
  3. If you were connected once successfully (without decryption) to websites that have HSTS (https strict transport security) configured, then your browser will store this header locally. When you connect again to such a website and the HSTS entry did not time out, then as described in HSTS RFC the browser is not allowed to give you a possibility to ignore the warning --> rhe connection fails completely

View solution in original post

L7 Applicator

@MP18 wrote:

does this refer to websites where i do not get cert warning and there is no option for me to click on proceed ??


This one applies to website that show everything a little scrambled which is because the main page can load but css and javascripts, that are required for the website to show properly, cannot load as you don't see a cert warning for these other domains.

 


@MP18 wrote:

Do you refer here connecting again when ssl decryption is enabled?


Exactly

 

 

View solution in original post

5 REPLIES 5

L7 Applicator

Are you able to access any website? Does a cert warning show up or does it work as expected? Or are just the websites working where you already ignored the cert warning?

i tested some websites i can not access at all  tried few times they all have below message

i get error message 

 

privacy error

 

your connection is not private

 

cert had warning it shows for example 

 

issue to linkedin.com

 

issued by 10.1.20.1 -----------PA  cert

Your connection is not private

Attackers might be trying to steal your information from www.linkedin.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID
 
Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy
 
 
***********************************

 

then website which opens up it also has cert warning not secure 

 

issued to bmo,com

issued by 10.1.20.1

 

but webpage opens up with scrambled characters.

 

why some web sites does not open at all and some open up with not proper displays?

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

There are now more than one problems that lead to your situation:

  1. If the root CA cert is not in the trusted root store, then it is normal, that you are able to connect to some websites when you ignore the cert warning
  2. Websites that partly work is probably because you ignore the cert warning for the main page, but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails
  3. If you were connected once successfully (without decryption) to websites that have HSTS (https strict transport security) configured, then your browser will store this header locally. When you connect again to such a website and the HSTS entry did not time out, then as described in HSTS RFC the browser is not allowed to give you a possibility to ignore the warning --> rhe connection fails completely

Thanks for reply back

 

For 

 

2>Websites that partly work is probably because you ignore the cert warning for the main page, but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails.

 

For above I tested for e.g website bmo.ca i get warning 

 

This server could not prove that it is www1.bmo.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to ww  w1.bmo.com (unsafe)

for this website i ignore the warning for main page and proceed so this works fine.

This part i got it.

 

When you say but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails

 

does this refer to websites where i do not get cert warning and there is no option for me to click on proceed ??

 

3>for

 

when you connect again to such a website and the HSTS entry did not time out, then as described in HSTS RFC the browser is not allowed to give you a possibility to ignore the warning --> rhe connection fails completely

 

Do you refer here connecting again when ssl decryption is enabled?

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

@MP18 wrote:

does this refer to websites where i do not get cert warning and there is no option for me to click on proceed ??


This one applies to website that show everything a little scrambled which is because the main page can load but css and javascripts, that are required for the website to show properly, cannot load as you don't see a cert warning for these other domains.

 


@MP18 wrote:

Do you refer here connecting again when ssl decryption is enabled?


Exactly

 

 

  • 2 accepted solutions
  • 5030 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!