Error in Security Certificate warning messages (also known as SSL Certificate warnings)

We have gotten a number of questions from customers asking why they are getting certificate warning messages. This page is an attempt to explain what they are, why you are seeing them, and what to do about it if you want to try fixing them yourself. Otherwise, please feel free to call us at 503-738-3844 and we will walk you through the fix; it's very easy to do.

To begin with, you will only get these errors on SSL-enabled pages. SSL pages always begin with "https" instead of "http". Furthermore, you will not see this error on ALL of the SSL https pages that you visit. You will only see them on pages that use "self-signed certificates".

SSL is used for encryption. The most common use is for websites that take credit card numbers, such as online shopping or auction sites. We use it for any pages that take passwords. All that SSL does is encrypt the data transmission between the server and the web browser. It does not mean that someone looking over your shoulder cannot read your password while you type it. Nor does it prevent someone from stealing your mail if they get your password, or from spamming you.

SSL works by the web browser using a browser certificate and a browser certificate store, and the web server using a server certificate. During the initial load of an https page by a browser from the server, the browser checks the server certificate the server hands it against its preprogrammed browser certificate store. If it matches a server certificate in the browser store, the browser hands its own browser certificate back to the server, and encryption can then take place.

Getting a certificate into the preprogrammed browser store is simple: you pay money to the makers of the web browser (i.e. Microsoft), and the cost is staggering.
In fact this is one of the principal ways that Microsoft pays for web browser development, and is why the Microsoft web browser is a free download. There are only a handful of companies that pay these fees to Microsoft. These companies (like Verisign) then recoup these fees by selling child certificates to commercial websites, which use them for taking credit card numbers. These commercial sites must pay renewal fees yearly, and for large sites they are quite steep.

While it may seem like a bit of a scam in that the entire SSL industry is locked into paying fees to the web browser manufacturers, the system is actually not a bad one for e-commerce websites. Where it falls down is when a site just wants to use SSL for something minor, like protecting e-mail, where it isn't cost-effective to pay the fees for a commercial certificate. That is where self-signed certificates come in.

A self-signed SSL certificate is no different from a commercial certificate except that it costs nothing: instead of paying a certificate authority to sign it, it is signed by the organization that creates it. It still provides just as much encryption ability as a commercial certificate. However, because it is self-signed, it isn't in the browser's preprogrammed server certificate store, and that is why the browser generates an error. All web browser manufacturers provide a mechanism to add self-signed certificates into the browser certificate store, and once this is done the error messages will not occur.

WHAT TO DO ABOUT IT

This depends on the web browser, as each browser has a different procedure to add in self-signed certificates. Here are some well-known browsers and how to do it:

MacOS X Safari

1. Navigate to the website you wish to get the certificate from.
2. When the 'Root certificate is not valid' sheet appears, click on the "Show Certificate" button.
3. Press and hold the OPTION key.
   While holding down the Option key, click and drag the certificate icon to your desktop. You now have your self-signed, non-verified remote host certificate in .pem format.

If this does not work, you can do the following on a PC with Internet Explorer:

1. Install the certificate in your Internet Explorer per the instructions below.
2. Select Internet Options from the Tools menu in IE.
3. Select the Content tab.
4. Click the Certificates button.
5. Click the Advanced... button and verify that the Export format is defined as "DER encoded binary...". Click OK.
6. Find the certificate you want to export in the window.
7. Drag the certificate you want to export to your desktop. This creates a DER-encoded .cer file on your desktop that you will import from.
8. Assuming the file is named "MyCert.cer", copy this file to your home directory on your Mac (burn it to a CD-ROM or some such).

Once you have the .pem or .cer file (let's assume it's named MyCert.cer or MyCert.pem), copy the file /System -> Library -> Keychains -> X509Anchors to your own Library -> Keychains. In the Terminal (found in the Utilities folder), run the command:

   (for MyCert.pem)
   % certtool i MyCert.pem k=X509Anchors

   (or for MyCert.cer)
   % certtool i MyCert.cer k=X509Anchors d

Now copy your Library -> Keychains -> X509Anchors back to /System -> Library -> Keychains. You will need to use sudo to make this work. Restart Safari and all is well.

Microsoft Internet Explorer 7

1. Navigate to the website you wish to get the certificate from.
2. When the "Error in Certificate" message appears, click Continue.
3. At the top of the screen a button titled "Certificate Error" appears in the address bar; click this.
4. Click View Certificate.
5. Click Install Certificate.
6. Click Next.
7. Click the "Place all certificates in the following store" radio button, and choose the "Trusted Root Certification Authorities" store. (If you don't do this, the certificate goes in your personal store, and it isn't trusted by IE.)
8. Click Next and Finish.
9. Go back to the homepage and try accessing the SSL page again.

Microsoft Internet Explorer 5/6

1. Navigate to the website you wish to get the certificate from.
2. When the "Security Alert" message appears, click "View Certificate".
3. Click Install Certificate.
4. Click Next, click Next, click Finish.
5. Go back to the homepage and try accessing the SSL page again.
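Whichever browser you use, the file you drag to the desktop ends up in one of two forms the procedures above mention, a .pem or a DER-encoded .cer, and you are about to make it a trusted root. Before importing it, it is worth checking that the file really is a certificate and that its fingerprint matches the one shown in the browser's certificate dialog for the server. The Python below is an added example, not part of the original page; it uses only the standard library, and the short DER blob it checks is a constructed placeholder rather than a real certificate.

```python
"""Sanity-check an exported certificate file before trusting it.

Added example, not from the original page. Handles both the .pem form and
the DER-encoded .cer form (the one certtool imports with the 'd' flag).
"""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes whether `data` is a PEM or a DER file body."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data

def to_pem(der: bytes) -> str:
    """Re-encode DER as PEM, so the certtool command without 'd' applies."""
    return ssl.DER_cert_to_PEM_cert(der)

def is_der_sequence(der: bytes) -> bool:
    """Check the outer ASN.1 SEQUENCE header and that its length spans the
    whole file; catches an HTML error page or truncated download saved as .cer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: low 7 bits = byte count
        count = first & 0x7F
        if count == 0 or count > 4 or len(der) < 2 + count:
            return False
        length, header = int.from_bytes(der[2:2 + count], "big"), 2 + count
    return header + length == len(der)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form certificate dialogs show."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

# Constructed placeholder: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    der = to_der(to_pem(SAMPLE_DER).encode())      # PEM -> DER round trip
    print("DER structure ok:", is_der_sequence(der), fingerprint(der))
```

Replace SAMPLE_DER with the bytes read from MyCert.cer or MyCert.pem; the fingerprint is computed over the DER bytes, which is what browser certificate dialogs display.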