Trusting a self-signed certificate in Windows

All good SSL certificates should come from a well-known certification authority – right? Not necessarily (as Alun Jones explains in defence of the self-signed certificate).

I have a number of devices at home that I access over HTTPS and for which the certificates are not signed by Verisign, Thawte, or any of the other common providers. And, whilst I could get a free or inexpensive certificate for these devices, why bother when only I need to access them – and I do trust the self-signed cert!

A case in point is the administration page for my Netgear ReadyNAS – this post describes how I got around the warnings in Internet Explorer (IE) but the principle is the same for any self-signed certificate.

First of all, I added the address to my trusted sites list. As the ReadyNAS FAQ describes, this is necessary on Windows Vista in order to present the option to install the certificate and the same applies on my Windows Server 2008 system. Adding the site to the trusted sites list won’t stop IE from blocking navigation though, telling me that:

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Fair enough – but I do trust this site, so I clicked the link to continue to the website regardless of Microsoft’s warning. So, IE gave me another security warning:

Security Warning

The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?

Current site: res://ieframe.dll
Trusted site: https://mydeviceurl

Thank you IE… but yes, that’s why I clicked the link (I know, we have to protect users from themselves sometimes… but the chances are that they won’t understand this second warning and will just click the yes button anyway). After clicking yes to acknowledge the warning (which was a conscious choice!) I could authenticate and access the website.

Two warnings every time I access a site is an inconvenience, so I viewed the certificate details and clicked the button to install the certificate (if the button is not visible, check the status bar to see that IE has recognised the site as from the Trusted Sites security zone). This launches the Certificate Import Wizard but it’s not sufficient to accept the defaults – the certificate must be placed in the Trusted Root Certification Authorities store, which presents another warning (the thumbprint it shows is the one detail worth checking: it should match the thumbprint the device itself reports, otherwise what you are about to trust is whatever is sitting between you and the device):

Security Warning

You are about to install a certificate from a certification authority (CA) claiming to represent:

mydeviceurl

Windows cannot validate that the certificate is actually from “certificateissuer“. You should confirm its origin by contacting “certificateissuer“. The following number will assist you in this process:

Thumbprint (sha1): thumbprint

Warning:

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click “Yes” you acknowledge this risk.

Do you want to install this certificate?

Yes please! After successfully importing the certificate and restarting my browser, I could go straight to the page I wanted with no warnings – just the expected authentication prompt.

Incidentally, although I used Internet Explorer (version 8 beta) to work through this, once the certificate is in the store, any browser that uses the Windows certificate store should act in the same manner (some browsers, e.g. Firefox, implement their own certificate store and will still need the certificate adding separately). To test this, I fired up Google Chrome and it was able to access the site I had just trusted with no issue but if I went to another, untrusted, address with a self-signed certificate (e.g. my wireless access point), Chrome told me that:

The site’s security certificate is not trusted!

You attempted to reach mydeviceurl but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

Chrome also has some excellent text at a link labelled “help me understand” which clearly explains the problem. Unfortunately, although Chrome exposes Windows certificate management (in the options, on the under the hood page, under security), it doesn’t allow adding a site to the trusted sites zone (which is an IE concept) – and that means the option to install the certificate is not available in Chrome. I imagine it’s similar in Firefox or Opera (or Safari – although I’m not sure who would actually want to run Safari on Windows).

Before signing off, I’ll mention that problems may also occur if the certificate itself carries the wrong details – for example the certificate on my wireless access point is issued to another name (www.netgear.com) and, as that’s not the address I use to access the device, the browser will still report the certificate as invalid even once it is trusted: installing it only clears the “not issued by a trusted certificate authority” error, not a mismatch between the name in the certificate and the address in the browser. The only way around a problem like this is to install another, valid, certificate on the device (self-signed or otherwise).
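As an added example (not from the original post, and not Netgear’s or Microsoft’s code), the PowerShell script below does the same job without the IE dialogs: it fetches the certificate the device presents, prints the details the wizard shows, refuses to continue unless the SHA-1 thumbprint matches one you have read off the device itself, checks that the name in the certificate matches the address you actually use (the access point case above, where nothing in the trust store will help), and only then adds it to the current user’s Trusted Root Certification Authorities store. It assumes Windows PowerShell on the client; the host name and the thumbprint are placeholders you supply.

```powershell
# Added example, not part of the original post. Inspect a device's HTTPS
# certificate, confirm it out of band, and only then trust it in Windows.
# Assumed placeholders: $DeviceHost (as in the post) and $ExpectedThumbprint,
# which you read from the device's own console or configuration page, NOT from
# the browser warning (an interceptor's certificate would show its own thumbprint).
param(
    [string]$DeviceHost = 'mydeviceurl',
    [int]$Port = 443,
    [Parameter(Mandatory = $true)]
    [string]$ExpectedThumbprint
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: we are inspecting it, not trusting it yet.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

function Get-CertificateHostNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common name (or first DNS SAN) from the subject
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name entries (OID 2.5.29.17), formatted by Windows as
    # "DNS Name=nas.home, IP Address=192.168.1.10" on an English system
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            foreach ($m in [regex]::Matches($ext.Format($false), '(?:DNS Name|IP Address)=([^,\s]+)')) {
                $names += $m.Groups[1].Value
            }
        }
    }
    return $names | Select-Object -Unique
}

function Test-HostNameMatch {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        # Single-label wildcard, e.g. *.home matches nas.home
        if ($n.StartsWith('*.') -and $HostName -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

$cert = Get-RemoteCertificate -HostName $DeviceHost -Port $Port
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

"Subject:     $($cert.Subject)"
"Issuer:      $($cert.Issuer)"
"Self-signed: $($cert.Subject -eq $cert.Issuer)"
"Valid:       $($cert.NotBefore) to $($cert.NotAfter)"
"Thumbprint:  $($cert.Thumbprint)"

if ($cert.Thumbprint -ne $expected) {
    Write-Error "Thumbprint does not match the value recorded from the device; not installing."
    exit 1
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate has expired; the browser will keep warning even once it is trusted."
}

$names = Get-CertificateHostNames -Cert $cert
if (-not (Test-HostNameMatch -HostName $DeviceHost -Names $names)) {
    # The access point case from the post: trusting the issuer does not fix a name mismatch.
    Write-Error "Certificate is issued for [$($names -join ', ')], not for $DeviceHost; installing it will not clear the warning."
    exit 1
}

# Install into the current user's Trusted Root Certification Authorities store.
# From now on anything signed by this key is trusted for this user, which is
# why the thumbprint check above matters.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }

# Confirm it landed.
Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```

Run it as `.\Trust-DeviceCert.ps1 -DeviceHost mydeviceurl -ExpectedThumbprint '<sha1 from the device>'`. Adding to CurrentUser\Root still raises the thumbprint dialog quoted above, because Windows prompts for any root added to a user’s store; putting it in LocalMachine\Root instead needs an elevated prompt and does not ask. Firefox keeps its own store and is unaffected either way.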

8 Comments

  • Tuesday 11 November 2008 - 14:50 | Permalink

    …once the certificate is in the store, then all browsers should act in the same manner (the certificate store is not browser-specific)

    Actually, Firefox has its own certificate store implementation.

  • Tuesday 11 November 2008 - 16:21 | Permalink


    Duncan is absolutely correct – I should have said that any browsers using Windows’ certificate store will act in the same manner – obviously that does not include Firefox or any other browser that implements this functionality internally.

    I’ve updated the original post.

  • Sancho
    Sunday 7 December 2008 - 23:19 | Permalink


    Thanks for the explanation. This has been driving me nuts with my ReadyNAS. Trusted Root Certification Authorities store was what I was missing (even though it was printed there in plain English! [blush]).

  • Pingback: Backup your Subversion repository offsite (Windows Guide) « Rohland de Charmoy

  • Martin B
    Thursday 18 March 2010 - 16:37 | Permalink


    Hi.
    Thanks for the info. The IE8 screen with “There is a problem with this site’s certificate” was driving me nuts! The Trusted root certification authorities store surely did the trick! :)
    Thanks.

    /M

  • Anthony
    Wednesday 29 June 2011 - 23:41 | Permalink


    “I’m not sure who would actually want to run Safari on Windows”

    The answer to that is pretty simple… It’s by far the simplest option for anyone developing for a cross-browser community.

    However, testing pages under SSL while using self-certification seems obscure with Safari for Windows. I have a certificate (generated with the IIS resource kit SelfSSL tool) that works perfectly with IE, Firefox, Chrome and Opera but Safari just doesn’t recognise it’s there… so maybe your comment is justified after all.

  • Wallker
    Tuesday 2 October 2012 - 18:28 | Permalink


    Hi everyone,

    I am a user of Vista & IE9. Problems around storage and Trusted Root Certificates I know…

    I have another problem. I cannot import a self-signed certificate to storage (any: register or local computer; smart-card will not be tested) and then change its trust level/status. The buttons (translated from non-English text) “Change features/purposes”, “Copy to file…” are not available. I think that some update is blocking this feature. The web path to the certificate file, for manual adding via the certificate manager (certmgr.msc), is not known.

    Thank you for your tips to correct this error (the issue you can put in the backside of Micro&Soft).

    **
    I have another trick for you. For an untrusted site you need to tell the browser that you really want to go to that site/web. Now, we speak about JavaScript actions and the resource res://ieframe.dll

    But I often want to use IE9 without JS, or SSL browsing via webs in the “Dangerous Zone/Restricted Sites”. In this case your browser stops at the local source (ieframe.dll); JS is disabled. But when you put the “about:internet” address into a zone which enables JS, for example “Trusted Sites”, then you may browse all SSL-secured webs and use security based on the “Restricted Sites Zone Rules”.

  • Wallker
    Thursday 4 October 2012 - 13:14 | Permalink


    How to bypass the error when importing an untrusted certificate, with the disabled buttons “Change features/purposes”, “Copy to file…” in the certificate preview called from IE9?

    Use some “enhanced” text editor, for example Word, OneNote,…
    Copy something (text, picture) from the untrusted web and copy it into a newly opened document.
    A security dialog appears. The dialog includes a certificate preview too. In this case you are able to copy the certificate as… (export certificate). Then you use the standard certificate manager to import the certificate as you need, sign it as trusted by yourself,…

    Whether it is an error or a newly re-featured setting or component of IE9, I am still searching. When you know about it… Thank you.
