Trusting a self-signed certificate in Windows
All good SSL certificates should come from a well-known certification authority – right? Not necessarily (as Alun Jones explains in defence of the self-signed certificate).
I have a number of devices at home that I access over HTTPS and for which the certificates are not signed by Verisign, Thawte, or any of the other common providers. And, whilst I could get a free or inexpensive certificate for these devices, why bother when only I need to access them – and I do trust the self-signed cert!
A case in point is the administration page for my NetGear ReadyNAS – this post describes how I got around it with Internet Explorer (IE) but the principle is the same for any self-signed certificate.
First of all, I added the address to my trusted sites list. As the ReadyNAS FAQ describes, this is necessary on Windows Vista in order to present the option to install the certificate and the same applies on my Windows Server 2008 system. Adding the site to the trusted sites list won’t stop IE from blocking navigation though, telling me that:
There is a problem with this website’s security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificates problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Fair enough – but I do trust this site, so I clicked the link to continue to the website regardless of Microsoft’s warning. So, IE gave me another security warning:
The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?
Current site: res://ieframe.dll
Trusted site: https://mydeviceurl
Thank you IE… but yes, that’s why I clicked the link (I know, we have to protect users from themselves sometimes… but the chances are that they won’t understand this second warning and will just click the yes button anyway). After clicking yes to acknowledge the warning (which was a conscious choice!) I could authenticate and access the website.
Two warnings every time I access a site is an inconvenience, so I viewed the certificate details and clicked the button to install the certificate (if the button is not visible, check the status bar to see that IE has recognised the site as from the Trusted Sites security zone). This will launch the Certificate Import Wizard but it’s not sufficient to select the defaults – the certificate must be placed in the Trusted Root Certification Authorities store, which will present another warning:
You are about to install a certificate from a certification authority (CA) claiming to represent:
Windows cannot validate that the certificate is actually from “certificateissuer“. You should confirm its origin by contacting “certificateissuer“. The following number will assist you in this process:
Thumbprint (sha1): thumbprint
If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click “Yes” you acknowledge this risk.
Do you want to install this certificate?
Yes please! After successfully importing the certificate and restarting my browser, I could go straight to the page I wanted with no warnings – just the expected authentication prompt.
Incidentally, although I used Internet Explorer (version 8 beta) to work through this, once the certificate is in the store, then
all browsers any browser that uses the certificate store in Windows should act in the same manner ( the certificate store is not browser-specific some browsers, e.g. Firefox, implement their own certificate store). To test this, I fired up Google Chrome and it was able to access the site I had just trusted with no issue but if I went to another, untrusted, address with a self-signed certfiicate (e.g. my wireless access point), Chrome told me that:
The site’s security certificate is not trusted!
You attempted to reach mydeviceurl but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.
Chrome also has some excellent text at a link labelled “help me understand” which clearly explains the problem. Unfortunately, although Chrome exposes Windows certificate management (in the options, on the under the hood page, under security), it doesn’t allow addition a site to the trusted sites zone (which is an IE concept) – and that means the option to install the cerficate is not available in Chrome. In imagine it’s similar in Firefox or Opera (or Safari – although I’m not sure who would actually want to run Safari on Windows).
Before signing off, I’ll mention that problems may also occur if the certificate is signed with invalid details – for example the certificate on my wireless access point applies to another URL (www.netgear.com) and, as that’s not the address I use to access the device, that certificate will still be invalid. The only way around a problem like this is to install another, valid, certificate (self-signed or otherwise).