What causes the security alert when using https and Internet Explorer?

  • 3028260
  • 23-Jul-2007
  • 26-Apr-2012

Environment

Novell NetWare 6.0

Situation

Error: "The security certificate was issued by a company you have chosen not to trust. View the certificate to determine whether you want to trust the certifying authority."
Error: "The name of the security certificate is invalid or does not match the name of the site."
What causes the security alert when using https and Internet Explorer?

Resolution

For purposes of explanation, this document is split into two sections: Section A and Section B.

Section A

(1) In Section A we will import the certificate into the trusted root. IE is used in this example because it is the hardest to import into. To do this, first click on VIEW CERTIFICATE.

(2) After clicking on VIEW CERTIFICATE do NOT click on INSTALL CERTIFICATE. This option will not import the certificate properly. You will first need to select the CERTIFICATE PATH tab.

(3) Once on the CERTIFICATE PATH tab, highlight the ORGANIZATIONAL CA and then click on VIEW CERTIFICATE.

(4) Now select the INSTALL CERTIFICATE button.

(5) You are now presented with Microsoft's Import Wizard. Click NEXT to continue.

(6) Choose the option to PLACE ALL CERTIFICATES IN THE FOLLOWING STORE. Then select the BROWSE button.

(7) Within the browse option, select the TRUSTED ROOT CERTIFICATION AUTHORITIES. Click OK.

(8) Your screen should be the same as the picture below. Click NEXT to continue.

(9) Click FINISH to complete the wizard.

(10) You will be prompted to add the certificate to the Root Store. Your screen may be different from the graphic shown below. In the graphic below the serial number and thumbprints have been blotted out for this public document. Click YES to continue.

(11) Last, you will get a notification that the import was successful. Click OK. Your certificate should now be trusted on that browser.

Section B

** NOTE ** Section B discusses the error you receive when the CN (common name) of the certificate does not match the DNS name being put into the URL. For example: Let's say that you put in an IP address of 192.168.0.2 and that your certificate was set up to use www.mycompany.com. You would receive an error because the two names do not match. This could also happen if you are using a shorter version of the CN. For example, if you tried going to mycompany.com instead of www.mycompany.com, you would also receive the error because the names are not equal. In the next couple of steps we will show you how to create a certificate with a CN that will match what you are putting in the URL.

(1) Launch ConsoleOne and go to the container where the server resides. Right click and go to NEW | OBJECT. Select NDSPKI: KeyMaterial from the list and then click OK.

(2) Choose the server from the drop down list under the SERVER section and put in the name you want for the certificate inside the CERTIFICATE NAME section. This is not the CN discussed above, this is just how the certificate will appear in eDirectory. Choose CUSTOM from the CREATION METHOD section. Click NEXT to continue.

(3) Leave the default of ORGANIZATIONAL CERTIFICATE AUTHORITY and click NEXT to continue.

(4) Here you can choose the KEY SIZE, TYPE, and KEY USAGE. For this example the defaults will be kept. Click NEXT to continue.

(5) Please note that the SUBJECT NAME section lists the CN as the Server Name and not the DNS name. Click on the EDIT button.

(6) Edit the CN to be the desired information. In this example it has been changed to www.mycompany.com. Click OK and then NEXT to continue.

(7) Keep the option of YOUR ORGANIZATION'S CERTIFICATE and click NEXT to continue.

(8) You are now presented with all of the parameters that will be put into the certificate. Click FINISH.

(9) You should now see your certificate in the list with the other default certificates. Now all you need to do is to configure the application or service to use that certificate and then restart that application or service.

NOTE: Many web management utilities (Portal, NetWare Remote Manager, NDS iMonitor) use HTTPSTK.NLM. You would need to edit your AUTOEXEC.NCF file, locate your HTTPSTK load line, and change the keyfile: to point to the newly created certificate. With NetWare 6 and greater, after you unload HTTPSTK, you will need to first enter HTTPSTK /RESET before reloading HTTPSTK with the new keyfile.

Additional Information

(1) The first error is caused by the certificate not being installed on the browser.
(2) The second error is caused when the information placed in the URL field of the browser does not match the CN in the certificate.
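
The name comparison behind the second error, as an added example that is not part of the original document: it compares the host typed in the URL with the certificate CN exactly, as Section B describes. The certificate dictionary is a constructed sample in the shape Python's ssl.SSLSocket.getpeercert() returns, the organization name MYTREE is made up, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# The CN is the one used in Section B; the organization name is made up.
SAMPLE_CERT = {
    "subject": ((("organizationName", "MYTREE"),),
                (("commonName", "www.mycompany.com"),)),
}


def cert_common_names(cert):
    """Return every commonName in the certificate subject, lower-cased."""
    return [value.lower()
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def url_host(url):
    """Extract the host that is compared against the certificate."""
    host = urlsplit(url).hostname  # lower-cases, drops port and userinfo
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def check_url_against_cert(url, cert):
    """Return (matches, reason) for the CN check described in Section B."""
    host = url_host(url)
    names = cert_common_names(cert)
    if not names:
        return False, "certificate subject has no CN"
    if host in names:
        return True, f"{host} equals the certificate CN"
    try:
        ipaddress.ip_address(host)
        return False, f"URL uses IP address {host}; CN is {names[0]}"
    except ValueError:
        pass  # not an IP literal, so it is a DNS name that differs
    if any(cn.endswith("." + host) for cn in names):
        return False, f"{host} is a shortened form of CN {names[0]}"
    return False, f"{host} does not equal CN {names[0]}"


if __name__ == "__main__":
    for url in ("https://192.168.0.2/", "https://mycompany.com/",
                "https://WWW.MyCompany.com:443/"):
        print(url, "->", check_url_against_cert(url, SAMPLE_CERT))
```
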

Formerly known as TID# 10081133
NOVL87806