When accessing a page using HTTPS, the browser may show this error(appearance may vary in different browsers):
If select "Continue...", the page may be eventually displayed with a red cross error:
How to resolve this error?Environment:
The client's web browser does not consider the certificate provided by the server to be trusted.
Before moving on to the Resolution, we need to define what "remotely
" and "locally
- "Locally" means the device runs browser. For example, when opening a browser to view wikipedia.org, the device is running its browser locally.
- In this article, we limit all local devices to Windows PCs.
- "Remotely" means computer runs service. For example, when opening a browser to view wikipedia.org, from browser's point of view, Wikipedia's servers are considered running their services remotely.
Let's look at a certificate without error first.
Above screenshots show 3 key preconditions. See Resolution on how to resolve them.
- The Certificate Authority(CA) is issued by must exist locally. This can be confirmed by using MMC:
- IMPORTANT: MMC must be opened locally.
- URL in browser must match the one certificate is issued to.
- In the example above, URL in browser "www.wikipedia.org" matches "Issued to" URL in certificate "*.wikipedia.org".
- This needs to be checked locally.
- Certificate status must show "The certificate is OK".
- This needs to be check both locally and remotely.
Failing to fulfill ANY of the above 3 preconditions will result in the Certificate Error.
Here are how to fix each of the preconditions mentioned under the Cause section.
- If CA certificate does not exist locally, please manually import the CA certificate (for self-signed certificates), or use a commercial certificate (needs to be purchased). When using the self-sign certificate that comes with the product installation, install the certificate and store in the Certificates (Local Computer) > Trusted Root Certification Authorities store. (see above screenshot). This can be performed by clicking within the IE browser's address bar section that says "Certificate error" > View certificate > "Install certificate", or by manually exporting the certificate from the server and installing locally on the client's PC. The same self-sign certificate can be exported from the server itself and pushed to client computers in the same domain by Group Policy. See Distribute Certificates to Client Computers by Using Group Policy
- If URL does not match certificate, change the URL in browser.
- If certificate status is not OK, contact website administrator to fix this problem before binding the certificate to website.