SSL Certificate Troubleshooting


After installing my SSL Certificate, some browsers report that my SSL Certificate was signed by an unknown or untrusted Certificate Authority.

For all of our clients running Microsoft Internet Information Services 6 or higher, you may find that after installing your new certificate via the supplied .p7b file, some browsers report that the SSL Certificate was signed by an unknown / untrusted Certificate Authority. This is due to a Self-Signed Certificate present in the Windows 2003/2008 Certificate Store, and should be removed.

This is due to a known issue with IIS 6/7. To correct this, the following procedure has been provided.

Open the Certificate Store for the Local Computer:

1. From the Desktop of your IIS Server, click "Start", then "Run", type 'mmc' (without the quotes), and then click "OK".

2. On the "File" menu, click "Add/Remove Snap-in" (See image below). A dialog box titled "Add/Remove Snap-in" will appear. Click the "Add" button. This will cause a window titled "Add Standalone Snap-in" to appear.

3. On the window titled "Add Standalone Snap-in", under "Snap-in", click "Certificates", then click the "Add" button at the bottom of the window.

4. A window titled "Certificates snap-in" will open (see image below), asking you to choose which certificates to manage. Click the radio button next to "Computer account" (the lower of the three options), and then click "Next". This will open a new window titled "Select Computer".

5. In the "Select Computer" window, click the radio button for "Local Computer" and then click "Finish". You will return to the "Add Standalone Snap-in" window.

6. Now to finish up the selections. On the "Add Standalone Snap-in" window, click the "Close" button. The "Add/Remove Snap-in" window should now have the "Certificates (Local Computer)" snap-in added to it. Click the "OK" button at the bottom of the window.

Remove the SecureTrustCA certificate:

1. In the left-hand pane, click on "Certificates (Local Computer)", then click on "Trusted Root Certification Authorities", and finally then click on "Certificates".

2. On the right-hand pane, scroll down till you see a Certificate that has been Issued To: and Issued By: "SecureTrust CA". This is the Self-Signed SSL Certificate that is susceptible to a known issue with IIS 6/7. There should be only one certificate.

3. Delete the certificate. You should receive a warning dialog box that states "This is a root certificate. Deleting this certificate will invalidate this CA. Are you certain you want to delete this certificate?".

4. Click yes.

Now restart the website via the IIS Manager.

My browser says "The security certificate was issued by a company you have not chosen to trust" or it says that it can't trust the Certificate Authority.

This means that your certificate is either expired or not yet valid when the dates on the certificate are compared to your local computer's clock. There's two main reasons this error may appear: Your certificate may actually be expired. If you log into the Trustwave® Control Center, your certificate's expiration date will appear there. If the expiration date has passed, don't worry - you can renew an SSL certificate quite easily. You can renew it via the Trustwave® Control Center, or you can call us and we can take care of it over the phone instantly.

If the expiration date hasn't passed, double check your computer's clock. The clock might be set too far into the future. Synchronize your clock with a reliable time source, close your browser, and try accessing your site securely again.

My browser says "The security certificate has expired or is not yet valid" or it displays some other type of error about validity and expiration dates.

This means that your certificate is either expired or not yet valid when the dates on the certificate are compared to your local computer's clock. There's two main reasons this error may appear: Your certificate may actually be expired. If you log into the Trustwave® Control Center, your certificate's expiration date will appear there. If the expiration date has passed, don't worry - you can renew your certificate quite easily. You can renew it via the Trustwave® Control Center, or you can call us and we can take care of it over the phone instantly.

If the expiration date hasn't passed, double check your computer's clock. The clock might be set too far into the future. Synchronize your clock with a reliable time source, close your browser, and try accessing your site securely again.

My browser says "The name on the security certificate does not match the name of the site" or it displays an error about some type of name not matching.

This error means that the web address on the certificate itself doesn't match the address in the address bar of your browser.

For example, if you install a certificate on your site for www.domain.com and you access your site as https://domain.com, your browser cannot match the names. Unfortunately, www.domain.com is not the same as domain.com. Please remember this in your check-out scripts.

This can also occur if the IP addresses on the server aren't properly configured. You could be accessing someone else's SSL certificate on your server when you attempt to access your site. Check with your web hosting provider if you think this might be the case.

My Internet Explorer says "This page contains both secure and non-secure items" and Firefox shows a padlock with a cross through it.

This error means that you have items with absolute paths to an insecure source on your secure pages. For example, if you have an image tag on a secure page that looks like this, you will receive an error:

<img src="http://www.domain.com/images/image.jpg">

Instead, use a relative link so that your images can be accessed insecurely or securely, depending on where the customer is on your site:

<img src="/images/image.jpg">

Another possible cause would be a third-party's script over an insecure source. An example of this would be:

<script src="http://www.not_your_domain.com/script.js" type="text/javascript">

Most often, a provider of such scripting services will also provide a secure means of accessing them. For example:

<script src="https://ssl.not_your_domain.com/script.js" type="text/javascript">

I installed my certificate on a non-Microsoft server and Firefox works fine. However, Internet Explorer either says "Page Cannot Be Displayed" or it says the certificate is signed by an authority I haven't chosen to trust.

This error normally occurs because of your server's SSL modules. Some versions of mod_ssl only support SSL connections up to 168-bits, which Internet Explorer is unable to negotiate. Firefox has the ability to accept the encryption at this level. If you are able to upgrade your SSL components, this is the best method.

Otherwise, your only option in this case is to force your server to use RC4-MD5 128-bit encryption as the highest level. To force your server to use this encryption level as its highest, add or change these configuration lines in your server's configuration file.

#SSLProtocol all -SSLv3
SSLCipherSuite !ADH:RC4+RSA:+MEDIUM:+LOW:+SSLv2:+EXP:-SHA

By commenting out the SSLProtocol line, you allow the SSLCipherSuite line to specify the allowed encryption parameters. The SSLCipherSuite configuration line will allow for any encryption level up to and including RC4-MD5 128-bit encryption. Be sure to add/adjust these lines in each virtual host configuration (if you do not specify them globally). Save your configuration file and restart your server when you are finished.



Certificate Analyzer

Once you have completed your certificate installation you can use our instant online troubleshooter to verify your installation and help resolve problems.
Certificate Analyzer→

Go Green