Discussion on:

The strange case of the Google certificate roadblock

Have you come across certificate authentication problems? How did you resolve them?

I think i'll check on that - every so often, Opera refuses to access GMail, saying "A secure connection could not be established" (or words to that close effect) ... and then it starts working again.

Probably not the cause, but...

The organisation I do volunteer work at two days a week has recently upgraded from Win XP to Win 7 Enterprise (it's a big international organisation) and we've gone from MSIE 8 to whatever is the latest (I keep forgetting to check) but still have one Win XP system in use. All the systems have both MSIE and Firefox installed so the public who come in to use them can use whatever they're familiar with. We've NEVER had a security certificates issue using MSIE 7 or MSIE 8 or Firefox on the Win XP systems. But that's all changed with the new systems.

Most of what we deal with is Family History research and there are a number of major FH sites we visit. There is one site we visit a heck of a lot and now when we go there using the Win 7 system we get a warning from Microsoft that the website is untrusted and does not have current security certificate - to the best of my knowledge it never has had a security certificate, but it does use https and our systems automatically log us in under our organisation membership account - the site concerned is very trustworthy. We always just click the go to the site anyway button. The thing is this behaviour only happens when using MSIE on the Win 7 systems, it does NOT happen using Firefox on those systems nor when using MSIE 8 on the Win XP system.

The problem is clearly something within the MSIE version in Win 7, as I suspect if it had been within the OS it would also affect the FF access. What does worry me is the majority of our general public users are not that IT literate and the only way we can deal with this issue is to just tell them where to click and to ignore the message here. But that does worry me that we're teaching them poor Internet use skills and that they may do that on some other site that should not be trusted at our office or at their home. I would welcome any advice on how I can resolve this in a more permanent manner as the problem also affects many other branches of the volunteer organisation across Australia.

Hi Ernest, sorry for the delay in replying to your query; I was away until recently. Is there an option in MSIE to permanently install the certificate to suppress further prompts? If so this may solve the issue. Alternately, if your organization uses Group Policy there is a method you can use to configure the Windows-based clients to accept this certificate.

The systems are imaged at the organisation's headquarters and locked down re security etc. They even have a regular weekly remote audit check of what's on the systems and push out any updates. If you do manage to get in and change something the very next major check and update will reset all the setting back to the HQ wanted setting. Thus I can NOT change any system settings and make them stick, but I can change settings within the browser options and make them stick. But I can't find an option that affects the certificates, yet.

However, the issue appears to be a problem with the MSIE browser as it's happening only with the systems with MSIE 9 on them. It doesn't affect systems with MSIE 8. It would appear that any time you go to a site and have https in the URL MSIE 9 wants to see a current security certificate, even when there is no other code on the site about certificates.

The whole things just strikes me as a great big unneeded waste of time and trouble created by someone at Microsoft because they don't trust the clients to do anything.

I hear you - I find IE9 very frustrating to use, myself. It has a tendency to bug the user about everything; certain security prompts will nag users until they finally get shut off; this then leads to another series of prompts which causes people to just throw up their hands in frustration. Personally I'd like to see adaptive browsers (and operating systems) at some point which are intuitive, can learn from user behavior, and can be better tailored according to the expertise of the person using them.

Do you mind posting the URL you're having trouble with? I may be able to test it and find a solution after some trial and error.

the LDS Family History data site at

https://familysearch.org/

the real funny thing about this is I know it's not the site or the server itself as I've no issues when accessing via Firefox, but when I do have the problem its when I'm at the Family History centre and using their computers to hit the site from a computer on a LAN that's connected via VPN to the same WAN that the website is part of.

... that's a wildcard certificate, so I wonder if that has something to do with it.

A few ideas:

-Make sure familysearch.org is a trusted site in IE 9?

-View the certificate for the site in IE 9 and see if it reports any errors? (there shouldn't be but this may provide a clue)

-The certificate was issued by "Comodo High-Assurance Secure Server CA." Click the Certificate Path in the Certificate window, then select the "Comodo High-Assurance Secure Server CA" object and click View Certificate to look for any errors?

-The certificate to Comodo was issued by "Add Trust External CA Root." In IE9, go to Internet Options-Content-Certificates and make sure this appears in the "Trusted Root Certification Authorities" tab with an expiration date of 5/30/20.

-Also, you have the Windows update that I outlined in my article installed, right?

All you need to do is go to Tools:Internet options:Advanced and uncheck the box that says "Check for publishers certificate revocation" and "check for server certificate revocation" an click "apply".