Why do I keep getting certificate errors in my browser?

The site's security certificate is not trusted!

Have you ever seen this error:

The site's security certificate is not trusted!

You attempted to reach https://www.site.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system.  This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
You should not proceed, especially if you have never seen this warning before for this site.

This abstruse error means that Windows has not been configured to trust the certificate authority that issued the certificate for the website you’re trying to access.

This can happen when you start using a new computer because the OS doesn’t have the root certificates from some (or any) of the trusted authorities, so it cannot automatically accept the certificates those authorities issued.

I’ll explain what all this means in a moment but the bottom line is that if you’re missing certain trusted certificate authorities your web browsers will be in a petulant mood until you make the adjustments.

Check the date

Sometimes you can fix the issue by verifying your system date is accurate.  Certificates are only valid between two dates, so if your clock is wrong every certificate can look expired or not yet valid.  For example, if you glance at the date and notice your clock is set to January 1st, 2000 then that could be the issue.

Why does this happen?  My best conjecture is that you have a dead (or dying) CMOS battery that needs to be replaced.  If the CMOS battery dies then low-level functions like maintaining the system clock will start to suffer.

Instructions for replacing the battery are contingent on your manufacturer; however, here’s a pretty good 3-minute YouTube video that illustrates the process on a Dell desktop.  The video is fairly old (3 years), but the concepts still apply.  I just wanted to show you the video so you can get comfortable with the CMOS replacement process.

It’s pretty easy but if you’ve never opened your computer then the notion of replacing a battery on the motherboard will feel foreign.  Just shoot me a tweet and I’ll try to help.

Reset the Browser

In other cases, resetting the browser to its default configuration fixes the problem.

The reset instructions depend on your browser so here’s a list of instructions for the top three:

This usually resolves the certificate issue – if it remains you probably need to update your Windows root certificates.

Download the Root Certificates

You can update your root certificates by downloading the list from Microsoft.

The Microsoft Update Catalog

This only works in Internet Explorer (go figure), so once you fire it up, download and install the Microsoft Update Catalog and search for

root certificate update

Grab the latest update package and you should be good to go.

Windows 8.1 Root Certificates

You should be all set now but I still feel like I need to explain the rudimentary concepts behind digital certificates.

I don’t want to throw a fix at you without explaining what you’re fixing and why it works.

Getting your mind around certificates

Let’s start with something we already know.

Think about a certificate you earned from completing college or a rigorous program in your career like a professional computer certification.

If you take a moment to peruse the certificate you’ll notice a few things.  Depending on the purpose, certificates obviously vary; however, most share a few characteristics:

  • The name of the person or organization who issued the cert
  • Who the certificate was issued to
  • How long is it valid?  When does it expire?
  • A wax seal that proves the certificate is authentic

Computers use little files, known as digital certificates, that have the digital equivalents of the above fields.

There are also two additional elements that normal certificates don’t have:

  • Public Key
  • Digital Signature

Let’s talk about Public Keys first then I’ll explain Digital Sigs.

Public key anyone?

The Public Key is critical because it lets you scramble data in such a way that it can only be deciphered by someone with a secret file known as a private key.

Anyone can see the public key and anyone can easily create their own public-private key pairs, so initially this may seem like a specious solution.  But it’s not:

The entire public key cryptography thing depends on the fact that it is currently computationally infeasible to ascertain the private key from its corresponding public key.

Think of it like this: what’s the busiest street you know of?

Now imagine a postal service building on the corner with a mailslot in the wall.  Thousands of people walk by the mailslot every day so it’s public and highly visible.

The mailslot is the public key: anyone can find it.

But only the person with the mailbox key (the post-office worker) can open the mailbox and collect the messages people slip in.  That’s because the post-office worker owns a private key that only they have access to.

My point is that it’s impossible to get that private key from simply knowing where the mailslot is located (the public key).

The private and public keys are mathematically related in such a way that you can’t derive the former from the latter.

Now, the difficulty in cracking public key cryptography is based on the fact that it’s currently a herculean task for a computer to factor a number that is the product of two large primes.

You may remember from high school that a prime number is a number with exactly two factors (numbers that divide into it evenly):

  • The number itself
  • The number one

So the number 5 is prime because it has exactly two divisors:

5 and 1

When you take two primes which are:

  • Very large
  • Completely random and
  • Almost the same size

you make it extremely hard for a computer to recover those two primes from their product.  Math geeks call a product like that a composite integer, and it’s the heart of what makes this kind of cryptography work.

In addition, since there are an infinite number of primes there are an infinite number of possible keys which makes this a very strong security mechanism.

Digital Sigs

The Digital Signature is like the wax seal on your college certificate because it proves that the certificate came from the claimed source.  It also has a mathematically generated number known as a checksum (a hash of the certificate’s contents) that automatically detects if the certificate was modified.  If the checksum doesn’t add up the certificate becomes invalid and in our case, the web browser will reject it with an annoying error message.

But this is actually a good thing: you want your browser to alert you about stuff like this.

I mean, what if some random guy created a certificate, self-signed it, uploaded it to espm.com (note the m instead of an n) and designed his malicious site to look identical to espn.com?

Now anyone who makes a typo and logs in unwittingly sends his or her sign-on credentials to this loser’s Dropbox account, all because the stupid browser didn’t realize the digital signature was fraudulent.

Fortunately all modern browsers will alert you if the digital signature doesn’t check out, so don’t worry too much – I’m just pointing out that what may seem like a nettlesome error can sometimes mean that your browser is actually protecting you from harm.

Putting it all together

An example helps:

Let’s say Twitter decides it wants to allow users to securely connect to its servers.  In other words, Twitter wants stuff like usernames and passwords to get encrypted at sign-on so that even if a hacker breached your home network and attempted to sniff the network for passwords, all he would see is an incomprehensible mess of text.

So Twitter goes to a trusted certificate authority such as Verisign and says:

Hey Verisign, issue me a cryptographically signed cert from Verisign so when anyone visits twitter.com it automatically encrypts their credentials.

Verisign says:

Alright, I have a few questions for you Mr Twitter:

  • Who registered your domain name, twitter.com?
  • What web server are you running?
  • What does your company actually do?
  • Where is your business physically located?

In other words, Verisign bombards twitter.com with a fusillade of questions before it issues the cert because it needs to have reasonable assurance that Twitter.com is who it claims it is.

If Twitter.com passes the exacting criteria of the trusted certificate authority, in this case Verisign, then the authority creates the cert and issues it to Twitter.

The anatomy of the cert

The cert has a bunch of data fields but the main ones you should know about are these five:

  1. Issuer
  2. Validity (valid from that date to this date)
  3. Company details
  4. Public Key
  5. Signature

When you go to twitter.com your computer downloads the certificate and analyzes these data fields.

If the name on the certificate matches the domain name, twitter.com (and the other fields check out), then the browser accepts the cert and all is well.

The neat thing about certificates is that even if some loser hacker stole the twitter.com certificate (and you accidentally downloaded it when you went to his malicious site, badsite.com) your browser would still reject it because it would immediately recognize that the certificate name and the domain name don’t match.

Moreover, even if the owner of badsite.com tried to fool your computer by manually changing the data field in the certificate from twitter.com to badsite.com, your browser would still reject it because the checksum for the digital signature wouldn’t match the data contained inside the certificate.

This is why digital certificates are used to verify identity – they virtually guarantee the integrity of the certificate and make it hard for the owner to repudiate ownership.
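To make the public-key section and the anatomy section above concrete, here is an added example (mine, not the post’s) that models a certificate as the five fields listed above, signs it with a key pair built from two primes as the public-key section describes, and runs the checks a browser performs in turn: is the issuer in the root store, does the signature still match the fields, is today inside the validity window, and does the name match the site being visited. The CA name “Verisign”, the site names, the dates and the primes are all constructed for illustration, and the RSA is textbook RSA on tiny primes with no padding (real certificates use 2048-bit moduli with proper padding), so it shows the logic of the checks rather than production cryptography. It needs Python 3.8 or newer.

```python
"""Toy model of the checks a browser runs before trusting a certificate.
Added example, not code from the original post: the CA, site, dates and
key pairs are constructed, and the RSA is textbook RSA on tiny primes with
no padding, so it shows the logic of the checks, not production crypto."""
import hashlib
import json


def make_keypair(p, q, e=65537):
    """Build ((n, e), (n, d)) from two primes. Public key: (n, e). The
    private exponent d needs phi(n), which needs the factors p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse; Python 3.8+
    return (n, e), (n, d)


def factor_by_trial_division(n):
    """Brute-force p and q: instant for a toy modulus, hopeless at 2048 bits."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    return None


def digest(fields, n):
    """Hash the certificate body (the post's 'checksum'), reduced into the
    key's range; reducing a 256-bit hash mod a tiny n is only OK in a toy."""
    body = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def sign(fields, private_key):
    n, d = private_key
    return pow(digest(fields, n), d, n)


def signature_ok(fields, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(fields, n)


def issue_certificate(issuer, subject, not_before, not_after,
                      subject_pubkey, issuer_privkey):
    """The five fields the post lists, signed with the issuer's private key."""
    fields = {"issuer": issuer, "subject": subject, "not_before": not_before,
              "not_after": not_after, "public_key": list(subject_pubkey)}
    return {"fields": fields, "signature": sign(fields, issuer_privkey)}


def check_certificate(cert, hostname, trust_store, today):
    """Return 'ok' or the first reason a browser would refuse the cert.
    trust_store maps issuer name -> root public key (the OS root store);
    dates are 'YYYY-MM-DD' strings, so they compare correctly as text."""
    f = cert["fields"]
    issuer_key = trust_store.get(f["issuer"])
    if issuer_key is None:
        return "untrusted issuer"          # the error quoted at the top
    if not signature_ok(f, cert["signature"], issuer_key):
        return "signature mismatch"        # fields edited after signing
    if not (f["not_before"] <= today <= f["not_after"]):
        return "outside validity period"   # first suspect: the system clock
    if f["subject"] != hostname:
        return "name mismatch"             # genuine cert, wrong site
    return "ok"


def demo():
    """Run the post's scenarios; every name, date and key is constructed."""
    ca_pub, ca_priv = make_keypair(104729, 104723)          # "Verisign" root
    site_pub, _ = make_keypair(999983, 999979)              # twitter.com's key
    rogue_pub, rogue_priv = make_keypair(1000003, 1000033)  # random guy's key
    trust_store = {"Verisign": ca_pub}
    cert = issue_certificate("Verisign", "twitter.com",
                             "2015-01-01", "2016-01-01", site_pub, ca_priv)
    tampered = {"fields": dict(cert["fields"], subject="badsite.com"),
                "signature": cert["signature"]}
    lookalike = issue_certificate("Random Guy CA", "espm.com", "2015-01-01",
                                  "2016-01-01", rogue_pub, rogue_priv)
    day = "2015-06-01"
    results = {
        "valid": check_certificate(cert, "twitter.com", trust_store, day),
        "clock_reset_to_2000": check_certificate(cert, "twitter.com", trust_store, "2000-01-01"),
        "stolen_cert_on_badsite": check_certificate(cert, "badsite.com", trust_store, day),
        "tampered_subject": check_certificate(tampered, "badsite.com", trust_store, day),
        "self_signed_lookalike": check_certificate(lookalike, "espm.com", trust_store, day),
        "missing_root_cert": check_certificate(cert, "twitter.com", {}, day),
    }
    # Why "very large" primes matter: a toy modulus gives up its private key at once.
    p, q = factor_by_trial_division(ca_pub[0])
    results["toy_private_key_recovered"] = make_keypair(p, q)[1] == ca_priv
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:24} -> {verdict}")
```

Running it walks through each scenario from the post: a wrong clock trips the validity check, the stolen twitter.com certificate served from badsite.com trips the name check, editing the subject field breaks the signature, the self-signed espm.com look-alike and a root store missing “Verisign” both produce the “untrusted issuer” error that started this article. The last line is the reason the primes have to be very large: the toy modulus is factored in a fraction of a second, and with the factors in hand the private key follows immediately.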

The Bottom Line

The bottom line is that if you start getting certificate errors you should try three things:

  • Check the system date
  • Reset your browser settings
  • Update your Root Certificates

If you think about a digital certificate like a normal certificate it’ll start to make sense.  The only substantive difference is that the former has a Public Key and a Digital Signature.

The Public Key provides security via encryption and the Digital Signature validates the identity of the issuer and provides assurance that the cert wasn’t modified in transit.

Digital Certificates and Signatures are convoluted subjects and to be honest I’m not even sure I said anything coherent here but I wanted to get you a gentle introduction so you can have fodder for your next cocktail party.

Hahaha I don’t know why I keep bringing up cocktail parties.  Forget that, don’t talk about this at your next company event.


  • Emily Dicson

    I have used every OS; besides, Microsoft provides many operating systems, but Windows 7 is the perfect OS for HD gaming with all its versions, like Starter, Home Premium, Professional and Ultimate, which have been used for both home and business purposes.
    I suggest all friends only use a full version of any OS to avoid losing your backup files and precious time. Last time, I needed a license for Windows 8.1 Pro, which I installed on my cousin’s PC, so one of my friends recommended I buy it from: ODosta Store
    So I bought it, activated it online and now it works fine.

    • Bob

      Oh!!!!! It all makes sense now(!)

  • Mark

    Great explanation, thanks.

    Have bookmarked this site 🙂

  • Vasco Fernandes

    When I search root certificate updates it only shows the ones from Windows 2000… Yet my Windows is 8.1. Please help me with this… I can’t use my computer browsers…