SSL Certificate Validity - apache

I'm using an SSL certificate from geotrust. I just ordered and installed it this weekend.
However, when I try to access my website using https, Firefox (and the other browsers as well) warns that the certificate expired a few days ago.
I guess there could be two reasons:
I made a mistake during the installation of the certificate
Geotrust did not sign the certificate properly.
First I want to rule out the second reason considering my browser tells me the certificate expired a few days ago. This does not make sense at all.
Is there a way to extract the expiration date from the certificate?
Thanks!

Sure... check the certificate in the browser. Click on the not valid warning / broken SSL symbol in the address bar, it should give you an option to view the certificate ;)

TomTom's answer is right on!
Just about any browser will let you see the details of the certificate. There's always a Valid From field and a Valid To field describing the cert's validity period.
Also - check the subject DN and issuer DN. The Subject DN describes your server, the Issuer DN describes the signer. The issuer should be GeoTrust - if the issuer is not GeoTrust, you are not configured correctly, you are likely to be using the cert that came with the web server.

Related

Would a wildcard SSL Certificate work without a sub-domain?

We have to update our SSL certificate for another year with a new COMODORS certificate.
We've had an old certificate (GeoTrust) with *.domain.ch which is correct from the naming aspect but expired from the date.
Now we've falsely made one with *domain.ch without the first dot. This should be a wildcard certificate for our domain.ch.
Will this work or can this be the problem for server not starting after this SSL certificate update?
No, it will not work. This certificate will match against wwwdomain.ch but not www.domain.ch. But no public CA should issue such a certificate in the first place, since that way you could impersonate foo-domain.ch etc., i.e. domains which don't belong to you.
If this certificate is in a pipeline to get issued then it won't get issued. If it got issued erroneously then you have to re-issue the certificate from the vendor or the CA, as the *domain.ch won't work.
can this be the problem for server not starting after this SSL certificate update?
The server won't start as there is a mismatch in the domain name.

Why do I get an SSL misconfiguration error?

I installed the SSL certificate on my server but I get this error:
This server could not prove that it is spdns.ir; its security certificate is from vmi90749. This may be caused by a misconfiguration or an attacker intercepting your connection.
Can anyone explain to me what the problem is and how I should fix it?
Thanks
The error is quite self-descriptive. The certificate is issued to the vmi90749 name, while you are trying to access the spdns.ir name. There is nothing common between them. You need to install a certificate that is issued to the spdns.ir name and make sure it is issued by a trusted authority, preferably a globally trusted CA vendor (there are CAs that issue certificates for free).
As a side note: when requesting a new certificate for the spdns.ir name, make sure that the name is added to the Subject Alternative Names certificate extension. Google Chrome deprecated the Subject field.

Exchange server wildcard certificate error

We have a local Exchange server that we are testing out. We also have a wildcard certificate and wanted to use that certificate for Exchange. We got the certificate installed correctly, but we get an error notice when Outlook connects to Exchange.
The error is:
"exchange.office.domain.com
...
The name on the security certificate is invalid or does not match the name of the site"
When I "View Certificate...", I see the correct certificate, issued to "*.domain.com"
I am not sure if the problem is that the * does not work for exchange.office; that is how we have the network set up, however.
Does anyone know how we can get Exchange to work with the wildcard certificate (we do not want to buy another certificate for testing), or if the problem is the multi-host in the FQDN, how we can get around that?
Thanks for your thoughts.
I don't know if Exchange has their own rules, but for HTTPS a certificate for *.example.com does not match foo.subdomain.example.com. A wildcard is only valid for a single label and only for the leftmost label. See also https://security.stackexchange.com/questions/52478/why-does-firefox-not-trust-this-us-government-ssl-certificate/52479#52479
how we can get around that?
Your only options are to either change the hostname (or provide an alias) to match the certificate or to change the certificate to match the hostname.
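The matching rule the answers above rely on (a wildcard covers exactly one leftmost label, so *.domain.com does not cover exchange.office.domain.com, *domain.ch is not a usable wildcard at all, and a name such as vmi90749 never matches spdns.ir), written out as an added example that is not from any of the posts; the `cn_fallback` switch models clients that still consult the Subject CN when the certificate carries no SAN, which Chrome no longer does.

```python
def wildcard_matches(presented, hostname):
    """Match one DNS name from a certificate against the hostname the client asked for.
    Applies the browser rule (the strict reading of RFC 6125 section 6.4.3): a wildcard
    must be the entire leftmost label and stands in for exactly one non-empty label."""
    p, h = presented.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h                       # plain name: exact (case-insensitive) match only
    plabels, hlabels = p.split("."), h.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False                        # "*domain.ch", "www.*.ch", "*.*.ch": rejected
    if len(plabels) < 3:
        return False                        # "*.ch" would cover a whole TLD: rejected
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False                        # one label only: "*.domain.com" != "a.b.domain.com"
    return hlabels[1:] == plabels[1:]


def hostname_in_cert(dns_sans, subject_cn, hostname, cn_fallback=False):
    """True if any SAN dNSName matches; the Subject CN is consulted only when the
    certificate has no SAN names and the client still honours the CN (cn_fallback)."""
    names = list(dns_sans)
    if not names and cn_fallback and subject_cn:
        names = [subject_cn]
    return any(wildcard_matches(n, hostname) for n in names)


if __name__ == "__main__":
    for san, host in [("*.domain.ch", "www.domain.ch"), ("*domain.ch", "www.domain.ch"),
                      ("*.domain.com", "exchange.office.domain.com"), ("vmi90749", "spdns.ir")]:
        print(f"{san:15} vs {host:28} -> {wildcard_matches(san, host)}")
```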
A wildcard SSL certificate can only secure a first-level domain name.
If you have purchased a wildcard SSL certificate for 'domain.com', using the wildcard you can secure '*.domain.com' sub-domains (first level).
If you have purchased a wildcard SSL certificate for ".domain.com", using the wildcard you can secure '..domain.com' sub-domains (second level).
As you want to secure "exchange.office.domain.com", it is a second-level domain name option. So to secure it you need to buy a wildcard SSL certificate for "office.domain.com".

Does the certificate need to be official or self signed?

I am putting a web test up for clients that visit "https://oursite.com/poodlesecurityfailed.js"
Question,
Do I need a valid certificate even though it's on a test domain for certificate negotiation? If the client can visit it, they failed the POODLE test (SSLv3 is enabled on that host).
Ideas?
Do I need a valid certificate even though it's on a test domain for certificate negotiation? If the client can visit it, they failed the POODLE test (SSLv3 is enabled on that host).
Depends on the client.
If the client has enough knowledge to understand that "invalid certificate" when accessing the site means in reality that the client still has SSL 3.0 enabled, then a self-signed certificate would be enough.
If you instead want to provide an explanation of the problem at this site and don't expect the client to explicitly accept an invalid certificate just to see this explanation, then you had better use a properly trusted certificate.

Why do my browsers say my server's SSL certificate has expired but OpenSSL says it hasn't?

In my nginx conf file, I have an ssl_certificate identified. According to OpenSSL, the end date of that certificate is in the future. When I access my site from a browser, it says that the certificate has expired.
It is possible I used the expired certificate previously, but I don't understand where the browser is getting it from now. Any suggestions where I should look?
The certificate has two fields - Valid From and Valid To. Check that both parameters are ok, i.e. Valid From is in the past and Valid To is in the future.
When you visit the site with the browser, it shows the lock icon either to the left of the URL in the address bar or in the status bar. Clicking on the lock icon will show you the certificate that the browser sees. Check that this certificate corresponds to the one you have in the server config.
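For the two "expired according to the browser" questions above (extracting the Valid From / Valid To dates, and checking whether the certificate the server actually serves is the one named in the nginx or apache config), here is an added example that is not from any of the posts: a minimal DER walk over the X.509 Validity field using only the Python standard library, plus a fetch of the leaf certificate the server presents. `SAMPLE_DER` is a constructed skeleton carrying only the leading tbsCertificate fields, not a real certificate; `served_certificate` needs network access and is not exercised offline.

```python
import ssl
from datetime import datetime, timezone

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Split the value of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _asn1_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: two-digit years 50..99 mean 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (not_before, not_after) of a DER certificate, following RFC 5280 field order."""
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                  # first member: tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    nb, na = _children(fields[3][1])        # serialNumber, signature, issuer, validity, ...
    return _asn1_time(*nb), _asn1_time(*na)

def is_within_validity(der, now=None):
    nb, na = validity(der)
    return nb <= (now or datetime.now(timezone.utc)) <= na

def served_certificate(host, port=443):
    """DER of the leaf certificate the server really presents; no validation is done,
    so an expired certificate is still returned and can be compared with the file."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def _enc(tag, payload):                     # short-form DER encoder, used only for the sample
    return bytes([tag, len(payload)]) + payload

# Constructed sample: version, serial, empty signature/issuer stubs, then the Validity.
SAMPLE_DER = _enc(0x30, _enc(0x30,
    _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"") + _enc(0x30, b"")
    + _enc(0x30, _enc(0x17, b"240301000000Z") + _enc(0x17, b"240331235959Z"))))
```

A certificate read from the nginx or apache config file can be fed to `validity` after `ssl.PEM_cert_to_DER_cert(open(path).read())`, and its dates compared with those of `served_certificate(host)`.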