cancel
Showing results for 
Search instead for 
Did you mean: 

HTTPS CERTIFICATE CONFIG

Highlighted
Occasional Contributor

HTTPS CERTIFICATE CONFIG

I have a SA4500 which I am attempting to secure the http:// connection. 

 

My vpn public connection looks like this once accessed from the public ip address.

 

http error.JPG

 

A device CSR was genrated, sent to a reputable certificate issuer and was returned. This certificate was uploaded to the SA4500.  A trusted client certificate was also uploaded successfully. Trusted server CA's were also added. 

 

The device certificate was added to the external port and config saved successfully.

 

csr.JPG

 

All of this done, I am still getting an "unsecured" connection to my public IP address.

 

Any insight on what I may be doing incorrectly ?

 

Thanks in advance for any and all comments.

2 REPLIES 2
Highlighted
Super Contributor

Re: HTTPS CERTIFICATE CONFIG

The certificate should be applied to the port that your DNS entry resolves to.  If you are using the external port or creating a vip for the sign-in page this is there the certificate should be applied.

 

Check your browser error message for the cert.  There are three reasons it can fail and you need to know which one is the issue.  Depending on which one fails there will be different steps.  You can also confirm by this that you are indeed seeing the correct certificate you purchased so that you know it is installed correctly on the SA4500.

 

  1. URL name must match the name in the certificate
  2. The client computer running the web browser must trust the CA that issued the certificate
  3. The date on the certificate cannot be in the past based on the client computer clock running the browser
Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
Highlighted
Respected Contributor

Re: HTTPS CERTIFICATE CONFIG

Connecting by IP will _always_ give you an untrusted error as that is not a valid entry in the certificate. If you were somehow able to get the certificate issued to your IP address then this would be a problem; but because your IP will, most likely, never match your CN/DN/SN/hostname of your certificate, that is correct behavior.
Is the correct name/certificate being presented?