Unable to trust self signed certificate - Bad server certificate shown in Issued by

Issue

When attempting to trust a self signed certificate, the option to permanently trust the certificate is not enabled.

When viewing the certificate, you see the message "Bad server certificate" in the field "Issued by"

 

Refer to WebHelp article 10326 for further information about certificate types

Product Line

SmartStruxure Solution

Environment

Certificates

Cause

There can be various reasons why a certificate can not be trusted, and many or these are described in article #17198.

In this specific case where you see the message "Bad server certificate", the cause is that the certificate is not deemed trustworthy.

First of all, you need to check what the reason behind the certificate being flagged as bad is. This is easiest done by examining the "CRL Distribution Points" property of the certificate, to determine which service is checking or affecting the certificate.

In this example, we can see that it is ZScaler (a proxy server provider) is listed, so the reason why the certificate is deemed as bad, is most likely because the certificate is self signed, and that is not accepted by the company policy.

 

If disabling the usage of a proxy server on the PC you are working on allows you to trust the certificate, you can confirm that it is an issue with the proxy server not allowing the self signed certificate.

 

For more information about how e.g. ZScaler handles certificates, refer to the How does ZScaler protect SSL traffic article

Resolution

Either reconfigure the proxy to allow the self signed certificate, or (the better option) get a proper CA signed certificate.

For more information about preparing and importing a CA signed certificate, refer to article #18047.