"This connection is untrusted" - Certificate Problem
Using WebInspect 9.20
Attempting to record a login macro for an internal site using an SSL certificate signed by our internal CA.
"domainIamscanning.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown."
If I click "add an exception" and check "permanently store this exception" it doesn't stick.
I have also installed our Root and Intermediate certificates into the respective Windows Certificate Store and restarted WebInspect. It still refuses to trust the cert.
Update: I've also tried adding the root and intermediate certificates by launching the browser in the HP hive. It doesn't seem to carry over while in WebInspect...which seems odd.
WebInspect does not use the IE browser, but its own internal-yet-equivalent one, and this includes the acceptance of certificates. In actual use, the scanner simply accepts all certs and moves on, as its aim is to scan and not be a safe browser.
The complication here may be in the Macro Recorder and the replay of your Macro. I would record the macro, but then mark any certificate acceptance sessions as "Optional". With this edit, those sessions can either be present or not during the actual replay of the Macro during the live scan, and it will not affect the replay.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
We're having a similar issue with our customers.
An SSL cert error is blocking us from replaying the macro properly.
How to: mark any certificate acceptance sessions as "Optional"
Where or how do we do this step? Would you please provide more detail?
First, the workaround mentioned by @HansEnders is in response to an older version of the product over 5 years ago. To answer the question, you can click on the step where the certificate was accepted and there is an option to make that step optional. Making the step optional will not cause the macro to hang or fail if the step is not needed.
Second, what version of WebInspect are you running? The reason for my question is, the latest version of the Login Macro Recorder will generally ignore SSL errors and accept the certificate.
An example of this would be browsing to the https://www.badssl.com website within the Login Macro Recorder (Event). As you will see when clicking on any of the bad certificate situations, we should allow that cert - https://www.screencast.com/t/0Q4uCqz9.
Third, as mentioned in the video, we use our own root certificate. Make sure our root certificate is properly installed.
If you continue to experience a problem, please open a ticket with support for further investigation.
Thanks, I have opened the support ticket.
I have a feeling this is the WebInspect internal "safe browser" mechanism, so it immediately blocked the macro from moving forward due to the invalid SSL cert on the website it's going to scan.
Is this true? If yes, I will inform the client that they should repair the SSL cert on their website first before we can proceed.
(There's no issue with scanning websites that have a valid SSL cert.)
Apologies if something is technically incorrect. This forum software is driving me nuts. It says I had invalid HTML and modified my post, but didn't tell me what it modified. 😟
I'm not using WebInspect, but I'm guessing it's a Java app like the other Fortify tools? If so, putting root and intermediate certs in the Windows certificate store will do nothing for you. You need to put them where the JDK can find them. You need to add them to cacerts:
Use the Java keytool, which is in the java\bin directory on a command line.
The commands would be something like this:
keytool -import -alias myroot -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file "C:\certs\root.cer"
keytool -import -alias myintermediate -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file "C:\certs\intermediate.cer"
Then you can run the following to have it dump the trusted certs. You should see your certs in the list:
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"
@Michael-V you are correct about the challenges of the forum software. I've heard we are moving to another solution.
Regarding WebInspect, it is not like the other Fortify tools in that it is a .NET application. We rely on Windows certificate store.
@Indra I saw your ticket in the queue yesterday and we have a tech looking into it. If there is a problem with the SSL cert then it should be fixed; however, it should not prohibit us from scanning the site and this is what we need to look into.
You can try the following:
1. Make sure the TruClient Browser (FireFox 59) is not running
2. Open Windows Explorer and browse to the following location: Program Files\Fortify\Fortify WebInspect\dat59\ASCMasterProfile\
3. Open the user.js file in a text editor and add the following:
//*****************************DISABLE FIREFOX SECURITY WARNING*******************************
4. Save the file then start your scan and create your Login Macro.
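Since the scanner itself is a .NET application that relies on the Windows certificate store (as noted above), the following added example (not from this thread or from Micro Focus) installs an internal root and intermediate into the machine stores that SChannel consults and then checks whether a leaf certificate exported from the scan target chains to a trusted root. The file paths are placeholders taken from the keytool post; the leaf file name is an assumption.

```powershell
# Added example: install an internal CA chain into the Windows machine stores
# used by .NET/SChannel, then confirm a target's leaf certificate now chains.
# Paths are placeholders (C:\certs\... from the thread); run from an elevated
# prompt, since Cert:\LocalMachine requires administrator rights.
$RootCer         = 'C:\certs\root.cer'
$IntermediateCer = 'C:\certs\intermediate.cer'
$LeafCer         = 'C:\certs\domainIamscanning.cer'   # assumed: leaf exported from the site

# Roots belong in Root, intermediates in CA ("Intermediate Certification Authorities").
# Dropping the intermediate into Root as well "works" but hides a broken chain.
Import-Certificate -FilePath $RootCer         -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $IntermediateCer -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null

function Test-LeafChain {
    param([string]$Path)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Internal CAs often publish no reachable CRL/OCSP; disable revocation here so a
    # revocation-offline status does not mask the trust problem being diagnosed.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($leaf)
    # UntrustedRoot  -> root not in Root store (the "issuer certificate is unknown" case)
    # PartialChain   -> intermediate missing from CA store and not sent by the server
    foreach ($s in $chain.ChainStatus)   { Write-Host ("  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    foreach ($e in $chain.ChainElements) { Write-Host ("  -> " + $e.Certificate.Subject) }
    return $ok
}

if (Test-LeafChain -Path $LeafCer) { 'Leaf chains to a trusted root' } else { 'Still untrusted; check the stores and the issuer' }
```

If WebInspect runs under a user account that cannot read the machine store, import into Cert:\CurrentUser\Root and Cert:\CurrentUser\CA instead. Note that this does not affect the bundled TruClient/Firefox browser used by the Login Macro Recorder, which keeps its own trust store.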