ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

"CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store" after SSL Configuration

book

Article ID: 227578

calendar_today

Updated On:

Products

CA Service Management - Service Desk Manager CA Service Desk Manager

Issue/Introduction

Configured SSL on Dev service desk application server . when we are opening URL we are getting below warning :-

"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

Please suggest here.

Cause

This message usually presents when you are using an SSL certificate that has NOT been issued by a known Root CA.  All SSL certificates need to be signed or authorised by a Root CA, or Certificate Authority.  Think of the Root CA certificate as the certificate which will "vouch" for the authenticity of your main SSL certificate.  

Most web browsers have a list of Root CA certificates that it will accept.  Example:  In Chrome, to view its Root CA listing:

1.  Under "Privacy and Security," click "Manage Certificates."
2.  On the popup that was launched, select "Trusted Root Certification Authorities'. The certificate will be displayed there.

What can happen in the scenario you are experiencing is usually caused by one of the following:

1.  Your SSL certificate was signed/authorised by a Root CA that your browser does not recognise

2.  Your SSL certificate is a self-signed certificate, which is mainly used in testing and not recommended in production environments.

Environment

Release : 17.1

Component : SDM - Classic UI

Resolution

You will need to review how your SSL certificate was created, if it was signed by a known Root CA or is self-signed.  You can view the SSL certificate's Root CA by running the following command:

keytool.exe -printcert -v -file test-SSL.cer

In the above, keytool.exe is a binary application that comes with most JRE implementations and test-SSL.cer is your SSL certificate.

The output will contain something like this which will help determine your certificate content:

Owner: CN=GTS CA 1O1, O=Google Trust Services, C=US
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

If your certificate is self-signed (does not have a valid Root CA or names its own server as the certificate authority), there is nothing that can be done as most browsers will by default block or warn against self-signed certificates.  You will need to obtain a new SSL certificate that has been signed by a valid Root CA.

If your certificate does name a Root CA, you will need to find out if it is included in the browser's own list of trusted Root CA's, or obtain a new SSL certificate that has been signed by a valid Root CA that the browser recognises. 

Additional Information

The above issue with the SSL certificates is generally a concern that falls outside of Service Desk and should be examined by your network and security teams.  SDM Support does not control how your SSL certificates are created, nor can we recommend a root CA to which to work with as this is a policy maintained by your organisation.