Browser shows "Not Secure" after replacing SSP-I Certificates

Article ID: 433750

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Symptoms

  • After replacing a self-signed certificate with an organization-signed certificate on the Security Services Platform Installer (SSP-I), the web browser still displays a "Not Secure" warning.

  • The browser error code is typically NET::ERR_CERT_AUTHORITY_INVALID or SEC_ERROR_UNKNOWN_ISSUER.

  • Running the following command from the SSP-I CLI:

    openssl s_client -connect <FQDN>:443 -showcerts

    returns: verify error:num=19:self-signed certificate in certificate chain

Environment

vDefend Security Services Platform 5.1.1

Cause

This issue occurs because the client machine (your workstation) does not recognize or trust the Root Certificate Authority (CA) that issued the new organizational certificate.

While the SSP-I server is correctly presenting the certificate, the browser will flag the connection as insecure until the issuing Root CA is manually added to the workstation’s local Trusted Root store.

This is common with internal private CAs, which are not part of the public global trust list (unlike public CAs such as DigiCert or Let's Encrypt).

Resolution

Step 1: Verify the URL

Ensure you are accessing the platform using the Fully Qualified Domain Name (FQDN) (e.g., https://sspi-fqdn.domain) and not the IP address. SSL certificates are tied to names, not IP addresses.

Step 2: Export the Root Certificate

  1. Navigate to the System > Certificates section in the SSP-I UI.

  2. Click View Certificate Chain.

  3. Select the top-level certificate in the hierarchy (the Root CA).

  4. Click Export and save the file (e.g., root_ca.crt) to your local machine.

Step 3: Install the Root CA on the Workstation (Windows)

  1. Double-click the exported .crt file and select Install Certificate.

  2. Choose Local Machine and click Next.

  3. Select Place all certificates in the following store.

  4. Browse and select Trusted Root Certification Authorities.

  5. Complete the wizard and click Yes on the security confirmation prompt.
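
A scripted equivalent of Step 3 for an elevated PowerShell session, added here as an example and not taken from the vendor's documentation. It checks the exported file before trusting it; the file name root_ca.crt comes from Step 2, and the expected SHA-256 fingerprint is an assumption: a value you obtain out-of-band from the team that runs your CA.

```powershell
# Added example: validate the exported root, then install it (run elevated).
param(
    [string]$Path = '.\root_ca.crt',                # file saved in Step 2
    [Parameter(Mandatory)][string]$ExpectedSha256   # assumption: fingerprint supplied out-of-band by your CA team
)
$ErrorActionPreference = 'Stop'

$file = (Resolve-Path $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

# SHA-256 over the DER encoding, as upper-case hex without separators
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$want = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$problems = @()
if ($hash -ne $want) { $problems += "fingerprint mismatch: file is $hash" }

# A root is self-issued: subject and issuer are the same name.
if ($cert.Subject -ne $cert.Issuer) { $problems += "not a root (issuer: $($cert.Issuer))" }

# basicConstraints (OID 2.5.29.19) must mark the certificate as a CA.
$ext = $cert.Extensions['2.5.29.19']
if ($null -eq $ext) {
    $problems += 'no basicConstraints extension'
} else {
    $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $ext, $ext.Critical
    if (-not $bc.CertificateAuthority) { $problems += 'basicConstraints CA flag is false' }
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to trust $file"
}

# Same store the wizard targets: Local Machine > Trusted Root Certification Authorities
Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
```

If any check fails, the script lists the reasons and stops without touching the trust store.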

Step 4: Verify Success

  1. Close all browser windows (or use a new Incognito/Private window).

  2. Navigate to the FQDN URL.

  3. The address bar should now display a Padlock icon, indicating a secure connection.