Whenever a connection is being established, Kerio VPN Client performs verification of the VPN server's SSL certificate (the same verification is performed by web browsers when attempting to use the HTTPS protocol). If any certificate-related problems are detected, a warning appears inquiring whether the user finds the VPN server trustworthy and whether the connection to the server should be allowed.
Click on the Details option to get detailed information about the VPN server's certificate (issuer, server for which it was issued, expiration date, etc.). Based on this information, the user can select one of the following options:
Cancel — cancels the operation if there are any doubts about the trustworthiness of the VPN server. In that case, it is also recommended to contact the server administrator and inform them about the issue.
Continue — suitable for cases where the server can be trusted and the certificate issues are only temporary. Kerio VPN Client allows the connection to the server this time only; the warning will be displayed again next time (unless the certificate issue has been resolved by then).
Continue and always trust the certificate (the Always trust option). The certificate will be saved in the system Keychain and from now on, no warning will be displayed. This option is suitable especially if the server uses a self-signed certificate.
Note: On Mac OS X 10.4 Tiger, it is not possible to set a self-signed certificate as always trusted. To work around this restriction and set the certificate as always trusted anyway, the certificate must be added to the keychain manually — see below.
If anything is unclear or the identity of the VPN server is in doubt, contact the firewall administrator immediately.
On Mac OS X 10.4 Tiger, it is not possible to set a self-signed certificate as always trusted (only certificates issued by a trustworthy certification authority are allowed to be saved in the system keychain). To work around this rule, follow this procedure:
In the window warning you that the certificate is not trustworthy (see figure 2.5 A dialog informing about detected problems with the VPN server's certificate), click on the certificate image and drag it to the desktop. This creates a file with the certificate on the desktop (e.g. server.company.com.cer).
Important note: The Keychain Access application must NOT be running at the moment. If it is running, close it.
Clicking on the certificate file on the desktop runs the Keychain Access application and displays a dialog asking which keychain the certificate should be saved in.
Select the X509Anchors keychain. This keychain contains certificates that are allowed to sign other certificates (these are typically certificates of certification authorities).
To add a certificate successfully, authentication with an administrator account is required.
In the Keychain Access application, select the X509Anchors keychain, look up the new certificate (e.g. server.company.com) and click on it to open it.
In the certificate window, scroll to the bottom, open the Trust Settings section and set the Always Trust option for the When using this certificate entry.
Close all running applications and log out of the system.
Reboot the system and try to establish a VPN connection to the particular server. From now on, no untrustworthy certificate warning should be displayed.
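Before a self-signed certificate is set to Always Trust, the exported file (e.g. server.company.com.cer) can be compared with a fingerprint obtained from the server administrator over a separate channel. The following Python code is an added example, not part of the Kerio documentation or product; the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> hash algorithm of the reference fingerprint.
ALGOS = {40: "sha1", 64: "sha256"}

# Constructed stand-in bytes (a DER SEQUENCE header plus filler), NOT a real
# certificate. A fingerprint is a hash over the file's DER bytes, so any byte
# string shows the mechanics.
SAMPLE_DER = b"\x30\x0b" + b"constructed"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file that is DER or PEM encoded."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not data.startswith(b"\x30"):  # DER certificates start with SEQUENCE
        raise ValueError("file is neither a DER nor a PEM certificate")
    return data

def normalize(reference: str) -> str:
    """Strip colons/whitespace and lowercase the administrator's fingerprint."""
    hexdigits = re.sub(r"[\s:]", "", reference).lower()
    if len(hexdigits) not in ALGOS or not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("reference is not a SHA-1 or SHA-256 fingerprint")
    return hexdigits

def display_fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Fingerprint of the file in colon-separated upper-case form."""
    digest = hashlib.new(algo, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(data: bytes, reference: str) -> bool:
    """True only if the file's fingerprint equals the out-of-band reference."""
    ref = normalize(reference)
    actual = hashlib.new(ALGOS[len(ref)], load_der(data)).hexdigest()
    return hmac.compare_digest(actual, ref)

if __name__ == "__main__":
    good = display_fingerprint(SAMPLE_DER)
    print(fingerprint_matches(SAMPLE_DER, good))            # matching file
    print(fingerprint_matches(SAMPLE_DER + b"\x00", good))  # altered file
```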