2.4  Verification of the VPN server's SSL Certificate

Whenever a connection is being established, Kerio VPN Client performs verification of the VPN server's SSL certificate (the same verification is performed by web browsers when attempting to use the HTTPS protocol). If any certificate-related problems are detected, a warning appears inquiring whether the user finds the VPN server trustworthy and whether the connection to the server should be allowed.

Figure 2.11. A dialog informing about detected problems with the VPN server's certificate


Click View Certificate to view detailed information about the VPN server's certificate (issuer, server for which it was issued, expiration date, etc.). Based on this information, the user can decide whether to treat the server as trustworthy and allow the connection or to forbid it.

Figure 2.12. Viewing details of VPN server's certificate


If Yes is clicked, Kerio VPN Client considers the VPN server trustworthy. The certificate is saved and no warning is displayed on subsequent connections to the server.

Note: For more information on VPN servers' certificates, see the Kerio WinRoute Firewall — Administrator's Guide.

Common certificate-related problems and their solutions

Certificate-related problems are often caused by one of the following issues:

The certificate was issued by an untrustworthy authority

Kerio VPN Client verifies whether a certificate was issued by an authority included in the list of trustworthy certificate publishers stored in the operating system (the Certificates section of the Content tab under Control Panel / Internet Options). Once a certificate is imported, any certificates issued by the same authority will be accepted automatically (unless a problem is detected).

Note: When the Generate Certificate option is used, a self-signed certificate is created (the publisher of the certificate is identical to its subject). This type of certificate does not guarantee the highest security and it cannot be accepted automatically on the client side. To provide full security, it is necessary to use a certificate issued by a trustworthy certification authority. For details, refer to the Kerio WinRoute Firewall manual.

The name referred in the certificate does not match with the server's name

The server name specified in the certificate does not correspond to the name of the server that Kerio VPN Client is connecting to. This problem might occur when the server uses an invalid certificate or when the server name has changed. However, it may also indicate an intrusion attempt (a false DNS record with an invalid IP address is used). It is recommended to discuss this issue with the administrator of the corresponding VPN server.

Note: Certificates can be issued only for servers' DNS names, not for IP addresses.

Date of the certificate is not valid

For security reasons, the validity of SSL certificates is limited in time. If an invalid date is reported, it means that the certificate's validity has already expired and it is necessary to update it. Contact the VPN server's administrator.

The security certificate has changed since the last check

When a user accepts a connection to a VPN server, Kerio VPN Client saves the server's certificate as trustworthy. On any later connection, Kerio VPN Client compares the certificate presented by the server with the saved one. If the two do not correspond, the certificate may have been changed at the server (e.g. because the original certificate expired). However, this might also indicate an intrusion attempt (another server using a different certificate). Contact the VPN server's administrator.
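
The four checks listed above, together with the save-on-accept behaviour, as an added Python example; this is not Kerio VPN Client's code. The names check_certificate, connect, pins, chain_trusted and ask_user are hypothetical, the certificate is given in the dict form returned by Python's ssl.SSLSocket.getpeercert(), and the verdict on the issuing authority is assumed to come from the operating system's trust store.

```python
import hashlib, hmac, ssl

# Constructed sample in getpeercert() dict form (self-signed: issuer == subject).
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "vpn.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
SAMPLE_DER = b"constructed stand-in for the DER-encoded certificate"

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def _flat(name):  # getpeercert() names are tuples of RDN tuples
    return {k: v for rdn in name for k, v in rdn}

def _matches(pattern, host):  # "*" counts only as the whole left-most label
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check_certificate(cert, der, host, now, chain_trusted, pins):
    """Return the problems found, using the four categories listed above."""
    problems = []
    if not chain_trusted:  # assumption: verdict supplied by the OS trust store
        self_signed = _flat(cert["issuer"]) == _flat(cert["subject"])
        problems.append("untrusted-authority" + (" (self-signed)" if self_signed else ""))
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [_flat(cert["subject"]).get("commonName", "")]
    if not any(_matches(n, host) for n in names):
        problems.append("name-mismatch")
    t = ssl.cert_time_to_seconds
    if not t(cert["notBefore"]) <= now <= t(cert["notAfter"]):
        problems.append("date-invalid")
    if host in pins and not hmac.compare_digest(pins[host], fingerprint(der)):
        problems.append("changed-since-last-check")
    return problems

def connect(cert, der, host, now, chain_trusted, pins, ask_user):
    """Allow if the certificate is clean or already saved; otherwise ask."""
    if pins.get(host) == fingerprint(der):
        return True  # accepted earlier: no warning on later connections
    problems = check_certificate(cert, der, host, now, chain_trusted, pins)
    if problems:
        if not ask_user(problems):
            return False
        pins[host] = fingerprint(der)  # user clicked Yes: save as trustworthy
    return True
```

A changed certificate on a host that already has a saved one is the case to escalate rather than click through: the warning is the only signal separating a routine renewal from a different server answering under the same name.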