
Web Portal - Browsing the Web Portal results in error: 'The certificate chain was issued by an untrusted certification authority (CA)' when using a Unified Access Gateway.

Article Under Development
The following article is under development, and is being expanded as we receive customer feedback with various gateways.  If you have any feedback that you feel will assist in the correct expansion of this article, please open a ticket referencing this.

 

Symptoms:

By default, the Print Manager Plus Web Portal runs under HTTPS so that all passwords and data sent are encrypted. However, the default certificate is self-signed and can generate errors when the site is browsed through secure intranet gateways such as the Microsoft Forefront Unified Access Gateway (UAG).

Known Error:
The certificate chain was issued by an untrusted certification authority (CA)

 

Cause and Solutions:

The primary cause is that, by default, most gateways do not support serving a site with an untrusted certificate to their users.

Below are four solutions to resolve the issue.

Solution 1: Obtain a Trusted Certificate

If your server is public facing, the simplest and most secure solution is to obtain a trusted certificate for your web server that is running the Print Manager Plus Web Portal.

This process is done within Internet Information Services on your server on the Website named 'PMP'.  The exact choice of certificate, request and installation is beyond the scope of our product or its documentation, though there are many certificate authorities that can help you. 

Below are a few certificate authorities and their instructions:
Digicert
GoDaddy
SSL Shopper



Solution 2: Add the Self Signed Cert as a Trusted Certificate

You can add the self-signed PMPWebPortal certificate to the Trusted Root Certificates on your UAG server with the following steps.

Exporting Certificate from Primary Installation Server:

  1. Open Certificates MMC for Local Computer
    This can be done by clicking Start > Run, and then typing mmc.


    Within MMC, go to File > Add/Remove Snap-In.


    Next choose 'Certificates' and 'Computer Account' when prompted for what certificates to manage.




    Next choose 'Local Computer' when choosing the computer to manage.


  2. Locate the 'PMPWebPortal' Certificate
    Next you will expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates and locate the certificate created during Print Manager Plus installation.
    It will have a Friendly Name of 'PMWebPortal'


  3. Export the Certificate: 
    Right click the certificate, and export it with all default options.






    Select a location for your exported certificate:


Importing the Certificate on your UAG Server:

  1. Open Certificates MMC for Local Computer
    This can be done by clicking Start > Run, and then typing mmc.


    Within MMC, go to File > Add/Remove Snap-In.


    Next choose 'Certificates' and 'Computer Account' when prompted for what certificates to manage.




    Next choose 'Local Computer' when choosing the computer to manage.


  2. Import Certificate 
    Within Certificates, browse to Certificates > Trusted Root Certification Authorities > Certificates.  Right click and choose [Import]






  3. UAG should now consider it a trusted certificate.
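
The export and import steps of Solution 2 as a script, added here as an example (it is not code from the Print Manager Plus documentation). The function names, parameters and file path are hypothetical; the script adds a thumbprint comparison before the certificate goes into the Trusted Root store and assumes an elevated Windows PowerShell session on each server.

```powershell
# Added example. Function names, parameters and the file path are hypothetical.
# Uses only .NET Framework classes, so it also runs on Windows PowerShell 2.0.

# Run on the primary installation server.
function Export-PortalCert {
    param([string]$Path = 'C:\Temp\PMPWebPortal.cer')   # assumed location
    # The article spells the Friendly Name both 'PMPWebPortal' and 'PMWebPortal'.
    $found = @(Get-ChildItem Cert:\LocalMachine\Root |
               Where-Object { $_.FriendlyName -like 'PM*WebPortal' })
    if ($found.Count -ne 1) {
        throw "Expected one matching certificate, found $($found.Count)."
    }
    # ContentType 'Cert' writes the public certificate only, never the private key.
    $type  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
    $bytes = $found[0].Export($type)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $found[0].Thumbprint   # pass this to the UAG side separately from the file
}

# Run on the UAG server.
function Import-PortalCert {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $file = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    # Strip spaces and invisible characters that a copy from the MMC dialog can add.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint). Nothing imported."
    }
    # A self-signed certificate has identical subject and issuer names.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate is not self-signed (issuer: $($cert.Issuer)). Nothing imported."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }
    return $cert.Thumbprint
}

# Installation server:  $tp = Export-PortalCert
# UAG server:           Import-PortalCert -Path 'C:\Temp\PMPWebPortal.cer' -ExpectedThumbprint '<thumbprint from export>'
```

Comparing the thumbprint on the UAG server confirms that the file being trusted is the same certificate that was exported, since anything placed in Trusted Root Certification Authorities is trusted for every connection that server validates.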

 

Solution 3: Allow Untrusted within your Gateway

This will vary depending on your gateway.  Below are known settings for some gateways.

Allow Untrusted Certificates in Microsoft Forefront:
This can be done by disabling the ValidateRwsCert and ValidateRwsCertCRL settings, followed by performing an IIS reset. This is done in the registry. For the exact location, please consult the TechNet documentation at the link below.
Forefront UAG registry keys 

 

 

Solution 4: Use the HTTP Insecure version of the Web Portal

There is also a non-secure link to the Web Portal that has no SSL certificate, so it cannot have any trust issues. This is typically the same link, but hosted on port 48110 by default. You can get your link from the Start menu and configure your gateway to redirect to this link instead of the secure version.

It is not recommended to use the insecure version unless you have ensured that traffic to that URL has been fully secured using your own gateway's security.

 
