Certificate error

First, what I know about certificates is…well…nonexistent if I’m being honest. I’m hoping one of you knows enough to point us in the right direction.

The desktop version of PDS Church Office won’t connect to the PDS’s middleware for one of our parishes because the parish is getting the following error when they try to connect.

“We are unable to make a connection to the server. Please check these settings. The error reported is: The certificate authority is invalid or incorrect.”

PDS has determined the error is at the parish.

Their network guy is not a professional. He is a volunteer. I think he’s done something to tighten up security or limit access (because he is famous for that) but now doesn’t know what he’s done.

Can anyone suggest a couple of things he can try…or point us in some sort of direction.

I told them to call a network professional but in the past he has barred professionals from making any changes. (That is a topic for another post.)

I want to blame the router but don’t know if my instincts are right. They use ESET a/v but so do 50 other parishes and none of them are reporting the same error.

Help!

Sounds a lot like a misconfigured SSL Inspection solution. Are users not getting any warnings in their browsers?

Unfortunately, without any idea of what this person might be doing it’s hard to know exactly which one of the many possible misconfigurations they have made.

Is he strictly a network guy or does he make OS changes as well? What OS does the desktop version run on?

One reason for this error is you don’t trust the CA that is signing the cert for the middleware. In Windows, you have to check the trusted and intermediate cert stores.

You should be able to determine this by visiting the URL of the middleware in a browser if you know that information.

Sorry K, certificates are necessarily complicated… There is a chain of certificates comprised of one or more CA certificates (CA is an abbreviation for Certificate Authority) and finally a terminal digital certificate. The CAs issue other digital certificates, which could be other CA certificates or terminal certificates. Each chain of certificates is a chain of trust. What your computer is telling you is that it cannot verify one of the CA certificates, and hence it cannot be trusted. In your case, I am assuming the terminal digital certificate is on the middleware server you were trying to connect to. So, the office PC that is trying to use the certificate to form an encrypted connection to keep your information safe either has an incorrect CA in the chain, or possibly there is another problem with an existing CA certificate. I am sure that a commercial company would probably use what are known as public CAs to issue the certificate on their web servers, which are usually included in the operating system's default store of CAs.

So the previous two fellows have listed some good things to check; either the router is doing something called “man in the middle” and replacing the real terminal certificate with one that the router generates, so it can break the encryption and do what’s called deep packet inspection. It then acts as the client itself to re-encrypt the packet back to the middleware. If it is generating a terminal certificate like that, your PCs in the office would have to trust the router as a CA for it to work. The other possibility is that he “cleaned up” the CAs in the affected office PC, and now you are missing a necessary CA in the chain. In Windows, this is found in what’s known as the Certificate Store, which is subdivided into various parts that look like folders in the graphical interface. In macOS, it would be found in Keychain Access.

Hopefully this gives you something to go on, and resolve your problem.
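A way to turn the advice in the last two replies (look at who issued the middleware's certificate, and whether the PC trusts that issuer) into a repeatable check on the affected PC, added here as an example that is not part of the thread and not PDS's code. It captures what the host presents with `openssl s_client -showcerts`, then classifies the chain and OpenSSL's verify result into the two cases the replies describe: a self-signed root nobody has heard of (an inspecting router or proxy substituting its own certificate) versus a public chain whose root is missing from the local store. The host name, CA names and both transcripts are constructed; pass the issuer CN you see from a browser on an unaffected network to get the explicit man-in-the-middle comparison.

```python
"""Classify an `openssl s_client` transcript into the trust failures discussed above.
Example code, not the thread's or PDS's; host name and transcripts are constructed."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# OpenSSL verify return codes that mean "the chain does not end at a CA this
# machine trusts" (as opposed to expiry, hostname mismatch, etc.).
MISSING_ANCHOR_CODES = {18, 19, 20, 21}


@dataclass
class ChainReport:
    subjects: List[str] = field(default_factory=list)   # index 0 = server (leaf) certificate
    issuers: List[str] = field(default_factory=list)
    verify_code: Optional[int] = None
    verify_text: str = ""


def capture(host: str, port: int = 443) -> str:
    """Run openssl s_client against the middleware host (needs network and openssl on PATH)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return out.stdout.decode(errors="replace")


def parse(transcript: str) -> ChainReport:
    """Pull the 's:'/'i:' chain lines and the final verify code out of the transcript."""
    rep = ChainReport()
    for m in re.finditer(r"^\s*\d+ s:(.*)$\n\s*i:(.*)$", transcript, re.M):
        rep.subjects.append(m.group(1).strip())
        rep.issuers.append(m.group(2).strip())
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", transcript)
    if m:
        rep.verify_code, rep.verify_text = int(m.group(1)), m.group(2)
    return rep


def cn(dn: str) -> str:
    """Common name from either 'C = US, CN = x' or '/C=US/CN=x' style distinguished names."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn


def diagnose(rep: ChainReport, expected_leaf_issuer_cn: Optional[str] = None) -> str:
    """Return 'TAG: explanation'. expected_leaf_issuer_cn is the issuer seen from a
    machine outside the parish network, e.g. read off the browser's lock icon."""
    if rep.verify_code is None or not rep.subjects:
        return "NO_HANDSHAKE: no certificate chain was seen; check host, port and blocking"
    leaf_issuer = cn(rep.issuers[0])
    top_subject, top_issuer = cn(rep.subjects[-1]), cn(rep.issuers[-1])
    if expected_leaf_issuer_cn and leaf_issuer != expected_leaf_issuer_cn:
        return (f"INTERCEPTED: leaf is issued by '{leaf_issuer}' but '{expected_leaf_issuer_cn}' "
                "is expected; something on the path is replacing the certificate (TLS inspection)")
    if rep.verify_code == 0:
        return "TRUSTED: this machine's OpenSSL store verifies the chain; check the application's own store"
    if rep.verify_code in MISSING_ANCHOR_CODES:
        if top_subject == top_issuer:
            return (f"UNTRUSTED_ROOT: chain ends in self-signed '{top_subject}' (code {rep.verify_code}); "
                    "public CAs rarely send their root, so this looks like an inspection device's CA")
        return (f"MISSING_CA: '{top_issuer}' is not in the trust store (code {rep.verify_code}); "
                "restore or import that CA certificate")
    return f"OTHER: verify code {rep.verify_code} ({rep.verify_text})"


# Constructed transcript: an inspecting router issuing the middleware's certificate.
SAMPLE_INSPECTED = """CONNECTED(00000003)
depth=1 CN = ParishRouter Inspection CA
verify error:num=19:self-signed certificate in certificate chain
---
Certificate chain
 0 s:CN = middleware.pds-example.invalid
   i:CN = ParishRouter Inspection CA
 1 s:CN = ParishRouter Inspection CA
   i:CN = ParishRouter Inspection CA
---
    Verify return code: 19 (self-signed certificate in certificate chain)
"""

# Constructed transcript: a public chain whose root was removed from the local store.
SAMPLE_MISSING_CA = """CONNECTED(00000003)
depth=1 C = US, O = Example Public CA Inc, CN = Example Public RSA CA 2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = middleware.pds-example.invalid
   i:C = US, O = Example Public CA Inc, CN = Example Public RSA CA 2
 1 s:C = US, O = Example Public CA Inc, CN = Example Public RSA CA 2
   i:C = US, O = Example Public CA Inc, CN = Example Public Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INSPECTED, SAMPLE_MISSING_CA):
        print(diagnose(parse(sample)))
    # Live use on the affected PC (hypothetical host):
    # print(diagnose(parse(capture("middleware.pds-example.invalid")), "Example Public RSA CA 2"))
```

The verdict is only about OpenSSL's store; a Windows application uses the Windows Certificate Store, so a MISSING_CA result here points at which CA to look for in the Trusted Root and Intermediate folders rather than proving it is absent there.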