Whenever a connection is being established, Kerio VPN Client verifies the VPN server's SSL certificate (web browsers perform the same verification when using the HTTPS protocol). If any certificate-related problem is detected, a warning appears asking whether the user considers the VPN server trustworthy and whether the connection to the server should be allowed.
Click to get detailed information about the VPN server's certificate (issuer, server for which it was issued, expiration date, etc.). Based on this information, the user can decide whether to treat the server as trustworthy and allow the connection, or to forbid it.
If is clicked, Kerio VPN Client treats the VPN server as trustworthy. The certificate is saved and no warning is displayed on subsequent connections to the server.
Certificate-related problems are often caused by one of the following issues:
Kerio VPN Client verifies whether a certificate was issued by an authority included in the list of trustworthy certificate publishers stored in the operating system (the Certificates section of the Content tab under Control Panel / Internet Options). Once a certificate is imported, any certificates issued by the same authority will be accepted automatically (unless a problem is detected).
The name of the server specified in the certificate does not match the server name that Kerio VPN Client is connecting to. This problem might occur when the server uses an invalid certificate or when the server name has changed. However, it may also indicate an intrusion attempt (a false DNS record with an invalid IP address is used).
Note: Certificates can be issued only for servers' DNS names, not for IP addresses.
For security reasons, the validity of SSL certificates is limited in time. If an invalid date is reported, it means that the certificate's validity has already expired and it is necessary to update it. Contact the VPN server's administrator.
When a user accepts a connection to a VPN server, Kerio VPN Client saves the certificate of the server as trustworthy. On any later connection, Kerio VPN Client compares the server's certificate with the saved one. If the certificates do not match, the cause might be that the certificate has been changed at the server (e.g. because the original certificate expired). However, this might also indicate an intrusion attempt (another server using a different certificate).
If anything is unclear or the identity of the VPN server is in doubt, contact the firewall administrator immediately.
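The saved-certificate comparison described above, as an added Python example (not Kerio VPN Client's own code): a certificate is saved only after explicit acceptance, and a later mismatch is reported instead of being silently overwritten. The `PinStore` class, the JSON file, the SHA-256 fingerprint and the name `vpn.example.com` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Hypothetical saved-certificate store: server name -> fingerprint."""
    def __init__(self, path: str):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def evaluate(self, server: str, der_cert: bytes) -> str:
        """Return 'unknown', 'match' or 'changed'; never modifies the store."""
        saved = self.pins.get(server.lower())
        if saved is None:
            return "unknown"   # first connection: show the warning, ask the user
        if hmac.compare_digest(saved, fingerprint(der_cert)):
            return "match"     # same certificate as the one accepted earlier
        return "changed"       # renewal or a different server: warn, do not connect

    def accept(self, server: str, der_cert: bytes) -> None:
        """Save the certificate after the user explicitly trusted it."""
        self.pins[server.lower()] = fingerprint(der_cert)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)  # atomic replace: no half-written store

def demo() -> list:
    # Constructed stand-ins for DER certificates (not real certificate data).
    original, other = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(os.path.join(d, "pins.json"))
        results = [store.evaluate("vpn.example.com", original)]
        store.accept("vpn.example.com", original)
        reloaded = PinStore(store.path)  # simulates a later client start
        results.append(reloaded.evaluate("VPN.example.com", original))
        results.append(reloaded.evaluate("vpn.example.com", other))
        return results

if __name__ == "__main__":
    print(demo())
```

With a live connection, the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.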