How to Recognize a Good Certificate (or a Bad Certificate)
Certificates come from multiple vendors, and they will look different depending on the browser and operating system you are using. However, here are a few tips for recognizing a good certificate versus a bad certificate.
Note: an unsigned certificate is not necessarily a bad thing. Often before a service goes into full production it will have an unsigned certificate.
Certificates are generally purchased by sites that will require you to log in. Whenever you are presented with a certificate, it is "proof" that the site you are connecting to is a trusted site. Unfortunately, too many users just click the Continue button when presented with a certificate, without stopping to think about what they are accepting. The image below shows a bad certificate.
- Note that even though the certificate indicates that it comes from Apple Inc., the message indicates that the digital signature could not be verified (and in this case did not come from Apple).
- Self-signed indicates that it was produced by the person who put the site up; no 3rd party (Signing Authority) has verified the site to be valid and safe.
- Note the drop down menus for Trust and Details. You should examine these to get more information about the certificate.
- If you receive a certificate like this, do not click the Continue button. Contact the IT Support Centre at 613 533-6666 and ask for assistance. They will help you determine if the certificate/site is safe.
A Good Certificate
A good certificate will display if the Certification Authority is not known. Most valid certificates are automatically accepted and are only shown if you request it.
- In the body of the certificate it will show Issued by: and the name of the company that issued the certificate, the class, and the expiry date.
- In the address bar you may see the name of the company that purchased the certificate. This is an additional cost and not all certificates have this extra information.
- Details - it is always a good idea to check the details for the certificate.
- Only when you are sure the certificate is trustworthy, click the OK button to accept the certificate.
Another Good Certificate - this one from Firefox
Sometimes a self-signed or expired certificate is OK. The example below shows an unsigned certificate for ipam.queensu.ca. This is the ID manager at Queen's, used only by ITServices, so external certificate verification is not essential.
This is the same self-signed certificate displayed in Safari
- Safari states that it cannot verify the identity of the site
- Click the Show Certificate button to see more details
- If you are not sure that the site is safe, click Cancel.
- Contact the IT Support Centre for help in determining if the site is safe to continue to.
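The checks described on this page (who issued the certificate, whether it is self-signed, and whether it has expired) can also be scripted. The following is an added example, not part of the original page: it reviews a certificate dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(). The function name review_certificate and the two sample certificates are constructed for illustration.

```python
import ssl
import time


def _flatten(rdns):
    """Turn getpeercert()'s nested subject/issuer tuples into a flat dict."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def review_certificate(cert, now=None):
    """Report issuer, expiry and warning findings for a decoded certificate.

    These fields are only what the certificate claims about itself. The
    digital signature is verified by the TLS library, not here, so a
    familiar company name alone proves nothing.
    """
    now = time.time() if now is None else now
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    findings = []
    if not issuer:
        findings.append("no issuer")
    elif subject == issuer:
        # Heuristic: identical subject and issuer means no third party
        # (signing authority) vouched for the site.
        findings.append("self-signed")
    not_after = cert.get("notAfter")
    if not_after is None or ssl.cert_time_to_seconds(not_after) < now:
        findings.append("expired")
    return {
        "issued_to": subject.get("commonName"),
        "issued_by": issuer.get("commonName") or issuer.get("organizationName"),
        "expires": not_after,
        "findings": findings,
    }


# Constructed sample data (hypothetical hosts and CA), fixed review date.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
GOOD = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SELF_SIGNED = {
    "subject": ((("commonName", "ipam.example.test"),),),
    "issuer": ((("commonName", "ipam.example.test"),),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}
```

An empty findings list means none of these three warning signs were present; it does not replace the browser's own signature verification.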