What Happens When Root CA is Not Installed?
When the Root CA certificate is not installed as trusted, or is installed incorrectly (for example, in the wrong certificate store), the following messages will be shown in the browsers.
Microsoft Edge or Google Chrome
In this case the browser will show the following error.
Your connection isn't private
Attackers might be trying to steal your information from www.google.com (for
example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
www.google.com uses encryption to protect your information. When Microsoft Edge
tried to connect to www.google.com this time, the website sent back unusual and
incorrect credentials. This may happen when an attacker is trying to pretend to
be www.google.com, or a Wi-Fi sign-in screen has interrupted the connection.
Your information is still secure because Microsoft Edge stopped the connection
before any data was exchanged.
You can't visit www.google.com right now because the website uses HSTS. Network
errors and attacks are usually temporary, so this page will probably work later.
If you click on the lock in the address bar and select Certificate, the certificate will clearly be indicated as invalid.
The certificate properties window will indicate the certificate as invalid with the reason "The issuer of this certificate could not be found."
Mozilla Firefox
In this case the browser will show the following error.
Software is Preventing Firefox From Safely Connecting to This Site
www.google.com is most likely a safe site, but a secure connection could not
be established. This issue is caused by proxy.example.lan, which is
either software on your computer or your network.
What can you do about it?
www.google.com has a security policy called HTTP Strict Transport
Security (HSTS), which means that Firefox can only connect to it securely.
You can’t add an exception to visit this site.
If your antivirus software includes a feature that scans encrypted
connections (often called “web scanning” or “https scanning”), you can
disable that feature. If that doesn’t work, you can remove and reinstall
the antivirus software.
If you are on a corporate network, you can contact your IT department.
If you are not familiar with proxy.example.lan, then this could
be an attack, and there is nothing you can do to access the site.
After clicking the Advanced button you will see the MOZILLA_PKIX_ERROR_MITM_DETECTED error code. View Certificate will show the Web Filtering Proxy as the certificate issuer.
To correct these errors, ensure the Root CA certificate is installed correctly as described in the previous article.
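The "issuer could not be found" condition behind both browser errors can be reproduced outside the browser with the openssl command line. This is an added example, not part of the original article: it builds a throwaway CA and site certificate (all names and file paths are constructed) and verifies the site certificate once with no trust anchor and once with the CA trusted.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and leaf certificate are generated in a
# temp directory. All names (CN values, file names) are hypothetical.

make_demo_pki() {   # $1 = working directory
    # Stand-in for the proxy's Root CA: a self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Web Filtering Proxy Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Stand-in for the per-site certificate the proxy signs with that CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CAcreateserial \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -out "$1/leaf.pem" 2>/dev/null
}

# Client WITHOUT the Root CA installed: no trust anchors are loaded.
# Returns 0 when verification fails because the issuer cannot be found.
fails_without_root() {
    out=$(openssl verify -no-CAfile -no-CApath "$1/leaf.pem" 2>&1) && return 1
    printf '%s\n' "$out" | grep -q "unable to get local issuer certificate"
}

# Client WITH the Root CA installed as a trust anchor.
# Returns 0 when the same leaf certificate now verifies.
passes_with_root() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Run both checks against a fresh demo PKI and report the outcome.
demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir"; then
    fails_without_root "$demo_dir" && echo "root CA not trusted: issuer not found"
    passes_with_root "$demo_dir" && echo "root CA trusted: certificate verifies"
fi
rm -rf "$demo_dir"
```

The certificate is identical in both runs; only the set of trusted roots on the client changes the result.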