Skip to content

What Happens When Root CA is Not Installed?

When you do not properly install the Root CA certificate as trusted, or install it incorrectly (for example in the wrong certificate store) the following messages will be shown in the browsers.

Microsoft Edge or Google Chrome

In this case the browser will show the following error.

Your connection isn't private

Attackers might be trying to steal your information from www.google.com (for 
example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

www.google.com uses encryption to protect your information. When Microsoft Edge 
tried to connect to www.google.com this time, the website sent back unusual and 
incorrect credentials. This may happen when an attacker is trying to pretend to 
be www.google.com, or a Wi-Fi sign-in screen has interrupted the connection.

Your information is still secure because Microsoft Edge stopped the connection 
before any data was exchanged.

You can't visit www.google.com right now because the website uses HSTS. Network 
errors and attacks are usually temporary, so this page will probably work later.

If you click on the lock in the address bar of the proxy and select Certificate it will clearly be indicated as invalid.

Your Connection is Not Private

The certificate properties window will indicate the certificate as invalid with the reason The issuer of this certificate could not be found.

Certificate Invalid

Certificate No Issuer

Mozilla Firefox

In this case the browser will show the following error.

Software is Preventing Firefox From Safely Connecting to This Site

www.google.com is most likely a safe site, but a secure connection could not
be established. This issue is caused by proxy.example.lan, which is 
either software on your computer or your network.

What can you do about it?

www.google.com has a security policy called HTTP Strict Transport 
Security (HSTS), which means that Firefox can only connect to it securely. 
You cant add an exception to visit this site.

If your antivirus software includes a feature that scans encrypted 
connections (often called web scanning or https scanning), you can 
disable that feature. If that doesnt work, you can remove and reinstall 
the antivirus software.
If you are on a corporate network, you can contact your IT department.
If you are not familiar with proxy.example.lan, then this could
be an attack, and there is nothing you can do to access the site.

Clicking on Advanced button you will see the MOZILLA_PKIX_ERROR_MITM_DETECTED error code. The View Certificate will show the Web Filtering Proxy as certificate issuer.

In order to correct these errors ensure the Root CA certificate is installed correctly as described in the previous article.