How to remove certificate warning in a browser [KES for Windows]

[Igor Akhmetov]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is about Kaspersky Endpoint Security for Windows (KES for Windows)

You may come across an occasion when instead of an internal webpage you will have a warning message in a browser if you have Scan encrypted connections option enabled.

You should not blindly add certificates to a Trusted Root Certification Authorities storage just to remove a legitimate warning. Doing so may impact a protection level of your working environment.

Step-by-step guide

Prerequisites:

1. Enable Scan encrypted connections in KES policy.
2. Use self-generated certificate in a web server configuration.
3. Open an internal webpage in a browser.

Solutions:

• Add your self-signed certificate to a system certificate storage in Trusted Root Certification Authorities section. It will make not only KES but all web browsers to trust this website. Except for Firefox, it uses internal certificate storage to determine trust relationships.

To make Firefox use Trusted Root Certification Authorities storage do the following:

1. Open Firefox Mozilla 
2. Go to page about:config
3. Find the setting security.enterprise_roots.enabled 
4. Change its value to True

•  Add FQDN of a web site into Trusted domains section of an Encrypted Connection Scan settings in KES policy.
•  If client is working without proxy server you may configure Trusted Applications in KES policy.  Add a web browser into Trusted Applications list,  enable option Do not scan network traffic, than you will add IP address of a web server for which you don't want to have an alert. 

Explanation

This message is generated by KES as a response to a mismatch between FQDN and certificate attributes obtained during a scan of encrypted connection.