Messages "Certificate verification problem detected" and "Cannot guarantee authenticity of the domain to which encrypted connection is established" when trying to open a website
Show applications and versions that this article concerns
- Kaspersky Standard, Plus, Premium
- Kaspersky Anti-Virus
- Kaspersky Internet Security
- Kaspersky Total Security
- Kaspersky Security Cloud
- Kaspersky Small Office Security
Issue
When opening a website, a warning message appears stating that "Certificate verification problem detected" or "Authenticity of the domain to which encrypted connection is established cannot be guaranteed".
Cause
- The website may not be safe.
There is a possibility that intruders may steal your account data and other personal information. We do not recommend visiting such websites. - Default encrypted connections scan settings have been changed.
In this case, the warning may appear in the applications installed on your computer. To fix the issue, restore the default Scan encrypted connections upon request from protection components option using these instructions.
For other possible causes and solutions, see below.
Solution
If you are sure that the website is safe (for example, it's the official Microsoft website or an official page of your bank) and you visit it regularly, add this website to the exclusions using the instructions:
- Kaspersky Standard, Plus, Premium
- Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud, Kaspersky Small Office Security
The message will no longer be displayed, the site will open.
If the warning appears on a website you don't use often:
- Check the website link with the Kaspersky Threat Intelligence Portal.
- If the link was identified as safe, allow opening the website once:
- To do so, click Show details → I wish to continue in the browser window.
- Click Continue in the pop-up window.
Possible causes
- The certificate has been revoked. The website owner can request revocation if the site was hacked.
- The certificate was issued illegally. The certificate must be issued by a certification authority after the check.
- Windows root certificates are not updated. For example, the DST Root CA X3 certificate, on which website certificates in a browser are based, expired on September 30, 2021. In this case:
- To see on which Windows root certificate the website certificate is based, click View certificate in the warning message.
- Go to the Certification Path tab.
- Update root certificates for Windows 7, 8, 8.1, 10, 11 using these instructions.
- The certificate chain is broken. The certificates are checked in a chain from the self-signed certificate to the trusted root certificate issued by the certification authority. The certificates in between are used for verification of other certificates in a chain.
Possible causes of the broken certificates chain:- The chain consists of one self-signed certificate. Such certificates are not verified by the certification authority and cannot be trustworthy.
- The chain does not end with a trusted root certificate.
- The chain contains certificates which are not meant to sign other certificates.
- The root or intermediate certificate has expired or its time has not come yet. The certification authority issues a certificate for a limited period of time.
- The chain cannot be built.
- The domain specified in the certificate does not match the website to which the connection is established.
- The certificate is not meant to confirm the node authenticity. For example, the certificate is intended only for encrypting the connection between the user and the website.
- Usage policy violation.
The policy of the certificate is a set of rules which defines the use of the certificate with the specific security requirements. Each certificate must correspond to at least one policy. If there are several policies, the certificate must correspond to all of them. - Certificate structure is broken.
- An error has occurred when checking the certificate signature.
How to add a website to exclusions in Kaspersky Standard, Plus, Premium
- In the main window of your Kaspersky application, click and go to Security settings.
To learn how to open the main application window, see the instructions.
- Go to the Advanced settings and click Network settings.
- Click Trusted addresses → Add.
- Specify the website address that was displayed in the certificate warning message. Set the status to Active and click Add.
- Click Save.
- Click Save → Confirm.
How to add a website to exclusions in Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud, Kaspersky Small Office Security
- In the main window of your Kaspersky application, click .
- In the settings window, go to the Network settings section and select Trusted addresses (Manage exclusions in version 21.2 and earlier).
- Click Add.
- Specify the website address that was displayed in the certificate warning message. Select the Active status and click Add.
- Click Save.
- Click Save → Yes.
How to update root certificates on Windows 7, 8, 8.1, 10, 11
- Download the CA.zip archive.
- Extract the files from it to the C:\CA folder. If there is no such folder, create it.
Make sure that the files from the archive are located in this folder. - Open the command line as administrator using the instructions.
- Run the command:
After running the command, a new line will appear. This means that the update was successful.
- Restart your PC.
We also recommend to install all the available updates for Windows and the browser you are using.
What to do if the issue persists
If the issue persists, contact Kaspersky Customer Service.
You can look up your problem on our Forum or create a new topic with a detailed description of the issue.