Messages "Certificate verification problem detected" and "Cannot guarantee authenticity of the domain to which encrypted connection is established" when trying to open a website
This article concerns:
- Kaspersky Basic, Standard, Plus, Premium
- Kaspersky Anti-Virus
- Kaspersky Internet Security
- Kaspersky Total Security
- Kaspersky Security Cloud
- Kaspersky Small Office Security
Issue
When opening a website, a warning message appears stating that "Certificate verification problem detected" or that "Authenticity of the domain to which encrypted connection is established cannot be guaranteed".
Cause
The website may not be safe. There is a possibility that intruders may steal your account data and other personal information. We do not recommend visiting such websites.
For detailed information about what can cause the message to appear, see the section below.
If the warning appears not for websites but for applications installed on your computer, this means default encrypted connections scan settings have been changed. To fix the issue, restore the settings to default.
Solution
If you are sure that the website is safe (for example, if it's the official Microsoft website or an official page of your bank) and you visit it regularly, add this website to the exclusions. See the instructions for the following applications:
- Kaspersky Basic, Standard, Plus, Premium
- Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud, Kaspersky Small Office Security
If the notification appears on a website you don't use often, you can allow opening it once. To do so:
- Click Show details → I wish to continue in the browser window.
- Click Continue in the pop-up window.
If you are not sure if the website is safe, you can check it with OpenTip before proceeding.
Why does the warning message appear
- The certificate has been revoked. For example, the website owner can request revocation if the site was hacked.
- The certificate was issued illegally. The certificate must be issued by a certification authority after a proper check.
- Windows root certificates are not updated. For example, the DST Root CA X3 certificate, on which website certificates in a browser are based, expired on September 30, 2021. To see on which Windows root certificate the website certificate is based, click View certificate in the warning message ang go to the Certification Path tab. For instructions on updating root certificates on Windows 7, 8, 8.1, 10, see below.
- The certificate chain is broken. The certificates are checked in a chain from the self-signed certificate to the trusted root certificate issued by the certification authority. The certificates in between are used for verification of other certificates in the chain.
Possible causes of the broken certificates chain:- The chain consists of one self-signed certificate. Such certificates are not verified by the certification authority and cannot be trustworthy.
- The chain does not end with a trusted root certificate.
- The chain contains certificates which are not meant to sign other certificates.
- The root or intermediate certificate has expired or its operation period has not begun yet. The certification authority issues a certificate for a limited period of time.
- The chain cannot be built.
- The domain specified in the certificate does not match the website to which the connection is established.
- The certificate is not meant to confirm the node authenticity. For example, the certificate is intended only for encrypting the connection between the user and the website.
- Certificate usage policy has been violated. The policy of the certificate is a set of rules which defines the use of the certificate with the specific security requirements. Each certificate must correspond to at least one policy. If there are several policies, the certificate must correspond to all of them.
- Certificate structure is broken.
- An error occurred when checking the certificate signature.
How to remove the certificate warning messages by adding the website to the exclusions list in Kaspersky Basic, Standard, Plus, Premium
- In the main window of your Kaspersky application, click
.
- Go to Security settings and click Network settings.
- Click Trusted addresses → Add.
- Specify the website address that was displayed in the certificate warning message. Select the Active status and click Add.
- Click Save.
- Click Save → Confirm.
The website will be added to trusted and excluded from scanning.
How to remove the certificate warning messages by adding the website to the exclusions list in Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Security Cloud, Kaspersky Small Office Security
- In the main window of your Kaspersky application, click
.
- In the settings window, go to the Network settings section and select Manage exclusions.
- Click Add.
- Specify the website address that was displayed in the certificate warning message. Select the Active status and click Add.
- Click Save.
- Click Save → Yes.
The website will be excluded from the encrypted connections scan scope.
How to update root certificates on Windows 7, 8, 8.1, 10, 11
- Download the CA.zip archive.
- Extract the files from it to the C:\CA folder. If there is no such folder, create it.
- Open the command line as an administrator. See this article for instructions.
- Run the following command:
After running the command, a new line will appear. This means that the update was successful.
- Restart your computer.
Root certificates will be updated. We also recommend to install all the available updates for Windows and the browser you are using.
What to do if the message keeps reappearing
If you have already added the website to the list of scan scope exclusions but the certificate warning message keeps reappearing, restart your Kaspersky application or your computer.
If restarting the application doesn't help, contact Kaspersky customer service by choosing the topic of your request.
Customer service for Kaspersky Free is not provided. You can ask a question about your issue on our Forum or look it up in the existing topics.
If you want full support, buy and install a supported Kaspersky application for home.