6

We are running an intranet application which uses a self-signed SSL cert.

The customer does trust our CA.

We have been doing it this way for several years.

On some PCs our CA was not imported and the user gets the warning from the browser every day.

Unfortunately the users do not tell us this, they just say "accept cert" again and again.

Is there a way to detect the trust of the page?

We are running the web application and would like to get a note if a browser accepts the cert manually. Then we can get in touch with the admin of the PC and send him a hint that a PC does not trust our CA yet.

Maybe it is possible to detect this via JavaScript?

This is good: ssl-ok

We want to get a note if it looks like this: ssl-no-ok

Update: I am not responsible for the client PC. I do not have access to them to install or manage certs.

6
  • Can't you just use window.location.protocol and see if it's https: or not? Commented Feb 8, 2019 at 15:00
  • @NikKyriakides please look at the image with the red text. There "https" gets used. The question is about the status of the https connection. Is it trusted or not? Commented Feb 8, 2019 at 15:01
  • I'm entirely wrong anyway. https: is reported even if the cert. is deemed invalid. Commented Feb 8, 2019 at 15:02
  • Simply create a sub-domain checker.yourdomain.com signed with the same certificate, create an ajax request to that sub-domain, it will fail if the user is browsing your domain with invalid certificate. I don't think JavaScript has access to SSL certificate state. Commented Feb 8, 2019 at 20:28
  • @MunimMunna yes, a new sub-domain could work. But this means a lot of configuration. The same setup gets used 20 times in 20 different locations. But I guess it should work. Thank you for this hint. Commented Feb 9, 2019 at 8:25

2 Answers 2

5
+150

This is possible; however, browser support is not very high at the moment. If you can live with not supporting anything but Chromium-based browsers and Firefox (these do make up the majority of user agents), you can use

window.isSecureContext

to find out if the browser trusts your cert. So in order to log every time someone does not trust your cert you could do:

if (!window.isSecureContext){
    //do ajax call
}

2 Comments

Thank you for this answer. BTW, I read on your StackO page "Always happy to learn new stuff.". You have not asked a question for five years. Are you still happy to learn new stuff?
Yes :), I just prefer to learn without bothering people. When I first got my account I asked a bunch of terrible questions that annoyed the stackoverflow user base so when I can find information without asking a question I prefer that. @guettli
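
An added example (not part of the answer above or its author's code) that fills in the "do ajax call" step: it reports an untrusted page at most once per day per browser and treats browsers without the property as "unknown" instead of untrusted. The endpoint `/cert-trust-report` and the storage key are hypothetical, and it rests on the answer's premise about `window.isSecureContext`, which is worth confirming on a PC known to lack the CA.

```javascript
// Hypothetical names, not from the page: reporting endpoint and storage key.
const REPORT_URL = "/cert-trust-report";          // assumed route on the same intranet app
const STORAGE_KEY = "certTrustLastReport";        // assumed localStorage key
const REPORT_INTERVAL_MS = 24 * 60 * 60 * 1000;   // at most one report per browser per day

// "trusted", "untrusted", or "unknown" when the browser does not expose
// isSecureContext at all (the answer notes browser support is limited).
function classifyContext(win) {
  if (typeof win.isSecureContext !== "boolean") return "unknown";
  return win.isSecureContext ? "trusted" : "untrusted";
}

// Payload for the server. The server can add the request's source IP to
// identify which PC needs the CA imported.
function buildReport(win, now) {
  return {
    status: classifyContext(win),
    protocol: win.location.protocol,
    host: win.location.host,
    userAgent: win.navigator.userAgent,
    reportedAt: new Date(now).toISOString(),
  };
}

// Sends a report only for "untrusted" pages, rate-limited per browser.
// Returns the report that was queued, or null if nothing was sent.
function reportIfUntrusted(win, now = Date.now()) {
  const report = buildReport(win, now);
  if (report.status !== "untrusted") return null;

  const last = Number(win.localStorage.getItem(STORAGE_KEY)) || 0;
  if (now - last < REPORT_INTERVAL_MS) return null; // already reported recently

  // sendBeacon queues the POST without blocking page load or unload.
  const queued = win.navigator.sendBeacon(REPORT_URL, JSON.stringify(report));
  if (!queued) return null;

  win.localStorage.setItem(STORAGE_KEY, String(now));
  return report;
}

// Run automatically only in a browser; under Node nothing happens here.
if (typeof window !== "undefined") reportIfUntrusted(window);
```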
0

The information is not exposed through JavaScript (reference Is there a way to get SSL certificate details using JavaScript?).

Depending on the situation, you can:

1) Use a group policy to deploy your CA to all PCs
2) Use other management software to deploy the CA
3) Use an actual trusted certificate authority (by either purchasing a certificate or using Let's Encrypt)

This is a non-exhaustive list, so if you have more information about your environment, I can possibly give other options.

5 Comments

I am not responsible for the client PC. I do not have access to them to install or manage certs.
So is the application you've developed on a routable domain? If yes, I highly suggest using Let's Encrypt for a free SSL certificate.
Unfortunately it is not on a routable domain. It is in the intranet only. I use Let's Encrypt in a different environment. Works fine.
If there's an edge machine, is it possible to run for example HAProxy / Traefik on it and proxy to internal from the WAN? This way you can use a routable domain to access the machine. You can still block outside access by the firewall.
I know that ReverseProxy from an edge machine with official ip and name to the intranet would solve this issue. But that's not available in my current situation.
