I encountered this error on Google Chrome on my Windows 10. I solved it by installing the certificate and now it is working fine.

I wonder, how do I know the certificate I have is legit? That is, that it actually comes from Google and not from a man in the middle?

Glorfindel
lch

2 Answers

Based on your description and the link you've provided you've likely installed a CA certificate for SSL interception.

... how do I know the certificate I have is legit? That is, actually comes from Google and not from a man in the middle?

It does not come from Google. It comes from a man in the middle. It might be a legit man in the middle or not. It is usually not legit if you are using some public WLAN. It is usually legit if you are in a company which does SSL interception. But in this case ask your network administrator if you've got the correct certificate.

In any case: don't just install some certificate you've got from somewhere. In the case of legal SSL interception these certificates usually get installed automatically on company equipment, but you might need to install it on your own equipment (if you are even allowed to use this inside the company network). But in general you should only install such a certificate after someone you trust has explicitly told you that this is legal SSL interception, and not just because you've got some annoying certificate warning and want to somehow continue with what you were doing.

For more details see Is it common practice for companies to MITM HTTPS traffic? and Is visiting HTTPS websites on a public hotspot secure?.

Steffen Ullrich

It sounds like you installed a CA certificate on your Windows 10 device for Chrome to access a website. It also sounds like you used this cert to access a Google property, and now you're wondering if the certificate was indeed issued by Google.

Unless you've severely messed up your Windows/Chrome installation, you shouldn't need to install any additional certificates on Chrome to access Google properties. Hence, I'd be very very suspicious. (very!)

Fortunately, thanks to certificate transparency there's an easy way to see if the certificate is valid. Go to crt.sh and enter the SHA-256 or SHA-1 fingerprint of your cert. If the cert is valid:

  1. It'll be in the logs; and
  2. You can check the OCSP status to see if it's revoked

Then you might want to check the cert of the actual site you're visiting in the browser using the same methodology. The 'leaf' certificate issued to Google has to be in the logs; if it isn't -- run!

It's unlikely that a rogue certificate issued to Google that was in the logs wouldn't have been revoked by now.

Just to be extra safe, you can check against other certificate logs as well (Facebook have a wonderful API), and Censys provide one as well.

keithRozario
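The answer above lists what to look at before trusting a certificate you were asked to install: its fingerprint for a crt.sh lookup, whether the site's leaf certificate shows up in the CT logs, and (from the first answer) whether what you installed is a CA certificate at all. The script below is an added example, not code from either answer, that does the local half of those checks with openssl in a POSIX shell. It prints the SHA-256 fingerprint in the 64-hex-digit form crt.sh's search box takes, reports whether the certificate is a CA certificate (basicConstraints CA:TRUE, which is what an interception proxy needs you to install, since it can then mint a certificate for any site), and reports whether the certificate carries embedded Signed Certificate Timestamps, which certificates from publicly trusted CAs normally include and a certificate minted by a private interception CA normally does not. It generates a throwaway CA and leaf with openssl as constructed input so that it runs offline; the certificate names, the `https://crt.sh/?q=<fingerprint>` URL shape and the presence of openssl 1.0.2 or newer on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers: inspect a PEM certificate you
# were asked to install, using only openssl. Assumes openssl is on PATH.
set -eu

# SHA-256 fingerprint as 64 lowercase hex characters, the form crt.sh accepts.
# openssl prints "SHA256 Fingerprint=AB:CD:..." (1.1.1) or "sha256 ..." (3.x).
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# "yes" if the certificate is a CA certificate (basicConstraints CA:TRUE).
# Whoever gets you to install one of these can sign a certificate for any
# site, which is exactly what SSL interception relies on.
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# "yes" if the certificate carries embedded SCTs (the "CT Precertificate SCTs"
# extension). Public CAs embed them; a private interception CA normally cannot,
# because public CT logs only accept chains to roots they recognise.
has_scts() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CT Precertificate SCTs'; then
        echo yes
    else
        echo no
    fi
}

# crt.sh lookup URL for the fingerprint (assumed URL shape: q=<fingerprint>).
crtsh_url() {
    printf 'https://crt.sh/?q=%s\n' "$(cert_sha256_fingerprint "$1")"
}

# One-screen summary: who it claims to be, who signed it, and the checks above.
inspect_cert() {
    echo "== $1"
    openssl x509 -in "$1" -noout -subject -issuer
    echo "sha256 fingerprint: $(cert_sha256_fingerprint "$1")"
    echo "CA certificate:     $(is_ca_cert "$1")"
    echo "embedded SCTs:      $(has_scts "$1")"
    echo "CT lookup:          $(crtsh_url "$1")"
}

# --- Constructed sample input (not real certificates): a throwaway self-signed
# --- "proxy root" and a self-signed leaf, generated locally so this runs offline.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:www.example.com
EOF
openssl ecparam -genkey -name prime256v1 -noout -out "$DEMO_DIR/key.pem"
DEMO_CA="$DEMO_DIR/ca.pem"
DEMO_LEAF="$DEMO_DIR/leaf.pem"
openssl req -x509 -new -key "$DEMO_DIR/key.pem" -config "$DEMO_DIR/req.cnf" \
    -extensions ca_ext -days 1 -subj "/CN=Example Corp Proxy Root" -out "$DEMO_CA"
openssl req -x509 -new -key "$DEMO_DIR/key.pem" -config "$DEMO_DIR/req.cnf" \
    -extensions leaf_ext -days 1 -subj "/CN=www.example.com" -out "$DEMO_LEAF"

inspect_cert "$DEMO_CA"
inspect_cert "$DEMO_LEAF"
```

To run this against the certificate you actually installed, export it from the Windows certificate store as "Base-64 encoded X.509" and pass that file to `inspect_cert` instead of the generated ones. A "CA certificate: yes" result for something a network or web page asked you to install is the warning sign from the first answer; the OCSP and crt.sh steps from the second answer still need network access and are left to the browser or the printed URL.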