
We are running an intranet application which uses a self-signed SSL cert.

The customer does trust our CA.

We have been using it this way for several years.

On some PCs our CA was not imported and the user gets the warning from the browser every day.

Unfortunately the users do not tell us this, they just say "accept cert" again and again.

Is there a way to detect the trust of the page?

We are running the web application and would like to get a notification if a browser accepts the cert manually. Then we can get in touch with the admin of the PC and send him a hint that a PC does not trust our CA yet.

Maybe it is possible to detect this with JavaScript?

This is good: [screenshot: ssl-ok]

We want to get a note if it looks like this: [screenshot: ssl-no-ok]

Update: I am not responsible for the client PC. I do not have access to them to install or manage certs.

guettli
  • Can't you just use `window.location.protocol` and see if it's `https:` or not? – nicholaswmin Feb 08 '19 at 15:00
  • @NikKyriakides please look at the image with the red text. There "https" gets used. The question is about the status of the https connection. Is it trusted or not? – guettli Feb 08 '19 at 15:01
  • I'm entirely wrong anyway. `https:` is reported even if the cert. is deemed invalid. – nicholaswmin Feb 08 '19 at 15:02
  • Simply create a sub-domain `checker.yourdomain.com` signed with the same certificate, create an ajax request to that sub-domain, it will fail if the user is browsing your domain with invalid certificate. I don't think JavaScript has access to SSL certificate state. – Munim Munna Feb 08 '19 at 20:28
  • @MunimMunna yes, a new sub-domain could work. But this means a lot of configuration. The same setup gets used 20 times in 20 different locations. But I guess it should work. Thank you for this hint. – guettli Feb 09 '19 at 08:25
  • If you use the same certificate for all locations you need only one subdomain, when the certificate is accepted, it will approve all domains. – Munim Munna Feb 09 '19 at 10:21

2 Answers

This is possible; however, browser support is not very high at the moment. If you can live with not supporting anything but Chromium-based browsers and Firefox (these do make up the majority of user agents), you can use

`window.isSecureContext`

to find out whether the browser trusts your cert. So in order to log every time someone does not trust your cert you could do:

```javascript
// isSecureContext is false when the browser does not consider the context secure
if (!window.isSecureContext) {
    // do ajax call to your own server to log the untrusted client
}
```
DysphoricUnicorn
  • Thank you for this answer. BTW, I read on your StackO page "Always happy to learn new stuff.". You have not asked a question in five years. Are you still happy to learn new stuff? – guettli Feb 15 '19 at 11:41
  • Yes :), I just prefer to learn without bothering people. When I first got my account I asked a bunch of terrible questions that annoyed the Stack Overflow user base, so when I can find information without asking a question I prefer that. @guettli – DysphoricUnicorn Feb 15 '19 at 11:56
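An added example, not code from either answer, that combines the `window.isSecureContext` check above with Munim Munna's same-certificate probe sub-domain idea from the question comments. The probe host and the reporting endpoint are assumed names, and the fetch implementation is injected so the logic can be exercised outside a browser; in the page itself you pass the real `fetch`.

```javascript
// Added example (not from the question or answers): combine the two signals
// discussed on this page, window.isSecureContext and a probe request to a
// sub-domain served with the same certificate, into one client-side check
// that reports an apparently untrusted certificate to the application itself.
// Assumed names: the probe host and the reporting endpoint below.
const PROBE_URL = "https://checker.example.intranet/ping"; // assumption: same cert as the app
const REPORT_URL = "/api/cert-trust-report";                // assumption: app endpoint that logs reports

// Combine both signals into one verdict.
// secureContext: window.isSecureContext (undefined where the browser lacks it)
// probeOk: did a sub-resource request to the probe host complete its TLS handshake?
function classifyTrust(secureContext, probeOk) {
  if (probeOk === false) return "untrusted";     // a manual exception does not cover sub-resource requests
  if (secureContext === false) return "untrusted";
  if (probeOk === true) return "trusted";
  return "unknown";                              // neither signal available
}

// Sub-resource fetch to the probe host. With mode "no-cors" a successful TLS
// connection yields an opaque Response; a TLS failure rejects with TypeError.
async function probeCertificate(fetchImpl, url) {
  try {
    await fetchImpl(url, { mode: "no-cors", cache: "no-store" });
    return true;
  } catch (err) {
    return false;
  }
}

// Run the probe, classify, and notify the server only when there is a problem.
async function checkAndReport({ fetchImpl, secureContext, userAgent }) {
  const probeOk = await probeCertificate(fetchImpl, PROBE_URL);
  const status = classifyTrust(secureContext, probeOk);
  if (status === "untrusted") {
    await fetchImpl(REPORT_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ status, secureContext, probeOk, userAgent }),
    }).catch(() => {}); // reporting must never break the page
  }
  return { status, probeOk };
}

// In the browser, call it once per page load:
// checkAndReport({ fetchImpl: fetch, secureContext: window.isSecureContext,
//                  userAgent: navigator.userAgent });
```

The server side then only has to log the POST body together with the client IP so the PC's admin can be contacted.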

The information is not exposed through JavaScript (reference: Is there a way to get SSL certificate details using JavaScript?).

Depending on the situation, you can:

1) Use a group policy to deploy your CA to all PCs
2) Use other management software to deploy the CA
3) Use an actual trusted certificate authority (by either purchasing a certificate or using Let's Encrypt)

This is a non-exhaustive list, so if you have more information about your environment, I can possibly give other options.

Devator
  • I am not responsible for the client PC. I do not have access to them to install or manage certs. – guettli Feb 09 '19 at 08:27
  • So is the application you've developed on a routable domain? If yes, I highly suggest using Let's Encrypt for a free SSL certificate. – Devator Feb 10 '19 at 18:22
  • Unfortunately it is not on a routable domain. It is in the intranet only. I use Let's Encrypt in a different environment. Works fine. – guettli Feb 11 '19 at 11:24
  • If there's an edge machine, is it possible to run for example HAProxy / Traefik on it and proxy to internal from the WAN? This way you can use a routable domain to access the machine. You can still block outside access by the firewall. – Devator Feb 11 '19 at 14:28
  • I know that a reverse proxy on an edge machine with an official IP and name to the intranet would solve this issue. But that's not available in my current situation. – guettli Feb 11 '19 at 15:26