This article discusses how to troubleshoot the most common SSL-related issues in Trend Micro SSL.
Trend Micro SSL certificates can be reissued as many times as needed for the entire validity period of your portal.
- Issue a brand new certificate, or
- Generate a new Certificate Signing Request (CSR), log in to the Trend Micro SSL portal, go to the My Certificates tab, click the order number of the certificate, and click Reissue. Paste your CSR into the text box on the page and click Continue.
The name of the site is specified in the “Issued to” field of the certificate. This name must match whatever is being displayed in the address bar. The “common name” of the certificate cannot be changed without invalidating the certificate. The only course of action would be to generate a new Certificate Signing Request (CSR), this time specifying the correct common name, and then to order a new certificate.
- Firewall or router is blocking the secure port (typically port 443): Ensure that port 443 is open and allows traffic through.
- Port 443 has been assigned for SSL by the web server: In Microsoft IIS, you will need to enter 443 into the SSL port on the website tab of your site. In Apache, you will need to specify “:443” in the virtual host section pertaining to your website.
- Private Key Modulus does not match the Public Key Modulus: If you submit the key file and the certificate file to support, we can check to determine whether the moduli match. If they do not match then it is likely that there has been a mix up with their private keys or the private key has been deleted. If the private key cannot be found you will need to start again and create a new private key and CSR and have the certificate reissued.
- The web server is not configured properly: There must be a unique IP address assigned to the website.
In IIS, the IP address detailed in the IP address field on the website tab of your site must be specified in the Advanced section (click Advanced next to the SSL Port entry). If All Unassigned is present, remove it and add the IP address. You cannot use Host Headers in IIS.
Unix-based web servers (Apache, control panels such as Plesk, Ensim) must be in IP-based mode and not in name-based mode. A unique IP address must be specified in the virtual host section of the site.
- Ensure there is only 1 IP per certificate: Otherwise, conflicts will occur.
- DNS Issues: A site will either have an internal or external IP address. Find out which one you are using. The IP address must route to the domain name somehow.
- Can the site be accessed via the IP address? If the domain name has been recently purchased, then the DNS records needs to propagate (24-72 hours). If an internal IP address is being used, then a Network Address Translator (NAT), Firewall, or router must route the internal IP address to an external IP address in order for the site to be found externally.
- Some web servers require a physical reboot. Leave this option to last as it can cause disruption to service levels of the hosting company
To test your new certificate, open a browser and type your server’s Fully Qualified Domain Name with https://, for example:
Always ensure that Port 443 is open on your firewall.
This is probably because the SSL link is being severed by a BASE command in the <head> section of the page. View the HTML and check whether there is a line like this in the <head> section at the top of the page:
<BASE href=”http://www.yourcompany.com “>
This line forces all relative links to revert to http. Because of this, the SSL session cannot be established and the padlock cannot appear. You will need to remove the <BASE href=”http://www.yourcompany.com “> code from the page and make sure that there are no further file references using http:// on the page.
Alternatively, you can change the line in the <head> section at the top of the page to read as follows:
<BASE href=”https://www.yourcompany.com “>
This will set all relative links to https mode and allow the padlock to appear
This can occur if you are forcing the web server to load content over http rather than https when you are in SSL mode. Check your HTML code and ensure that you have no references to files or graphics that start with src=http://www. yourcompany.com/directory/file.gif.
If you do have reference like this, they must be relative, such as src=/directory/file.gif or absolute using https, such as src=https://www.yourcompany.com/directory/file.gif.
This error occurs when the certificate is being used on a different fully qualified domain name (FQDN) than the one for which it was issued. For example, if your certificate was issued to www. yourcompany.com, using it on secure. yourcompany.com will result in a name mismatch error.
You may also see this Security Alert if you have not installed the intermediate certificate and rebooted your server.