Starting with Nx Witness 5.0 and Nx Mobile 22.1, certificate validation is applied to the communication between Nx Server, Nx Clients, and Nx Cloud to enhance the security of Nx Witness.
Certificate Validation Levels
When the Nx Client connects to an Nx System, the System provides the certificates of all its servers to the Client for validation. Regardless of the configured level, no warning is displayed when you connect to a system whose servers present a valid (public) certificate with a matching hostname.
Note: A valid certificate must be issued by a public Certification Authority (CA) and must be served together with its complete certificate chain (the intermediate certificates). A public certificate served without its chain is treated as an invalid certificate by Nx Witness.
For other types of certificates, the behavior will depend on the Nx Client’s validation level:
- Disabled: The Client skips the validation process and connects to the system directly. The user will not see a warning message. Turning validation off is still NOT recommended: certificate validation is part of the security hardening of any system, and without it the Client cannot detect a server impersonating yours on the network.
- Strict: In this mode, servers that use the default Nx self-signed certificate are rejected as well. The user can only connect to Nx Servers that present a valid (public) certificate with the correct hostname. The warning message shown below appears when the user attempts to connect to a system with an invalid certificate or a mismatched hostname.
- Recommended (default): The user can connect to the Nx System with any kind of certificate, but the Client may ask for confirmation. A warning message can still appear in the following situations:
- Connected to an UNKNOWN system
When the Client connects to a system for the first time, it has no prior record of that system's server certificates.
If the system presents a custom or Nx self-signed certificate, or a public certificate without its chain, a “Trust this server?” message may appear stating that the SSL certificate could not be verified automatically.
Once the user approves the connection, the Client stores (pins) the certificate. No further warning is expected on later connections until the certificate expires or changes.
- Connected to a KNOWN system
When the Client connects to a known system whose certificate(s) can no longer be verified (for example, the certificate does not match the one the Client pinned, or it has expired), the Client displays the warning message “Cannot verify the identity of Server ”.
The user is asked to investigate the certificate problem. To proceed anyway, tick Trust this server and click Connect anyway. This warning appears on every connection attempt until the certificate problem has been fixed.
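The decision logic described above, written out as a small model so the three levels and the trust-on-first-use pinning can be traced step by step. This is an added illustration for this article, not Nx Witness code: the Cert fields, the level names, the returned actions and the sample certificates are assumptions that stand in for whatever the real Client does internally.

```python
"""Model of the Disabled / Recommended / Strict validation levels with
trust-on-first-use pinning. Illustrative only; not Nx Witness code."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    fingerprint: str        # hash of the certificate; this is what the Client pins
    hostnames: frozenset    # names the certificate is valid for (SAN entries)
    not_after: datetime     # expiry
    chain_verifies: bool    # chains to a public CA AND the full chain was served


# Actions the modelled Client can take (names are assumptions).
CONNECT = "connect"
PROMPT_TRUST_NEW = "prompt: Trust this server?"
PROMPT_CANNOT_VERIFY = "prompt: Cannot verify the identity of Server"
REJECT = "reject"


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def is_publicly_valid(cert, hostname, now):
    """A valid (public) certificate with a matching hostname never warns.
    A chain-less public certificate has chain_verifies=False and so is treated
    exactly like a self-signed one."""
    return cert.chain_verifies and hostname in cert.hostnames and now < cert.not_after


def decide(level, server_id, cert, hostname, pins, now, trust=False):
    """Return the action for one connection attempt.

    pins  : dict server_id -> pinned fingerprint; updated only when the user
            trusts a previously UNKNOWN server.
    trust : True if the user ticked 'Trust this server' in the dialog.
    """
    if level == "disabled":
        return CONNECT                      # no validation at all
    if is_publicly_valid(cert, hostname, now):
        return CONNECT                      # no warning at any level
    if level == "strict":
        return REJECT                       # self-signed, chain-less, expired, mismatch
    if level != "recommended":
        raise ValueError(f"unknown level {level!r}")

    pinned = pins.get(server_id)
    if pinned is None:                      # UNKNOWN system: trust on first use
        if trust:
            pins[server_id] = cert.fingerprint
            return CONNECT
        return PROMPT_TRUST_NEW
    if pinned == cert.fingerprint and now < cert.not_after:
        return CONNECT                      # KNOWN system, pin still matches
    # KNOWN system whose certificate changed or expired. 'Connect anyway' does
    # not update the pin, so the warning comes back on the next attempt.
    return CONNECT if trust else PROMPT_CANNOT_VERIFY


def sample_certs():
    """Constructed sample certificates (not real certificates)."""
    later = utc(2025, 6, 1)
    return {
        "public": Cert("sha256:pub", frozenset({"vms.example.com"}), later, True),
        "chainless": Cert("sha256:nochain", frozenset({"vms.example.com"}), later, False),
        "self_signed": Cert("sha256:self", frozenset({"localhost"}), later, False),
        "rotated": Cert("sha256:self2", frozenset({"localhost"}), later, False),
    }


if __name__ == "__main__":
    certs, pins, now = sample_certs(), {}, utc(2024, 6, 1)
    for attempt in ("first visit", "after trusting", "after cert rotation"):
        cert = certs["rotated"] if attempt == "after cert rotation" else certs["self_signed"]
        trust = attempt == "after trusting"
        print(attempt, "->", decide("recommended", "srv-a", cert, "10.0.0.5", pins, now, trust))
```

The model makes one point explicit that the prose only implies: under Recommended, a rotated or expired certificate on a known system keeps prompting because Connect anyway does not replace the pin, while Strict never reaches the pin store at all.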
How to Change the Certificate's Validation Level
To change the validation level in the Client:
Nx Desktop
- Open Local Settings > Advanced page
- Open the Server certificate validation dropdown and select a validation level.
- Apply changes.
Nx Mobile
- Open Settings > Security
- Disable the certificate check by toggling the switch (1), or tap Recommended (2) to switch to Strict.
How to check the Certificate's Details
To check the Server's SSL certificate validity and information:
Web Browser
- Open the Web Admin in a browser and click the security indicator in the address bar (shown as Not secure when the browser cannot verify the certificate, or as a padlock when it can).
- Click the certificate's status to open its details.
- Review the certificate's information, such as the expiration date, the issuer, and the names it is valid for.
Nx Desktop
- Open Server Settings > General.
Note: Any available pinned/custom certificate will be listed here.
- Click the certificate to view its details.
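The browser and Desktop steps above show the certificate but not always why validation failed. The following script, added here as an example and not an Nx tool, connects to a server's HTTPS port with the system CA store (as a browser would) and maps the OpenSSL verification error to the situations this article distinguishes: missing chain, self-signed, expired, or hostname mismatch. The port 7001 default and the use of OpenSSL's X509_V_ERR codes are assumptions; adjust the port to your deployment.

```python
"""Report why a server's HTTPS certificate passes or fails validation.
Added example for this article, not an Nx Witness tool."""
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes (exposed as SSLCertVerificationError.verify_code),
# mapped to the failure categories the article distinguishes. Assumption: the
# numeric values are those of OpenSSL's x509_vfy.h.
VERIFY_CODE_MEANING = {
    10: "certificate has expired (renew it)",
    18: "self-signed certificate (e.g. the default Nx certificate)",
    19: "self-signed certificate in chain (private CA not trusted by this host)",
    20: "issuer certificate not found (chain incomplete or private CA)",
    21: "unable to verify the leaf signature (chain incomplete)",
    62: "hostname does not match the names in the certificate",
}


def classify(verify_code):
    """Translate an OpenSSL verify code into a human-readable cause."""
    return VERIFY_CODE_MEANING.get(
        verify_code, f"verification failed (X509 verify error {verify_code})")


def check_server(host, port=7001, timeout=5.0):
    """Connect with full verification and describe the outcome as a dict."""
    ctx = ssl.create_default_context()      # system CAs, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()    # decoded only when verified
                return {
                    "ok": True,
                    "subject": cert.get("subject"),
                    "issuer": cert.get("issuer"),
                    "not_after": cert.get("notAfter"),
                    "san": cert.get("subjectAltName"),
                }
    except ssl.SSLCertVerificationError as err:
        return {"ok": False, "reason": classify(err.verify_code),
                "detail": err.verify_message}


def fetch_der(host, port=7001, timeout=5.0):
    """Fetch the raw DER certificate without verifying it, so a failing
    certificate can still be saved and inspected (e.g. with openssl x509)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    result = check_server(host, port)
    if result["ok"]:
        print("valid:", result["subject"], "expires", result["not_after"])
    else:
        print("invalid:", result["reason"], "|", result["detail"])
        with open(f"{host}.der", "wb") as f:
            f.write(fetch_der(host, port))
        print(f"saved unverified certificate to {host}.der")
```

A result of error 20 or 21 on a certificate bought from a public CA usually means the server is not serving its intermediate certificates, which is exactly the chain-less case the article marks as invalid; error 18 is the default Nx self-signed certificate; error 62 means the hostname you typed is not among the certificate's names, so connecting by IP address to a certificate issued for a DNS name will trigger it.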
How to Renew the Expired Certificate
Self-signed Certificate from Nx Witness
Restart the Server; it regenerates its self-signed certificate on startup. Then reconnect from the Client.
Public Certificate / Other Self-signed Certificate
Contact your VMS administrator to renew the Server’s certificate.