0

We had a certificate issued by Verisign and have allowed it to expire as we no longer have need for it.

Clients who have bookmarked the website with a 'https://' URL are greeted with a 'certificate has expired' warning. Some of our documentation may also reference the defunct URL.

Is there some way we can dispense with this warning? Ideally, we would like to simply redirect them to the plain 'http://' version of the website.

5 Answers

10

The expired certificate warning is purely client-side, so the only way you can make the client browsers happy is to present them with a certificate that they like. There's nothing you can do other than put up a certificate that's valid, otherwise the clients are going to present error messages. Even if you put up a redirect, the browser is going to expect to negotiate SSL before receiving the redirect (and will show the user an error message if you're presenting an invalid certificate).

This is the protocol working by design. One could argue that the protocol should've been designed to allow for a "This resource doesn't need SSL anymore" mode for exactly the situation you're describing, but it wasn't.

Evan Anderson
  • Replacement is the key. As a side note, you don't really need to replace it with an expensive cert. You can go with the really cheap certs (e.g. godaddy). – Zoredache Dec 09 '09 at 01:05
2

Although the real answer is that you must have a valid cert as mentioned already, an alternative is to not have a redirect and disable ssl on the server for that ip. This way you would get the browser's standard site not found error rather than one about a bad certificate. It would still be an error, but a more useful one in some circumstances.

JamesRyan
0

Is there a reason to not renew the cert?

You might not want the customer to use the https site, but as you said they still are.

You can get a cheap ssl cert from GoDaddy for less than $50.

There are other, even cheaper options.

0

I agree with Evan Anderson's answer but there is a way around it.

You can create your own self-signed cert using Java keytool to create a new Apache/Tomcat keystore. It's difficult but it would work. The user would be presented with a cert that is from an unknown source (you) but you can just import the cert and trust it. Then, from that point forward, you wouldn't be presented with the invalid cert based on an expired date.

djangofan
-3

Like Evan Anderson wrote, your users will probably still get a warning in their browser. On Apache the redirect should look something like this:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteCond %{SERVER_PORT} ^443$
    RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

Pablo
  • There's no "might" about it. They're going to get certificate warnings if they're accessing an HTTPS URL hosted by a web server that presents an invalid certificate. The redirect happens after SSL comes up, so they'll get warned. – Evan Anderson Dec 08 '09 at 23:50
  • I didn't mean to sound like I was mitigating the possibility of that result, it was an agreement with what you said. My post was intended for his need to redirect to http://, presumably so the users only get the certificate warning on the first page load. Based on the downvotes I misunderstood what he needed. – Pablo Dec 09 '09 at 21:59
  • This doesn't answer the question. Using (or not using) a URL redirect won't dispense of the "expired certificate" warning to users. – I say Reinstate Monica Jul 14 '17 at 15:16
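
Taken together, the answers above mean the HTTPS listener has to keep a valid certificate for as long as it issues the redirect. The following Apache configuration is an added example, not part of any post on this page; the hostname follows the www.domain.com placeholder used above, and the document root and certificate paths are assumed placeholders. It needs mod_ssl and mod_alias.

```apache
# Plain HTTP site: where clients should end up.
<VirtualHost *:80>
    ServerName www.domain.com
    # Placeholder path (assumption).
    DocumentRoot "/var/www/html"
</VirtualHost>

# HTTPS listener kept only to catch old bookmarks and documentation links.
# The TLS handshake completes before Apache reads the HTTP request, so this
# vhost must present a certificate that is in date and trusted by clients.
# With an expired certificate the browser warns before the 301 is ever sent.
<VirtualHost *:443>
    ServerName www.domain.com
    SSLEngine on
    # Placeholder paths (assumption): the renewed certificate and its key.
    SSLCertificateFile    "/etc/ssl/certs/www.domain.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/www.domain.com.key"
    # Delivered only after a successful handshake.
    Redirect permanent / http://www.domain.com/
</VirtualHost>
```

If the certificate on the :443 vhost is allowed to lapse again, the warning returns regardless of the redirect, so the listener should either stay renewed or be switched off as JamesRyan's answer describes.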