This only applies Internet Explorer users.
In some scenarios, users trying to access sites with invalid certificates (self-signed being the most common in my case) will NOT have the option to continue to the site.
Thankfully this security is more of a “security by obscurity” rather than something this is actually coded into the software. If you right-click on the page in question and look at the properties, you will see the address is like this:
The workaround as you can probably guess is to change the PreventIgnoreCertErrors=1 to PreventIgnoreCertErrors=0 keeping the #https:// url portion intact.
You can do this by copying the URL above and replacing the some-site-url with the actual site you are trying to reach and pasting that link into IE’s address bar.
You will still get the cert error, but you will now have the option to continue to the site in question. If you then follow-up with the usual method to get around self-signed certs by adding site to trusted locations and installing the cert, you won’t have to use this workaround for that site again.
This technet post has information for the actual fix.
As per TechNet article, you may still need to reduce the RSA Min Public Key Length and potentially allow weak signatures. Obviously this has the potential to expose you to weakly encrypted traffic (just for those weak sites, it doesn’t impact site with proper certs in place).
- Certutil -setreg chain\minRSAPubKeyBitLength 512
- Certutil -setreg chain\EnableWeakSignatureFlags 2