NoMachine Support

ID: AR05P00980
Applies to: NoMachine Software
Added on: 2018-05-23
Last update: 2018-05-31
How to solve 'The security certificate presented by this website was not issued by a trusted certificate authority'

The NoMachine server package includes nxhtd, the built-in Apache-based web server used to deploy sessions on the web, and a self-signed SSL certificate for encrypting data traffic between the web server and browsers.

This certificate is not signed by a trusted Certification Authority, nor can it match the host name of the machine where the NoMachine server package will be installed. It's therefore advisable to replace it with your own certificate, especially when web sessions are run over the Internet and not in a protected network (LAN or VPN).

Because the certificate that comes with the NoMachine package is not signed by a CA (Certification Authority), the browser cannot verify it and warns the user with a message like:

'There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority.'

This message does not block access, but it's advisable to use your own certificate to strengthen your web site, especially if it's reachable over the Internet.
 

Additionally, the NoMachine nxhtd-error.log file reports:

NXhtd:4443:0 server certificate does NOT include an ID which matches the server name

because the built-in certificate has been generated on a different machine. The new certificate must therefore be generated for the host where it will be used.

 

There are at least two ways to resolve the browser message 'the security certificate presented by this website was not issued by a trusted certificate authority.'

1. Create a self-signed certificate and make it trusted (become your own CA)

Generate your own root certificate and private key: see https://www.nomachine.com/AR04K00665 for instructions on generating a self-signed certificate with NoMachine tools.

Generate it on the same NoMachine server host where you plan to use the certificate.

Add the root certificate to each browser that will need to run the web session. In this way the certificate will be trusted internally on your network.

Depending on the Operating System, it may be necessary to add the certificate to the system or to the browser; different browsers have different procedures to add root certificates. Please refer to the official documentation of your browser and system for detailed instructions.

 
As an alternative:

2. Acquire a certificate from a CA

When choosing the Certification Authority, it is advisable to verify its compatibility with the browser. Root certificates of the most common CAs are already embedded in major browsers like Firefox, Chrome or Safari: the browser should already have a copy or be able to access a copy of the CA root certificate from the operating system. This avoids having to add the certificate to each user's device, as required by the first solution.

Create an SSL key pair, for example by using the OpenSSL tool.

On the same host where you plan to use the certificate, generate the CSR (Certificate Signing Request) and provide all the information (e.g. Common Name CN, Organization O, Country C etc.) that the CA will need to create your certificate. The CSR can also be generated by using OpenSSL tools. We recommend referring to the official documentation for your operating system, since instructions can vary.

The CA will then send you a certificate signed by them with their root certificate and private key.

Put the signed certificate in place for NoMachine web sessions (you can rename the original one to preserve it). It should be named:

installation directory/etc/keys/host/ht_host_rsa_key.crt

and put in place the private key as well:

installation directory/etc/keys/host/ht_host_rsa_key
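
The key pair and CSR step above, together with a check to run on the signed certificate before putting it in place, as an added example (not NoMachine's own tooling and not part of the original article). It assumes OpenSSL 1.1.1 or later; the function names and output file names are illustrative, and the key is assumed to be stored unencrypted so the web server can read it.

```shell
#!/bin/sh
# Added example, not NoMachine tooling. Assumes OpenSSL 1.1.1 or later.
# Nothing here writes into the NoMachine installation directory.

# make_csr HOST OUTDIR: create OUTDIR/HOST.key (RSA 2048, unencrypted, an
# assumption) and OUTDIR/HOST.csr. The subjectAltName entry is the value
# browsers compare with the host name in the URL.
make_csr() {
    host=$1; out=$2
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/$host.key" -out "$out/$host.csr" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null )
}

# check_cert_for_host CERT KEY HOST: return 0 only if CERT has not expired,
# names HOST, and carries the public key that belongs to KEY.
check_cert_for_host() {
    cert=$1; key=$2; host=$3

    # 1. Readable and not expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: $cert is expired or unreadable" >&2; return 1; }

    # 2. Host name match; a miss here is what nxhtd-error.log reports as
    #    "does NOT include an ID which matches the server name".
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || {
        echo "FAIL: $cert does not name $host" >&2; return 1; }

    # 3. Certificate and private key form one pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert" >&2; return 1; }

    echo "OK: $cert matches $host and $key"
}
```

Run check_cert_for_host on the certificate returned by the CA, with the host name users type in the browser, before copying the files to etc/keys/host under the installation directory.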