
Nx Witness User Manual

Nx Witness Server certificate validation applies to the communication between Nx Witness Server, Nx Witness Clients (Desktop Client and Mobile Client), and Nx Cloud. It enhances the security of Nx Witness by ensuring you are connecting to a trusted location.

While the Client connects to the System, the System provides the public keys from every Server to the Client for validation. Regardless of the configured level, no warning message is displayed when you connect to a System that has a valid (public) certificate with a matching hostname.

Note: A valid certificate must be issued by a public Certification Authority (CA) and must contain the complete certificate chain information. A public certificate without a certificate chain is considered invalid in Nx Witness. See "Obtaining and Installing an Authorized Certificate" for details. Trusted Man In The Middle certificates are trusted on the Desktop Client side.

For other types of certificates, the behavior will depend on the Client’s validation level:

Disabled: The Client skips the validation process and connects to the System directly. The User will not see a warning message. However, it is still NOT recommended to turn the validation off, since certificate validation is recommended as a part of the security hardening process of any System.

Recommended (default): The User can connect to the System with any certificate, but the connection may require the User's confirmation. You may still see the warning message in the following situations:

o Connected to an UNKNOWN System: When a Client attempts to connect to a new System for the first time, the Client has no prior information about the Servers' certificates. When the System provides certificate(s) that are custom/self-signed, or a public certificate without chain information, a “Connecting to Server for the first time?” prompt may appear stating that the SSL certificate could not be verified automatically. Once the Client approves this connection, the certificate is stored at the Client's end. No warning message is expected to pop up again for any further connections until the certificate expires/changes.

o Connected to a KNOWN System: When a User uses the Client to connect to a known System whose certificate(s) cannot be verified successfully (for example, mismatched with the Client's pinned certificate, expired certificate, etc.), the Client displays the warning message: “Cannot verify the identity of # Server”.
The User is prompted to take further action and check the certificate's problems. The User can check the I trust this/these Servers checkbox and then click Connect Anyway to connect to the Servers. This message will be seen every time the User attempts to connect to the System until the issue with the certificate has been fixed.


Strict: In this mode, Servers that use the default self-signed certificates are also rejected by the Client. It forces the User to connect only to Servers with a valid (public) certificate and correct hostname. The User will see a warning message when they attempt to connect to the System with an invalid certificate or a mismatched hostname.
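
The three levels described above can be read as one decision procedure. The following is an added example that models it, not Nx Witness code; the `server_id` key, the SHA-256 fingerprint used as the stored pin, and the returned outcome names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    DISABLED = "Disabled"
    RECOMMENDED = "Recommended"
    STRICT = "Strict"

@dataclass
class Presented:
    """What a Server presents, reduced to the facts the rules above depend on."""
    der: bytes             # certificate bytes (constructed sample data only)
    public_valid: bool     # public CA, complete chain, matching hostname, in date
    expired: bool = False  # relevant for custom/self-signed certificates

def fingerprint(cert: Presented) -> str:
    # Assumption: the Client's stored pin is modelled as a SHA-256 digest.
    return hashlib.sha256(cert.der).hexdigest()

def decide(level: Level, server_id: str, cert: Presented,
           pins: dict, user_accepts: bool = False) -> str:
    """Return 'connect', 'prompt-first-time', 'warn-cannot-verify' or 'reject'."""
    if cert.public_valid:
        return "connect"                # no warning at any level
    if level is Level.DISABLED:
        return "connect"                # validation skipped entirely
    if level is Level.STRICT:
        return "reject"                 # default self-signed certs are refused
    # Recommended: trust on first use, then compare with the stored pin.
    pinned = pins.get(server_id)
    if pinned is None:                  # UNKNOWN System (assumed even if expired)
        if user_accepts:
            pins[server_id] = fingerprint(cert)   # stored at the Client's end
        return "prompt-first-time"
    if pinned == fingerprint(cert) and not cert.expired:
        return "connect"                # KNOWN System, certificate unchanged
    return "warn-cannot-verify"         # repeats until the certificate is fixed

if __name__ == "__main__":
    pins = {}
    cert_a = Presented(b"constructed-self-signed-A", public_valid=False)
    cert_b = Presented(b"constructed-self-signed-B", public_valid=False)
    for cert in (cert_a, cert_a, cert_b, cert_b):
        print(decide(Level.RECOMMENDED, "srv1", cert, pins, user_accepts=True))
```

In this model, "Connect Anyway" on a known System does not replace the stored pin, which is why the warning repeats until the certificate itself is fixed.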

How to Change the Certificate's Validation Level

To change the validation level in the Desktop Client:

1. Open Main Menu > Local Settings > Advanced tab.

2. Open the Server certificate validation drop-down and select a validation level: Disabled, Recommended, or Strict.

3. Apply changes.

Note: The Server certificate validation level can also be modified in the Mobile Client.

How to Check the Certificate's Details

To check the Server's SSL certificate validity and information:

Desktop Client

1. Open Server Settings > General.

Note: Any available pinned/custom certificate will be listed here.

2. Click the certificate to view its details.

Web Admin

1. Open the Web Admin and click the Not secure indicator in the address bar.

2. Click the certificate's status to open its details.

3. Review the certificate's information, such as issuer and expiration date.


How to Renew the Expired Certificate

Self-signed Certificates from Nx Witness

Restart the Server to renew its certificate and try again.

Public Certificates / Other Self-signed Certificates

Contact your administrator to renew the Server certificate.