DW Spectrum validates Server certificates on the communication between DW Spectrum Server, DW Spectrum Clients (Desktop Client and Mobile Client), and DW Cloud. This enhances the security of DW Spectrum by ensuring you are connecting to a trusted location. When the Client connects to the System, the System provides all Servers’ public keys to the Client for validation. Regardless of which level is configured, no warning message is displayed when you connect to the System with a valid (public) certificate and matching hostname.
Note: A valid certificate must be issued by a public Certification Authority (CA) and contain the complete certificate chain. A public certificate without a certificate chain is considered invalid in DW Spectrum.
For other types of certificates, the behavior will depend on the Client’s validation level:
• Disabled – The Client skips the validation process and connects to the System directly. The user will not see a warning message. However, turning validation off is NOT recommended, since certificate validation is part of the security hardening process of any System.
• Recommended (default) – Allows the user to connect to the System with any certificate, but may require the user’s confirmation. You may still see a warning message in the following situations:
    • Connected to an UNKNOWN System – When a Client attempts to connect to a new System for the first time, the Client has no prior information about the Servers’ certificates. When the System provides certificates that are custom/self-signed, or public certificates without chain information, a “Connecting to Server for the first time?” prompt may appear stating that the SSL certificate could not be verified automatically. Once the user approves this connection, the certificate is stored on the Client. No warning message is expected to appear for further connections until the certificate expires or changes.
    • Connected to a KNOWN System – When a user attempts to connect the Client to a known System whose certificate(s) cannot be verified successfully (for example, it does not match the Client's pinned certificate, or it has expired), the Client displays the warning message: “Cannot verify the identity of Server ”. The user is asked to take further action and check the certificate's problems. To connect to the Server anyway, the user can check the I trust this server checkbox and then click Connect Anyway. This message appears every time the user attempts to connect to the System until the issue with the certificate has been fixed.
• Strict – In this mode, Servers that use the default self-signed certificates are also rejected by the Client. The user can connect only to Servers with a valid (public) certificate and correct hostname. The user will see a warning message when attempting to connect to the System with an invalid certificate or mismatched hostname.
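The three levels and the known/unknown System cases above can be read as one decision procedure. The following is an added example that models it; it is not DW Spectrum code, and the function name, action strings, and the SHA-256 fingerprint pin store are assumptions made for illustration. It also assumes, from the statement that the warning repeats until the certificate is fixed, that Connect Anyway does not replace the stored pin.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

LEVELS = ("disabled", "recommended", "strict")

@dataclass
class ServerCert:
    der: bytes             # certificate bytes (constructed samples below, not real DER)
    public_chain_ok: bool  # issued by a public CA and the full chain was presented
    hostname_ok: bool      # certificate matches the hostname used to connect
    not_after: datetime    # expiry

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def decide(level, server_id, cert, pins, now, user_approves=False):
    """Return the client's action. `pins` maps server_id -> pinned fingerprint."""
    if level not in LEVELS:
        raise ValueError(f"unknown validation level: {level!r}")
    unexpired = now <= cert.not_after
    if cert.public_chain_ok and cert.hostname_ok and unexpired:
        return "connect"               # valid public cert: silent at every level
    if level == "disabled":
        return "connect"               # validation skipped, no warning shown
    if level == "strict":
        return "reject"                # self-signed, chainless or mismatched: refused
    pinned = pins.get(server_id)       # from here on: "recommended"
    if pinned is None:                 # unknown System: first-time prompt
        if not user_approves:
            return "prompt-first-time"
        pins[server_id] = cert.fingerprint()   # approval stores the certificate
        return "connect"
    if pinned == cert.fingerprint() and unexpired:
        return "connect"               # known System, pin still matches
    # Pin mismatch or expiry: warn on every attempt; "Connect Anyway" does not re-pin.
    return "connect" if user_approves else "warn-cannot-verify"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expiry = datetime(2025, 1, 1, tzinfo=timezone.utc)
    original = ServerCert(b"constructed-self-signed-A", False, False, expiry)
    swapped = ServerCert(b"constructed-self-signed-B", False, False, expiry)
    pins = {}
    for cert, ok in [(original, False), (original, True), (original, False), (swapped, False)]:
        print(decide("recommended", "server-1", cert, pins, now, user_approves=ok))
```

The last line of output is the case worth alerting on in practice: a known Server presenting a certificate that differs from the pinned one.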
How to Change the Certificate's Validation Level
To change the validation level in the Desktop Client:
1. Open Main Menu > Local Settings > Advanced tab.
2. Open the Server certificate validation dropdown and select a validation level: Disabled, Recommended, or Strict.
Note: The Server certificate validation level can also be modified in the Mobile Client.
How to Check the Certificate's Details
To check the Server's SSL certificate validity and information:
1. Open Server Settings > General.
Note: Any available pinned/custom certificate will be listed here.
2. Click the certificate to view its details.
1. Visit the Web Admin and click the Not secure indicator in the address bar.
2. Click on the certificate’s status to open its details.
3. Review the certificate's information, such as issuer and expiration date.
How to Renew the Expired Certificate
Self-signed Certificates from DW Spectrum
Restart the Server to renew its certificate and try again.
Public Certificates / Other Self-signed Certificates
Contact your VMS administrator to renew the Server’s certificate.