    Applicable to:
    • Twingate Component: Client
    • Platform: Linux, Windows, macOS

    Overview

    Users may encounter an "Untrusted Certificate" warning when accessing websites that are blocked by Twingate's internet security policies in Integrated Development Environments (IDEs) that use embedded browsers. This occurs because the block page presented uses an SSL certificate issued by NextDNS, which may not be trusted by the IDE’s embedded browser due to its separate certificate store.

    Symptoms

    • When accessing a blocked website, users see a block page with an "Untrusted Certificate" warning.
    • The warning is specific to IDEs with embedded browsers, as they maintain their own trusted certificate stores.
    • Standard browsers (e.g., Chrome, Firefox, Edge) typically do not present this warning.

    Troubleshooting

    1. Check whether the warning occurs when accessing a site that is blocked by an internet security policy.
      The warning is triggered when a user tries to access a website blocked by Twingate's policies, and the block page is presented with an SSL certificate issued by NextDNS.

    2. Determine if the issue is specific to the embedded browser in the IDE.
      Verify that the issue happens only in the IDE and not in regular web browsers. Regular browsers generally trust the NextDNS root certificate, but they may not. Make sure the NextDNS Blockpage CA cert is trusted.

    3. Locate the certificate store of the embedded browser in the IDE.
      The location of the trusted certificate store will be displayed at the bottom of the untrusted certificate warning window.

     

    Resolution

    To resolve the untrusted certificate warning, users need to manually import the NextDNS certificate into the IDE’s embedded browser certificate store:

    1. When the untrusted certificate warning appears, note the certificate store location at the bottom of the warning window.
    2. Download the NextDNS certificate (if needed) or obtain it from the SSL block page.
      Make sure to download the NextDNS Blockpage CA cert, as the NextDNS Blockpage Edge CA & blockpage.nextdns.io certs are on a short rotation.
    3. Navigate to the certificate store location within the IDE.
    4. Follow the IDE’s process for importing the NextDNS certificate into its trusted root store.

    Once the certificate is imported, the embedded browser should trust the NextDNS certificate, and the warning should no longer appear.
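
    Before importing, it is worth confirming that the downloaded file really is the long-lived NextDNS Blockpage CA and not one of the short-rotation certificates. The script below is an added example, not Twingate or NextDNS tooling: the function names and the 90-day threshold are hypothetical, and it assumes the Blockpage CA is a self-signed root and that the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded certificate before importing it
# into an IDE's trust store. Requires the openssl command-line tool.

# usage: check_root_ca cert.pem "Expected CN" [min_days_remaining]
check_root_ca() {
    pem=$1; want_cn=$2; min_days=${3:-90}
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 ||
        { echo "FAIL: not a readable PEM certificate"; return 1; }
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    issr=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 |
        sed 's/^issuer= *//')
    # Exact CN match, so "NextDNS Blockpage Edge CA" is not mistaken for the CA.
    case ",$subj," in
        *",CN=$want_cn,"*) ;;
        *) echo "FAIL: subject is '$subj', expected CN=$want_cn"; return 1 ;;
    esac
    # Assumption: the certificate to import is a self-signed root.
    [ "$subj" = "$issr" ] ||
        { echo "FAIL: issued by '$issr', not self-signed"; return 1; }
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints does not mark this as a CA"; return 1; }
    # Short-rotation certificates fail here; importing one would only
    # silence the warning until the next rotation.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $min_days days"; return 1; }
    echo "OK: $subj"
    # Compare this fingerprint with one obtained from a source you trust.
    openssl x509 -in "$pem" -noout -fingerprint -sha256
}

# Constructed sample input (not a real NextDNS certificate), for trying the
# check offline. usage: make_constructed_cert out.pem "CN" days TRUE|FALSE
make_constructed_cert() {
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' "CN=$2" '[ext]' \
        "basicConstraints=critical,CA:$4" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -days "$3" -config "$cfg" -out "$1" 2>/dev/null
    rc=$?; rm -f "$cfg"; return "$rc"
}
```

    Run it as `check_root_ca downloaded.pem "NextDNS Blockpage CA"`, where `downloaded.pem` is a placeholder for the file saved in step 2.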