<!--[if !mso]><style>v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style><![endif]--><!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]-->


Forgot to copy you in. We’ll see what Scott says.



David Stenhouse 

      021 226 6987




From: David Stenhouse
Sent: Monday, 8 July 2013 3:33 p.m.
To: Scott Savage ([email address])
Subject: FW: Site Certificate message
Importance: High


Hi Scott

Can you please let me know what we need to do to get this fixed. It appears to be at your end.





David Stenhouse 

Manager Passenger Services

37 Main North Rd,



PO Box 345
New Zealand 

 021 226 6987

website: www.metroinfo.org.nz




From: Claire Nicholls
Sent: Friday, 5 July 2013 9:23 a.m.
To: David Stenhouse
Subject: RE: Site Certificate message
Importance: High


Hi David


We are having issues with some users seeing a security message on our mymetrocard website that Ionata created. It’s taken us a while to figure out what is going on and it looks like it maybe a server issue. Ionata tell us they do not host the site on their server and Lyndon tells us it’s not hosted on a Snap server. Can you tell us where the server is and what it’s called? Is it Rivera or Init?





From: Lyndon Walker
Sent: Thursday, 4 July 2013 8:29 p.m.
To: [email address]
Cc: Claire Nicholls
Subject: RE: Site Certificate message


Thanks Martin


As Snap only provide us with our wide area networks and internet connection, I don’t believe that they have anyting to do with it

Could it be part of our Init equipment at Revera? Clarie?


Can you tell me the name of it?

Or another information that I would  find handy


I will  do a bit of research to the what where this server is






From: Martin Anderson [mailto:[email address]]
Sent: Thursday, 4 July 2013 6:39 p.m.
To: Lyndon Walker
Cc: Claire Nicholls
Subject: Re: Site Certificate message


Hi Lyndon


Regarding the report you that you provided. We don't actually manage the web server.


I believe Snap provides the server itself. We don't have an SLA with ECAN covering server maintenance.


We installed the certificate as provided so in this case I'm not sure what else we can do.


Kind regards,


Martin Anderson


Image removed by sender.


P: (03) 6231 9110
M: 0438 515 595


On 1 July 2013 07:13, Lyndon Walker <[email address]> wrote:


The way the certificate works is to check its validity when the site is loaded

The browser, either on the phone, laptop, tablet, pc or whatever goes out to the internet to a CA (Certificate Authority) to confirm its authenticity

This appears to be failing for these users


Does she have access to a PC to try this on?



We do however need to tighten up the webserver itself, she may have some fancy ssl checker software loaded which is suggesting that she doesn’t continue

See the following report







From: Claire Nicholls
Sent: Monday, 1 July 2013 9:06 a.m.
To: Lyndon Walker
Subject: FW: Site Certificate message


Morning Lyndon


Did we get anywhere with the below? I would like to solve the problem when possible.


Kind regards



From: Peter and Victoria [mailto:[email address]]
Sent: Thursday, 27 June 2013 9:20 p.m.
To: Claire Nicholls
Subject: RE: Site Certificate message


Hi Claire,

Thank you for the update.  The message I sent you earlier was from our Android tablet.  So I thought I would try on my Android phone, but I am getting a similar message.  This time it says the security certificate has expired.  My husband suggested I try rebooting the phone and clearing the cache, but I am still getting the expired message. 
He has just tried to get a balance on his Android phone and is getting the same message as I got earlier today on the tablet.  I attach some screen shots from his phone which may be of help.

I don't feel happy using the website to pay using my credit card. If you have any other ideas, please let me know.

Victoria Brown

Hi Victoria


I’ve had our teams internally and externally have a look at why you are getting the message. At the moment you’re the only person who has experienced it. Our security certificate was updated approx. two weeks ago and it has been confirmed that it is working correctly. This means that you can ignore the message and continue to top up using a credit card, the site is secure and will work correctly.


The team have noticed that the message recognises your device as a mobile and are looking into why it would be coming up on a mobile device.


One reason that has been mentioned to me a few times is that it could be that your computer security settings. They could be  very high and restrictive and this may be why you are getting the message when the security licence is completely fine.


We are still looking into why it has shown up on your screen, I just wanted to give you an update this afternoon. In the meantime please feel free to ignore the message and continue to use the site.


Kind regards





PO Box 345, Christchurch 8140, New Zealand
Customer Services:
0800 324 636


Claire Nicholls
Operations Administrator

Passenger Services Team
Environment Canterbury

[mobile number]
[email address]








From: Peter and Victoria [mailto:[email address]]
Sent: Thursday, 27 June 2013 9:12 a.m.
To: Claire Nicholls
Subject: Site Certificate message


Hi Claire,

Here's the message I got when I tried to login to top up my son's metro card.  I do not work for an organisation, I'm just a stay-at-home-mom!

Thanks for your help.
Victoria Brown

The site's security certificate is not trusted!
You attempted to reach metrocard.metroinfo.co.nz, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
You should not proceed, especially if you have never seen this warning before for this site.
Proceed anyway  Back to safety
Help me understand
When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your mobile device trusts. By checking that the address on the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended and not a third party (such as an attacker on your network).

In this case, the certificate has not been verified by a third party that your mobile device trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with metrocard.metroinfo.co.nz instead of an attacker who generated his own certificate claiming to be metrocard.metroinfo.co.nz. You should not proceed past this point.

If, however, you work in an organisation that generates its own certificates and you are trying to connect to an internal website of that organisation using such a certificate, you may be able to solve this problem securely. You can import your organisation's root certificate as a "root certificate", and then certificates issued or verified by your organisation will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organisation's help staff for assistance in adding a new root certificate to your mobile device.