

The way the certificate works is to check its validity when the site is loaded.

The browser, either on the phone, laptop, tablet, PC or whatever, goes out to the internet to a CA (Certificate Authority) to confirm its authenticity.

This appears to be failing for these users.


Does she have access to a PC to try this on?



We do, however, need to tighten up the webserver itself; she may have some fancy SSL checker software loaded which is suggesting that she doesn’t continue.

See the following report.







From: Claire Nicholls
Sent: Monday, 1 July 2013 9:06 a.m.
To: Lyndon Walker
Subject: FW: Site Certificate message


Morning Lyndon


Did we get anywhere with the below? I would like to solve the problem when possible.


Kind regards



From: Peter and Victoria [mailto:[email address]]
Sent: Thursday, 27 June 2013 9:20 p.m.
To: Claire Nicholls
Subject: RE: Site Certificate message


Hi Claire,

Thank you for the update.  The message I sent you earlier was from our Android tablet.  So I thought I would try on my Android phone, but I am getting a similar message.  This time it says the security certificate has expired.  My husband suggested I try rebooting the phone and clearing the cache, but I am still getting the expired message. 
He has just tried to get a balance on his Android phone and is getting the same message as I got earlier today on the tablet.  I attach some screen shots from his phone which may be of help.

I don't feel happy using the website to pay using my credit card. If you have any other ideas, please let me know.

Victoria Brown

Hi Victoria


I’ve had our teams internally and externally have a look at why you are getting the message. At the moment you’re the only person who has experienced it. Our security certificate was updated approx. two weeks ago and it has been confirmed that it is working correctly. This means that you can ignore the message and continue to top up using a credit card, the site is secure and will work correctly.


The team have noticed that the message recognises your device as a mobile and are looking into why it would be coming up on a mobile device.


One reason that has been mentioned to me a few times is that it could be your computer security settings. They could be very high and restrictive and this may be why you are getting the message when the security licence is completely fine.


We are still looking into why it has shown up on your screen, I just wanted to give you an update this afternoon. In the meantime please feel free to ignore the message and continue to use the site.


Kind regards





PO Box 345, Christchurch 8140, New Zealand
Customer Services:
0800 324 636


Claire Nicholls
Operations Administrator

Passenger Services Team
Environment Canterbury

[mobile number]
[email address]








From: Peter and Victoria [mailto:[email address]]
Sent: Thursday, 27 June 2013 9:12 a.m.
To: Claire Nicholls
Subject: Site Certificate message


Hi Claire,

Here's the message I got when I tried to login to top up my son's metro card.  I do not work for an organisation, I'm just a stay-at-home-mom!

Thanks for your help.
Victoria Brown

The site's security certificate is not trusted!
You attempted to reach metrocard.metroinfo.co.nz, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
You should not proceed, especially if you have never seen this warning before for this site.
Proceed anyway  Back to safety
Help me understand
When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your mobile device trusts. By checking that the address on the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended and not a third party (such as an attacker on your network).

In this case, the certificate has not been verified by a third party that your mobile device trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with metrocard.metroinfo.co.nz instead of an attacker who generated his own certificate claiming to be metrocard.metroinfo.co.nz. You should not proceed past this point.

If, however, you work in an organisation that generates its own certificates and you are trying to connect to an internal website of that organisation using such a certificate, you may be able to solve this problem securely. You can import your organisation's root certificate as a "root certificate", and then certificates issued or verified by your organisation will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organisation's help staff for assistance in adding a new root certificate to your mobile device.
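
The two warnings reported in this thread ("not trusted" on the tablet, "expired" on the phone) correspond to distinct certificate verification failures that an operator can reproduce from their own side. The following is an added example, not part of the original correspondence: the function names `classify`, `days_left` and `check_host` are assumptions, and the check uses the trust store of the machine it runs on, which may differ from an Android device's.

```python
import socket
import ssl

# OpenSSL X.509 verification codes, mapped to the kind of warning a user sees.
VERIFY_CODES = {
    9: "not yet valid (check the client clock)",
    10: "expired",
    18: "not trusted: self-signed certificate",
    19: "not trusted: self-signed certificate in chain",
    20: "not trusted: issuer not found (often a missing intermediate certificate)",
    21: "not trusted: cannot verify leaf signature (incomplete chain)",
    62: "hostname mismatch",
}


def classify(verify_code):
    """Translate an OpenSSL verify code into a plain-language reason."""
    return VERIFY_CODES.get(verify_code, f"other verification failure ({verify_code})")


def days_left(not_after, now):
    """Whole days until a getpeercert()-style notAfter string; negative means expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check_host(host, port=443, timeout=10):
    """Validate the server's chain and hostname the way a strict client would."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "reason": "trusted", "not_after": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        # verify_code distinguishes "expired" from "not trusted" from "wrong name"
        return {"ok": False, "reason": classify(exc.verify_code),
                "detail": exc.verify_message}


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1]))
```

A result of `ok: True` here only shows that this machine's trust store accepts the chain; a device with an older or smaller trust store can still reject the same server.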