ERR_CERT_AUTHORITY_INVALID - Trust and Chain Issues
Certificate authority errors indicate the browser cannot establish a trust path from your certificate to a known root certificate authority. These errors appear as "NET::ERR_CERT_AUTHORITY_INVALID" in Chrome or "SEC_ERROR_UNKNOWN_ISSUER" in Firefox. This problem often stems from incomplete certificate chains where intermediate certificates are missing, preventing browsers from verifying your certificate's authenticity even when the certificate itself is perfectly valid.
Certificate chains create trust by linking your server certificate through one or more intermediate certificates to a root certificate pre-installed in browsers. Certificate authorities rarely sign server certificates directly with their root certificates, instead using intermediates for operational flexibility. Your server must present the complete chain—your certificate plus all intermediates—for browsers to validate trust. Missing intermediates break this chain, causing trust errors despite valid certificates.
Fixing chain issues requires obtaining and installing the correct intermediate certificates. Your certificate authority provides these intermediates, often bundled with your server certificate or available from their support site. Concatenate certificates in the correct order: your server certificate first, followed by intermediates from most specific (the one that issued your certificate) to most general, but not including the root. Configure your web server to serve this complete chain. Apache uses the SSLCertificateChainFile directive (deprecated since Apache 2.4.8, where SSLCertificateFile also accepts the intermediates appended after the server certificate), while Nginx expects intermediates concatenated with the server certificate in a single file.
Validate certificate chains using online tools like SSL Labs' SSL Test or Qualys SSL Checker. These tools analyze your certificate chain from external perspectives, identifying missing or misordered certificates. Command-line tools like OpenSSL's s_client can also verify chains:

    openssl s_client -connect example.com:443 -showcerts

Review the output for complete chains and any verification errors. Regular chain validation, especially after certificate updates, prevents trust issues from reaching production.