Certificate Authority Trust Errors
Trust errors indicate browsers cannot verify the certificate's authenticity, displaying messages like "NET::ERR_CERT_AUTHORITY_INVALID" (Chrome) or "SEC_ERROR_UNKNOWN_ISSUER" (Firefox). These errors suggest the browser doesn't trust the Certificate Authority that issued the certificate, often due to missing intermediate certificates that create the trust chain from your certificate to a trusted root CA.
Self-signed certificates always trigger trust errors because no recognized CA vouches for their authenticity. While acceptable for development environments, self-signed certificates should never be used in production. Less common causes include certificates from CAs not included in browser trust stores, compromised CAs removed from trust stores, or clock synchronization issues affecting certificate validation.
Troubleshooting trust errors requires analyzing the complete certificate chain. Use tools like openssl s_client -connect yourdomain.com:443 -showcerts to display all certificates in the chain. Online SSL checkers identify missing intermediate certificates. Compare your chain against the CA's documentation to ensure completeness. Browsers might work intermittently if they cached intermediates from other sites, masking the problem.
Resolution typically involves installing missing intermediate certificates. Download intermediates from your CA and configure your server to present the complete chain. Apache uses SSLCertificateChainFile or includes intermediates in SSLCertificateFile. Nginx requires concatenating certificates in the correct order. Test thoroughly after changes, as incorrect chain order causes validation failures. For self-signed certificates in development, properly configure test environments rather than bypassing warnings.
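The chain analysis and chain-order points above, as an added example that is not part of the original page: it builds a throwaway root, intermediate and leaf with openssl, then classifies a concatenated bundle as ok, wrong-order or incomplete. The certificate names under example.test and the function names chain_order_ok and check_bundle are this example's own assumptions.

```sh
#!/bin/sh
# Added example; the CA names and demo-*.example.test are constructed for the demo.
set -e
work=$(mktemp -d) && cd "$work"

make_demo_pki() {  # builds root -> intermediate -> leaf under $work
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
      -subj "/CN=demo-$n.example.test" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
}

# Succeeds only if every certificate in the bundle names the next one as its
# issuer (leaf first, then intermediates). Compares names only, not signatures.
chain_order_ok() {
  d=$(mktemp -d); rc=0; i=1
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  while [ -f "$d/$((i + 1)).pem" ]; do
    iss=$(openssl x509 -noout -issuer_hash -in "$d/$i.pem")
    sub=$(openssl x509 -noout -subject_hash -in "$d/$((i + 1)).pem")
    [ "$iss" = "$sub" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$d"; return "$rc"
}

# check_bundle ROOT BUNDLE: prints ok, wrong-order or incomplete.
# Only the bundle's own certificates are offered as intermediates, which is
# what a client with no cached intermediates has to work with.
check_bundle() {
  chain_order_ok "$2" || { echo wrong-order; return 0; }
  if openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
  then echo ok; else echo incomplete; fi
}

make_demo_pki
cat leaf.pem inter.pem > full.pem        # complete chain, correct order
cat inter.pem leaf.pem > reversed.pem    # intermediate listed before the leaf
for b in full.pem leaf.pem reversed.pem; do
  echo "$b: $(check_bundle root.pem "$b")"
done
```

The leaf-only bundle is the case that works intermittently in browsers with cached intermediates; here it is reported as incomplete because nothing outside the bundle is available to build the path.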