
How to Tackle SSL Certificate Is Not Trusted Error

Are you still receiving the "SSL certificate is not trusted" error? Check out this post to learn more about how to tackle this error in your SSL certificate.

by Jim Aron · Sep. 13, 18 · Tutorial

The Perfect Troubleshooting Resources to Tackle the Most Common SSL Error "Certificate is Not Trusted".

You’ve gone through all the trouble of researching what SSL certificate to purchase, you’ve been validated, gotten it issued, and even installed it on your server. But, now, you’re receiving an error message, “Your SSL Certificate is not trusted.”

The browsers all say this in different ways — some are extremely explicit, others are pretty cursory, but the effect is always the same: this certificate can’t be trusted.

So, what do you do? You throw your monitor out of your office window is what you do. Carl is always in favor of taking your frustration out on computer equipment. I once punted a router into the ceiling panels. That was actually how we discovered the asbestos at my last job. They weren’t as thankful for that discovery as they probably should have been.

Anyway, let’s talk about why your SSL certificate is receiving these “Not Trusted” error messages and try to help you solve the problem.

Why Does it Say SSL Certificate Is not Trusted?

It all starts with the browsers’ root stores. Most browsers maintain their own root stores; the ones that don’t typically use Google’s or Mozilla’s. A root store, sometimes referred to as a trust store, is a collection of pre-downloaded root certificates from trusted certificate authorities. If a browser reaches a website that presents a certificate that was not issued by one of these trusted CAs, it will give the user an error message about not being able to trust the certificate.

There are a few reasons this might happen.

You Might Be Getting an Error Because You Have a Self-Signed Certificate

Self-signed certificates are fine for testing environments and internal networks. However, they are not a good idea for any public-facing IP. And, that goes back to the root stores. As I mentioned, browsers have a set of pre-downloaded root certificates from trusted CAs. The problem a self-signed certificate has is that it doesn’t chain back to a trusted root certificate from a trusted CA.

If you self-signed your SSL certificate on purpose, go directly to jail. Do not pass go. You do not get to collect $200. Just kidding. But, you will need to go through a trusted CA to get a new SSL certificate and install it on your network.

Alternatively, you could also add the certificate to your root store. There are directions for how to do this on the various browsers. Just be warned, the certificate will now be trusted on your browser, but anyone that hasn’t added the certificate to their own root store will still receive the error message. Again, I only recommend doing this for internal networks and testing.

If you bought a certificate from a trusted CA and you’re still getting this message, then you may need to go back through the installation instructions and make sure you didn’t miss any steps. This is actually a fairly easy mistake to make. That’s one of the reasons I have our CED team install all of my SSL certificates. That way, if anything goes wrong, I have someone to yell at. Fortunately, nothing has gone wrong, but if it does I’m putting a tack on Justin’s chair.

If all else fails, you may need to regenerate your Certificate Signing Request (CSR) and re-issue your certificate. This is the nuclear option. Before you do this, you might want to call us and see if we can help first.

You Might Be Getting an Error Because of Intermediate Certificate Issues

Another possibility is that you’re receiving this error because of an issue with the installation of your intermediate certificates. This is a common mistake, too. First, let me explain why this is important.

Remember our root store? A browser is able to tell if a certificate is trusted by chaining it back to one of the trusted roots in its store. It does this with the use of intermediate certificates. When you receive your SSL certificate from your CA, it oftentimes comes with an intermediate certificate bundle. This is just as important to install as the SSL certificate itself because this is what establishes the chain of trust.

If the browser can’t establish the chain of trust and link your SSL certificate to one of the roots it trusts, then it’s going to issue a warning about not being able to trust the certificate.

Again, if you’re receiving this error, first make sure you’ve installed your intermediate certificate, then go back through the instructions and make sure you did everything correctly.
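The two failure cases described above (a self-signed certificate and a missing intermediate) can be reproduced offline. The script below is an added example, not part of the original article: it builds a throwaway root, intermediate, and leaf with the `openssl` CLI and checks whether each certificate chains to the root. All names and files are constructed, and `root.crt` stands in for the browser's root store.

```shell
# Constructed root -> intermediate -> leaf PKI; every name here is made up.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

build_chain() (
  cd "$WORK" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  new_csr() {  # new_csr NAME CN: fresh key plus CSR
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
  }
  # Root: self-signed CA, stands in for an entry in the browser's root store.
  openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Constructed Root CA" -days 1 &&
  # Intermediate: CA certificate signed by the root.
  new_csr int "Constructed Intermediate CA" &&
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -days 1 -out int.crt &&
  # Leaf: the site certificate, signed by the intermediate, not the root.
  new_csr leaf "www.example.test" &&
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.crt &&
  # Self-signed site certificate: its issuer is itself, not a trusted CA.
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes \
    -keyout self.key -out self.crt -subj "/CN=www.example.test" -days 1
) >/dev/null 2>&1

# chain_ok CERT [BUNDLE]: can CERT be chained to root.crt using only BUNDLE?
chain_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2" "$WORK/$1"
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$1"
  fi >/dev/null 2>&1
}

build_chain || { echo "could not build the constructed PKI" >&2; exit 1; }
for bundle in "" int.crt; do
  chain_ok leaf.crt "$bundle" && r=trusted || r="NOT trusted"
  echo "leaf.crt with bundle '${bundle:-none}': $r"
done
chain_ok self.crt && echo "self.crt: trusted" || echo "self.crt: NOT trusted"
```

The `-untrusted` file plays the role of the intermediate bundle the server sends during the handshake. To see which certificates a real server actually sends, `openssl s_client -connect <host>:443 -showcerts` lists them.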


Published at DZone with permission of Jim Aron. See the original article here.
