Introduction
When a browser displays "Your connection is not secure" or `NET::ERR_CERT_AUTHORITY_INVALID`, certificate validation has failed: the client could not build a path from the certificate the server presented to a root in its own trust store. The root cause can range from a self-signed certificate to a missing intermediate, an expired or unknown root CA, or a hostname mismatch. Identifying exactly why the client does not trust the certificate is the first step toward fixing it, and the steps below reproduce each failure with `openssl` so you are not guessing from a browser dialog.
Symptoms
- Browser shows `NET::ERR_CERT_AUTHORITY_INVALID` or a similar warning
- Different browsers show different trust errors for the same site
- Mobile devices fail while desktop browsers work (or vice versa)
- `curl` returns `SSL certificate problem: unable to get local issuer certificate`
- Internal applications fail with certificate verification errors
- SSL Labs shows validation failures in the certification paths section
Common Causes
- Self-signed certificate not added to trust store
- Intermediate certificate missing from chain
- Certificate issued by non-standard or internal CA
- CA root not in client's trust store (old or obscure CA)
- Certificate hostname doesn't match request URL
- Certificate has been revoked by the CA
- System clock on client is wrong
Step-by-Step Fix
Step 1: Determine the Trust Failure Type
Run a comprehensive certificate check. Pipe from `echo` (or redirect `</dev/null`) so `s_client` exits after the handshake instead of waiting for input, and always pass `-servername` so a virtual-hosted server returns the certificate for that name rather than its default one:
```bash
# Check certificate details
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text

# Check verification result
echo | openssl s_client -connect example.com:443 -servername example.com 2>&1 | grep -E "Verify return|depth|error"

# Get full chain info (subject and issuer of every certificate the server sent)
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null | grep -E "s:|i:|Verify"
```
Review the output for these key indicators:
```bash
# Look for these error messages
echo | openssl s_client -connect example.com:443 -servername example.com 2>&1 | grep -i "error\|alert"
```
The `Verify return code` line tells you which cause you are dealing with: `0 (ok)` means the chain validated against the local store; `21 (unable to verify the first certificate)` or `20 (unable to get local issuer certificate)` means the server did not send an intermediate the client needs (Step 3); `18 (self signed certificate)` means the leaf is self-signed, and `19 (self signed certificate in certificate chain)` means it chains to a private or otherwise untrusted root (Step 2); `10 (certificate has expired)` points at expiry or a wrong client clock. Keep in mind that `s_client` validates against OpenSSL's trust store, not the browser's, so its result can differ from what a given browser shows.
Step 2: Check if Self-Signed or Private CA
```bash
# Check issuer - if issuer equals subject, it's self-signed
openssl x509 -in /path/to/cert.pem -noout -subject -issuer

# Self-signed will show something like:
# subject=CN = example.com
# issuer=CN = example.com

# Private CA will show your organization's CA name as the issuer
```
If the certificate is self-signed or issued by a private CA, clients need the issuing CA certificate (for a self-signed certificate, the certificate itself) in their trust store. Distribute only the certificate, never the CA's private key: every client that trusts a root will accept any certificate signed with that key, so keep the key offline and treat its compromise as a compromise of every client that trusts it.
```bash
# For Debian/Ubuntu clients (update-ca-certificates only picks up files ending in .crt)
sudo cp ca-cert.pem /usr/local/share/ca-certificates/ca-cert.crt
sudo update-ca-certificates

# For Windows (via PowerShell as Admin)
Import-Certificate -FilePath "ca-cert.pem" -CertStoreLocation Cert:\LocalMachine\Root

# For macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem
```
On RHEL and Fedora the anchor directory is `/etc/pki/ca-trust/source/anchors/`, followed by `update-ca-trust`. Firefox keeps its own root store and ignores the OS store unless `security.enterprise_roots.enabled` is set to true, and Java applications use the JVM's `cacerts` keystore and need the CA imported there with `keytool`.
Step 3: Fix Missing Intermediate Chain
```bash
# Check how many certs are being served
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null | grep -c "BEGIN CERTIFICATE"

# Should be 2+ (server cert + intermediate(s))
# If only 1, you're missing intermediates

# Get intermediate from your CA or use certbot's fullchain
# For Let's Encrypt, use the fullchain.pem file
ls -la /etc/letsencrypt/live/example.com/
# Should see: cert.pem, chain.pem, fullchain.pem, privkey.pem
```
A missing intermediate is the classic "works in one client, fails in another" case: desktop Chrome fetches the intermediate from the certificate's AIA URL and Firefox often has it cached from another site, while curl, Python, Java and Android apps do not fetch it and fail with `unable to get local issuer certificate`.
Configure your web server to use the full chain (leaf first, then the intermediates; the root itself is not needed and only adds bytes to every handshake):
```nginx
# Nginx - use fullchain.pem, not cert.pem
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
```
Apache 2.4.8 and later accepts the same fullchain file in `SSLCertificateFile`, so the separate `SSLCertificateChainFile` directive is no longer needed. Reload the server and re-run the certificate count above; it should now report 2 or more.
Step 4: Verify Domain Matching
```bash
# Check Subject Alternative Names
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | grep -A 1 "Subject Alternative Name"

# Check Common Name (informational only; modern browsers ignore it)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject
```
The hostname in the URL must match one of the DNS entries in the Subject Alternative Name extension. Chrome (since version 58), Firefox and current Apple platforms no longer fall back to the Common Name, so a certificate that carries the name only in the CN fails with `NET::ERR_CERT_COMMON_NAME_INVALID`. A wildcard entry such as `*.example.com` matches exactly one label: it covers `www.example.com` but not `example.com` itself or `a.b.example.com`, so list the bare domain as a separate SAN.
Step 5: Check for Revocation
```bash
# Get OCSP URL from certificate
openssl x509 -in cert.pem -noout -ocsp_uri

# Check revocation via OCSP (chain.pem must be the intermediate that issued cert.pem)
openssl ocsp -issuer chain.pem -cert cert.pem -url $(openssl x509 -in cert.pem -noout -ocsp_uri) -resp_text

# Or check CRL
openssl x509 -in cert.pem -noout -text | grep -A 4 "CRL Distribution Points"
```
A healthy response prints `Response verify OK` followed by `cert.pem: good`. A `revoked` status is a different problem from the trust errors above (Chrome reports it as `NET::ERR_CERT_REVOKED`) and is fixed by reissuing the certificate, not by changing trust stores. If the responder answers `unauthorized`, the `-issuer` file is usually not the certificate that actually signed `cert.pem`.
Step 6: Comprehensive Verification
`openssl verify` only reads the first certificate from each file it is asked to verify, so pass the leaf as the target and the intermediates with `-untrusted`. The trust bundle path varies by distribution: `/etc/ssl/certs/ca-certificates.crt` on Debian/Ubuntu, `/etc/pki/tls/certs/ca-bundle.crt` (also linked as `/etc/ssl/certs/ca-bundle.crt`) on RHEL.
```bash
# Full verification against system trust store
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted chain.pem cert.pem

# With specific host verification
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted chain.pem -verify_hostname example.com cert.pem

# Test actual connection (curl reports the verify result and the subject/issuer it saw)
curl -vI https://example.com 2>&1 | grep -E "SSL certificate verify|subject:|issuer:"
```
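The failure modes from Steps 2 through 4 and the `openssl verify` calls from Step 6 can be reproduced offline against a throwaway PKI. The script below is an added example and is not part of the original page: it generates a root, an intermediate, a leaf for the made-up name `www.example.test` and a self-signed certificate, then classifies each `openssl verify` result into the cause it points at. It assumes OpenSSL 1.1.1 or newer on PATH; the CA names and hostnames are invented for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original page. Builds a throwaway PKI with
# openssl and reproduces the trust failures from Steps 2, 3 and 4, then the
# fixes. Assumes openssl 1.1.1 or newer on PATH; every name below (the
# "Example Test" CAs, *.example.test) is invented for the demonstration.
set -u

# Create root CA -> intermediate CA -> leaf for www.example.test, plus a
# separate self-signed server certificate. Prints the directory holding them.
make_test_pki() {
  local dir newkey
  dir=$(mktemp -d)
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
commonName = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
[v3_selfsigned]
basicConstraints = CA:TRUE
subjectAltName = DNS:selfsigned.example.test
EOF
  # P-256 keys generate instantly; left unquoted on purpose so it word-splits.
  newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 -config "$dir/ext.cnf" -extensions v3_ca $newkey -days 30 \
    -subj "/CN=Example Test Root" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -config "$dir/ext.cnf" $newkey \
    -subj "/CN=Example Test Intermediate" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions v3_ca -days 30 -out "$dir/inter.pem" 2>/dev/null
  openssl req -new -config "$dir/ext.cnf" $newkey \
    -subj "/CN=www.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions v3_leaf -days 30 -out "$dir/leaf.pem" 2>/dev/null
  # Self-signed server cert, shaped like what a bare `openssl req -x509` produces.
  openssl req -x509 -config "$dir/ext.cnf" -extensions v3_selfsigned $newkey -days 30 \
    -subj "/CN=selfsigned.example.test" -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
  # The bundle a correctly configured server sends: leaf first, then intermediate.
  cat "$dir/leaf.pem" "$dir/inter.pem" > "$dir/fullchain.pem"
  echo "$dir"
}

# Verify CERT against the trust store CAFILE the way a client does and print
# one token: OK, MISSING_INTERMEDIATE, SELF_SIGNED, HOSTNAME_MISMATCH or OTHER.
# Optional: CHAIN, a file of extra certs the server sent (passed as -untrusted),
# and HOST, the name the client asked for (checked against the SANs).
# Usage: diagnose CAFILE CERT [CHAIN] [HOST]
diagnose() {
  local cafile="$1" cert="$2" chain="${3:-}" host="${4:-}" out
  set -- -CAfile "$cafile"
  if [ -n "$chain" ]; then set -- "$@" -untrusted "$chain"; fi
  if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
  if out=$(openssl verify "$@" "$cert" 2>&1); then
    echo OK
    return 0
  fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo MISSING_INTERMEDIATE ;;   # error 20
    *"self signed certificate"*|*"self-signed certificate"*) echo SELF_SIGNED ;;  # 18/19; hyphen added in 3.0
    *"ostname mismatch"*) echo HOSTNAME_MISMATCH ;;   # error 62; capitalised in 1.1.x
    *) echo "OTHER: $out" ;;
  esac
  return 1
}

demo() {
  local d
  d=$(make_test_pki)
  printf '%-42s %s\n' "leaf only (no intermediate served):" "$(diagnose "$d/root.pem" "$d/leaf.pem")"
  printf '%-42s %s\n' "leaf + fullchain served:" "$(diagnose "$d/root.pem" "$d/leaf.pem" "$d/fullchain.pem")"
  printf '%-42s %s\n' "same, requested as www.example.test:" "$(diagnose "$d/root.pem" "$d/leaf.pem" "$d/fullchain.pem" www.example.test)"
  printf '%-42s %s\n' "same, requested as api.example.test:" "$(diagnose "$d/root.pem" "$d/leaf.pem" "$d/fullchain.pem" api.example.test)"
  printf '%-42s %s\n' "self-signed, not in trust store:" "$(diagnose "$d/root.pem" "$d/self.pem")"
  printf '%-42s %s\n' "self-signed, after trusting it:" "$(diagnose "$d/self.pem" "$d/self.pem")"
  rm -rf "$d"
}

demo
```

The `diagnose` helper is the part you would reuse against a real server: save what it sends with `openssl s_client -showcerts`, pass the leaf as the certificate, the rest as the chain argument and the name you typed into the browser as the host, and the token tells you which step above applies. Note that the first case reports `MISSING_INTERMEDIATE` even though `leaf.pem` is perfectly valid; nothing is wrong with the certificate, the server simply did not send the intermediate, which is exactly the situation `fullchain.pem` fixes.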
Common Pitfalls
- Using `cert.pem` instead of `fullchain.pem` in the Nginx config
- Forgetting to add the intermediate to the Java keystore separately
- Testing on the same machine where you added the cert to the trust store, so it looks fixed locally while every other client still fails
- Not realizing different browsers/devices have different root stores
- Certificate works in Chrome but fails in Firefox (Chrome honours roots added to the OS store; Firefox uses its own NSS store)
Best Practices
- Always use certificates from trusted public CAs for public-facing services
- Use fullchain certificate bundles in server configuration
- Test with SSL Labs after certificate changes
- Set up certificate monitoring that checks trust chain validity
- Document certificate renewal process and CA relationships
- For internal services, establish a private CA and distribute root cert properly
Related Issues
- SSL Certificate Chain Incomplete
- SSL Certificate Name Mismatch
- SSL Certificate Expired
- SSL Self-Signed Certificate
Related Articles
- [SSL certificate troubleshooting: Fix Certificate And Private Key Do Not Match Issue](certificate-and-private-key-do-not-match)
- [Fix Acme Account Still Using Old DNS Provider Credentials After Migration Issue in SSL](fix-acme-account-still-using-old-dns-provider-credentials-after-migration)
- [Fix Acme Challenge Returning 404 Issue in SSL](fix-acme-challenge-returning-404)
- [Fix Acme Http 01 Challenge Failing Due To Redirect Issue in SSL](fix-acme-http-01-challenge-failing-due-to-redirect)
- [Fix Apache Too Many Redirects After SSL Issue in SSL](fix-apache-too-many-redirects-after-ssl)
Published by the FixWikiHub Editorial Team on 2025-11-16 at https://www.fixwikihub.com/fix-ssl-certificate-not-trusted