SSL Error: Invalid Certificate Authority
Diagnose and resolve the NET::ERR_CERT_AUTHORITY_INVALID error.
The NET::ERR_CERT_AUTHORITY_INVALID error indicates that the browser doesn't trust the authority that issued the SSL certificate. Every SSL certificate is signed by a Certificate Authority (CA) that guarantees the domain owner's identity. If this CA isn't recognized by the browser, the entire chain of trust is broken.
This error is often more complex to resolve than other SSL errors because it involves the certificate chain. A valid SSL certificate isn't enough: all intermediate certificates up to the root must also be correctly installed and recognized by browsers.
In this guide, we'll explore common causes of this error and give you tools to diagnose and fix it. Whether your certificate is self-signed, the chain is incomplete, or the CA is obsolete, you'll find the right solution.
Error Manifestations
How this error appears in different browsers:
- Chrome: displays NET::ERR_CERT_AUTHORITY_INVALID with "This server couldn't prove that it is [domain]; its security certificate is not trusted".
- Firefox: displays SEC_ERROR_UNKNOWN_ISSUER indicating the certificate issuer isn't recognized.
- Safari: displays "Safari can't verify the identity of the website" with details about the untrusted certificate.
- Mobile devices: mobile apps may crash or display secure connection errors without technical details.
Causes of Authority Error
Several situations can trigger this error:
- Self-signed certificate: the certificate was generated locally without being signed by a recognized CA. Common in development but unacceptable in production.
- Incomplete certificate chain: intermediate certificates aren't installed on the server. The browser can't trace back to the root CA.
- Unrecognized or obsolete CA: the certificate authority isn't in the browser's trust store, or has been distrusted and removed from it.
- Proxy interception: a corporate proxy or antivirus is inspecting HTTPS traffic and presenting its own unrecognized certificate.
Error Diagnosis
Follow these steps to identify the cause:
- Examine the certificate: click the certificate icon to see who issued it. A self-signed certificate will have the same name for "Issued by" and "Issued to".
- Check the chain: use SSL Labs to analyze the complete chain. It will flag if intermediate certificates are missing.
- Test outside corporate network: if the error only appears on the corporate network, an SSL proxy is probably intercepting traffic.
- Check antivirus: some antivirus products (e.g. Avast, Kaspersky) inspect HTTPS traffic and can cause this error.
Certificate Chain Verification
Use this command to see the complete chain:
#!/bin/bash
# Display the complete certificate chain a server presents
DOMAIN="${1:-example.com}"   # domain to check, optionally passed as first argument
echo "=== Certificate chain for $DOMAIN ==="
# Write each PEM block sent by the server to its own file: cert1.pem is the
# server (leaf) certificate, cert2.pem, cert3.pem, ... are the intermediates.
openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" -showcerts </dev/null 2>/dev/null | awk '
  /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
    if (/-----BEGIN/) { cert++ }
    print > ("cert" cert ".pem")   # parentheses: without them awk may misparse the file name
  }
  END { print "Number of certificates in chain: " cert+0 }'
# Display subject and issuer of each certificate, then remove the temporary file
for cert in cert*.pem; do
  [ -e "$cert" ] || continue   # no certificate was captured (connection failed?)
  echo ""
  echo "=== $cert ==="
  openssl x509 -in "$cert" -noout -subject -issuer
  rm -f "$cert"
done
This script lists every certificate the server sends, with its subject and issuer: the first one is your own (leaf) certificate and the following ones should be the intermediates. A complete chain should have 2-3 certificates: yours, the intermediate(s), and optionally the root. If the output stops at your certificate, or a certificate's issuer does not match the subject of the next one, an intermediate is missing.
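The diagnosis steps above (comparing "Issued by" with "Issued to", checking that the chain links up to a recognized root) can be automated on top of the same openssl output. The following Python script is an added example for this article, not code from the original page or from MoniTao: it parses the subject/issuer lines that `openssl x509 -noout -subject -issuer` prints for each certificate, walks the chain, and reports which of the causes listed earlier applies. The `TRUSTED_ROOTS` set is a constructed stand-in for a browser's trust store (two real root subjects, not the full list), the `SAMPLE_*` strings are constructed openssl outputs, and the `fetch_chain` helper assumes `openssl` is on the PATH and the host is reachable.

```python
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed stand-in for a browser trust store: two real root subjects,
# far from the full list a browser ships with.
TRUSTED_ROOTS = {
    "C = US, O = Internet Security Research Group, CN = ISRG Root X1",
    "C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2",
}

# Constructed sample outputs of `openssl x509 -noout -subject -issuer`,
# one per certificate, in the order a server would send them.
SAMPLE_LEAF = "subject=CN = example.com\nissuer=C = US, O = Let's Encrypt, CN = R3\n"
SAMPLE_INTERMEDIATE = (
    "subject=C = US, O = Let's Encrypt, CN = R3\n"
    "issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
)
SAMPLE_SELF_SIGNED = "subject=CN = dev.local\nissuer=CN = dev.local\n"


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        # "Issued by" equals "Issued to": the check from the diagnosis steps.
        return self.subject == self.issuer


def parse_x509_text(text: str) -> CertInfo:
    """Parse the subject=/issuer= lines printed by openssl x509."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("subject", "issuer"):
            fields[key] = value.strip()
    if "subject" not in fields or "issuer" not in fields:
        raise ValueError("openssl output lacks a subject or issuer line")
    return CertInfo(fields["subject"], fields["issuer"])


def split_pem(blob: str) -> list[str]:
    """Extract each PEM certificate block from `openssl s_client -showcerts` output."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", blob, re.S)


def diagnose(chain: list[CertInfo], trusted_roots: set[str]) -> str:
    """Map a presented chain to one of the causes of NET::ERR_CERT_AUTHORITY_INVALID."""
    if not chain:
        return "no certificate presented"
    if chain[0].is_self_signed():
        return "self-signed certificate"
    # Each certificate must be issued by the next one the server sent.
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return (f"broken chain: certificate {i} issued by '{chain[i].issuer}' "
                    f"but certificate {i + 1} is '{chain[i + 1].subject}'")
    last = chain[-1]
    if last.is_self_signed():  # the server also sent the root itself
        if last.subject in trusted_roots:
            return f"complete chain ending in trusted root '{last.subject}'"
        return f"root CA not in trust store: '{last.subject}'"
    if last.issuer in trusted_roots:
        return f"complete chain up to trusted root '{last.issuer}'"
    # Either an intermediate is missing or the CA is unknown; without the CA's
    # own list of intermediates the two cases cannot be told apart here.
    return f"incomplete chain or unrecognized CA: issuer '{last.issuer}' not in trust store"


def diagnose_openssl_texts(texts: list[str], trusted_roots: set[str] = TRUSTED_ROOTS) -> str:
    """Convenience wrapper: diagnose from raw `openssl x509` text blocks."""
    return diagnose([parse_x509_text(t) for t in texts], trusted_roots)


def fetch_chain(domain: str, port: int = 443) -> list[CertInfo]:
    """Run the same openssl commands as the shell script above (assumes openssl on PATH)."""
    shown = subprocess.run(
        ["openssl", "s_client", "-connect", f"{domain}:{port}", "-servername", domain, "-showcerts"],
        input="", capture_output=True, text=True, check=False,
    ).stdout
    chain = []
    for pem in split_pem(shown):
        info = subprocess.run(
            ["openssl", "x509", "-noout", "-subject", "-issuer"],
            input=pem, capture_output=True, text=True, check=True,
        ).stdout
        chain.append(parse_x509_text(info))
    return chain


if __name__ == "__main__":
    print(diagnose_openssl_texts([SAMPLE_LEAF, SAMPLE_INTERMEDIATE]))  # chain is complete
    print(diagnose_openssl_texts([SAMPLE_LEAF]))                       # intermediate missing
    print(diagnose_openssl_texts([SAMPLE_SELF_SIGNED]))                # self-signed
```

Run it as-is to see the three constructed cases, or call `diagnose(fetch_chain("yourdomain.example"), TRUSTED_ROOTS)` against a real host. Note that the checker only compares names; it does not verify signatures, and browsers may fetch a missing intermediate themselves, so a chain this script flags as incomplete can still load in one browser and fail in another, which is exactly why the intermediates must be installed on the server.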
Best Practices
Avoid this error with these recommendations:
- Install the complete chain: when installing a certificate, always include the intermediate certificates provided by your CA.
- Use recognized CAs: choose universally recognized authorities like Let's Encrypt, DigiCert, or Sectigo.
- Test after installation: use SSL Labs after any certificate change to verify the chain is complete.
- Avoid self-signed: never use self-signed certificates in production. Let's Encrypt is free and automatable.
Authority Diagnostic Checklist
- Certificate type identified (self-signed or CA)
- Certificate chain analyzed with SSL Labs
- Test performed outside corporate network
- Antivirus/proxy checked
- Intermediate certificates installed
- CA recognized by modern browsers
Frequently Asked Questions
Can I use a self-signed certificate in production?
No, self-signed certificates aren't recognized by browsers and will cause errors for all visitors. Use Let's Encrypt, which is free.
How do I get intermediate certificates?
Your certificate authority provides them when issuing the certificate. For Let's Encrypt, Certbot installs them automatically.
The error only appears at the office, is it the proxy?
Very likely. Corporate proxies often inspect HTTPS traffic using their own certificate. Contact your IT team.
Can my antivirus cause this error?
Yes, some antivirus products inspect HTTPS traffic. Temporarily disable SSL inspection in your antivirus settings to test.
What if my CA is no longer recognized?
Replace your certificate with a new one issued by a recognized CA. For example, Symantec is no longer recognized by Chrome.
How can MoniTao help?
MoniTao checks not only certificate validity but also the complete chain. You're alerted if a problem is detected.
Establish a Complete Chain of Trust
The invalid certificate authority error often requires correctly rebuilding the certificate chain. Make sure to use a recognized CA and install all intermediate certificates.
MoniTao monitors the validity of your certificate and its chain. Configure a monitor to be alerted immediately if a problem occurs.