If the SSL certificate is invalid, users may encounter security warnings when accessing the website. There are many reasons for the SSL certificate invalidity. The solution is different for different reasons. Let's talk about the common situations of invalid SSL certificates.
SSL certificates are used with an expiration date and are considered invalid once they expire. The certificate needs to be renewed and the certificate authority reapplies. It is also possible that the certificate chain is incomplete, and the certificate chain should be a chain of root certificates, intermediate certificates, and server certificates. When the intermediate certificate in the chain is missing or incorrectly configured, the browser has no way to verify the validity of the certificate.
If the certificate chain is incomplete, install the complete certificate chain and check the configuration. Ensure that a complete certificate chain is installed on the server, including all intermediate certificates. You can obtain the certificate chain information from the certificate authority. The integrity of the certificate chain can be checked with the SSL Test of the tool SSL Labs.
The certificate's domain name must match the access domain name. If the certificate www.example.com and you access example.com, an invalid certificate error occurs. Check the domain name of the certificate. Ensure that the domain name in the certificate matches the actual domain name. For example, the subdomain name must also be included in the certificate. If the domain name does not match, you need to apply for a new certificate with the correct domain name.
If the certificate is not trusted, the SSL certificate may become invalid. This may be because the certificate was issued by an untrusted CA, or the root certificate is not trusted by the browser or operating system. Make sure the certificate is issued by a trusted certificate authority, common trusted CA's include Let's Encrypt, DigiCert, GlobalSign, etc.
If you are using a self-signed or untrusted CA certificate, you need to add the root certificate to the trusted certificate store.
When the certificate is revoked by the issuing authority, security problems or certificate information changes may cause the SSL certificate to become invalid. Use a CRL or OCSP to check the certificate revocation status. If the certificate has been revoked, you need to apply for a new certificate. Apply for a new certificate and be sure to start using it before revoking it.
If the SSL certificate is incorrectly configured, for example, the private key does not match the certificate or the certificate file format is incorrect. Use the OpenSSL tool to check whether the private key and certificate match:
openssl x509 -noout -modulus -in your_certificate.crt | openssl md5
openssl rsa -noout -modulus -in your_private_key.key | openssl md5
Check whether the SSL certificate configuration in the configuration file is correct.
Problems with the browser or operating system cache may also cause SSL certificate errors. Sometimes the browser or operating system may cache old certificate information, resulting in invalid certificate errors. This can be done from trying to clear the browser cache and SSL status, or restarting the operating system. Ensure that the system and browser are updated to the latest version, and obtain the latest certificate root and intermediate certificates.
If the intermediate certificate is incorrectly configured, the SSL certificate authentication fails. Ensure that the required intermediate certificates are installed on the server and that the correct certificate chain file is obtained from the certificate authority.
If the SSL certificate is still invalid, contact the issuing authority or technical support for more help.