Websites use SSL certificates to encrypt website data and improve website security, so most webmasters configure and deploy SSL certificates for their websites. Once a certificate is in use, however, it is sometimes reported as not trusted, which often confuses webmasters. Here are 5 common reasons why your SSL certificate is not trusted.
1. The certificate does not fully match the domain name
Most of the time the certificate authority will issue a certificate that fully matches our domain name, but sometimes a certificate authority may be negligent.
2. The source of the certificate is not a recognized certificate authority
As we all know, an SSL certificate is only valid if it is a digital certificate issued by a formal institution. A self-signed digital certificate (SSL certificate, mail certificate, client certificate, code certificate, etc.) does not cost a penny, but it will not be trusted by the operating system on the client side. This situation results in "SSL certificate not trusted". Therefore, before you buy an SSL certificate, you should know whether the SSL certificate provided by the service provider is issued by a recognized official organization. The CA certificate of a recognized certificate authority is built into the operating system or browser by default; that is, it is a certificate the client operating system trusts by default. Common recognized digital certificate authorities are Startcom, Comodo, Geotrust, Globalsign, etc.
3. The client does not support the SNI protocol
This happens when the operating system used by the user is below Windows XP SP2 or below Android 4.2. Because these operating systems are too old, the system manufacturer does not provide the SNI protocol, so it cannot be used.
The SNI protocol is a technology that allows multiple domain names with SSL certificates to share a single IP address. Most major operating systems and browsers now support it. A long time ago, each SSL certificate needed to be bound to its own IP address, but the IPv4 address pool gradually ran short, so SNI was born.
4. The certificate used is invalid
After the certificate expires, it may be revoked if it is not renewed in time. Therefore, after renting an SSL certificate, you should renew it with the IDC provider in time.
5. The trust chain configuration of the digital certificate fails
For security and other reasons, most issuing authorities do not use the root certificate to issue client certificates directly. A client certificate that the issuing authority does issue directly from the root certificate will be very expensive.
Instead, there is an intermediate certificate between the site certificate and the trusted root certificate, belonging to what is called an intermediate certificate authority (CA). When the operating system has only the root certificate authority built in, but the user is presented with only the domain name certificate, the certificate chain cannot be confirmed and the certificate is marked as untrusted. To avoid this situation, you need to ensure the integrity of the certificate chain when configuring and deploying the SSL certificate.
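The checks behind reasons 1, 2, 4 and 5 can be modelled in a few lines. The following is an added example, not code from the original article: it works on simplified certificate records with constructed, hypothetical names, performs no signature verification, and does not cover SNI (reason 3).

```python
from datetime import datetime, timezone

def host_matches(pattern, host):
    """Compare one certificate name with the host; '*' covers one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def diagnose(host, served, trusted_roots, now):
    """Return the article's numbered reasons why the served chain is untrusted.

    served: certificates in the order the server sends them, leaf first.
    trusted_roots: subject names of the CA certificates built into the client.
    """
    leaf, problems = served[0], []
    if not any(host_matches(name, host) for name in leaf["names"]):
        problems.append("1: domain name mismatch")
    if any(now > cert["not_after"] for cert in served):
        problems.append("4: certificate expired")
    by_subject = {cert["subject"]: cert for cert in served}
    cert, seen = leaf, set()
    # Walk from the leaf towards a built-in root, using only what the server sent.
    while cert["issuer"] not in trusted_roots:
        if cert["issuer"] == cert["subject"]:
            problems.append("2: self-signed, issuer not recognized")
            break
        parent = by_subject.get(cert["issuer"])
        if parent is None or parent["subject"] in seen:
            problems.append("5: incomplete chain, missing " + cert["issuer"])
            break
        seen.add(cert["subject"])
        cert = parent
    return problems

# Constructed sample data (hypothetical names, not real certificates).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRY = datetime(2025, 1, 1, tzinfo=timezone.utc)
ROOTS = {"Example Root CA"}
LEAF = {"subject": "www.example.test", "issuer": "Example Intermediate CA",
        "names": ["example.test", "*.example.test"], "not_after": EXPIRY}
INTERMEDIATE = {"subject": "Example Intermediate CA", "issuer": "Example Root CA",
                "names": [], "not_after": EXPIRY}

if __name__ == "__main__":
    print(diagnose("www.example.test", [LEAF, INTERMEDIATE], ROOTS, NOW))
    print(diagnose("www.example.test", [LEAF], ROOTS, NOW))
```

The second call shows the chain failure from reason 5: the leaf is valid and matches the host, but without the intermediate certificate in the served chain the client cannot reach a built-in root.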