ERR_CERT_AUTHORITY_INVALID

SSL/TLS Error

What Does ERR_CERT_AUTHORITY_INVALID Mean?

ERR_CERT_AUTHORITY_INVALID is an SSL/TLS error that occurs when your browser cannot verify the certificate authority (CA) that signed the website's SSL certificate. Browsers expect every SSL certificate to be signed by a CA they trust. When the signing CA cannot be traced back to the browser's trusted root certificate store, the browser blocks the connection and displays this error.

This error is one of the most common SSL certificate problems encountered by both website visitors and administrators. It indicates a break in the chain of trust that SSL/TLS relies on to verify website identities. The certificate may be perfectly valid in terms of its cryptographic properties, but if the issuing authority is not recognized, the browser cannot confirm the website's identity.

In most cases, this error is caused by server misconfiguration rather than a genuine security threat. However, you should never bypass this warning on websites that handle sensitive data, as it could indicate a man-in-the-middle attack where someone is intercepting your connection with a fraudulent certificate.

Common Causes

The most frequent cause is a self-signed certificate being used on a production server. Self-signed certificates are not issued by a trusted CA and are only suitable for development or internal testing environments. When a website uses a self-signed certificate, every visitor's browser will display this error because no trusted authority vouches for the certificate's authenticity.

Missing intermediate certificates are another major cause. SSL certificates form a chain: your certificate is signed by an intermediate CA, which is signed by a root CA. If the server does not send the intermediate certificate(s), the browser cannot trace the chain back to a trusted root, resulting in this error. This is a server-side configuration issue that the website administrator must fix.

Expired root CA certificates in the operating system or browser can also trigger this error. If your system's certificate store is outdated, it may not contain newer CAs. Additionally, corporate environments with SSL inspection proxies often inject their own CA certificate, which must be installed on all client machines to avoid this error.

Step-by-Step Fix

For website visitors: First, check your system's date and time settings, as an incorrect clock can cause certificate validation to fail. Update your operating system and browser to ensure you have the latest trusted root certificates. Clear your browser's SSL cache (in Chrome: Settings > Privacy > Security > Manage certificates). If you're on a corporate network, contact your IT department as they may need to install a proxy CA certificate on your machine.

For website administrators: Verify your SSL certificate chain is complete by using an SSL checker tool. Ensure all intermediate certificates are installed on your server. If you're using a self-signed certificate, replace it with one from a trusted CA like Let's Encrypt (free), DigiCert, or Comodo. For Apache, include the SSLCertificateChainFile directive. For Nginx, concatenate the intermediate certificate with your server certificate in the ssl_certificate file.

If the issue persists, test your configuration with online SSL testing tools to identify exactly where the chain breaks. Make sure your certificate matches your domain name and has not expired. Consider using Let's Encrypt with Certbot for automatic certificate management, which handles chain configuration automatically.
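The missing-intermediate and self-signed causes described above can be reproduced offline. This is an added example, not part of the original page. It assumes the openssl command-line tool is installed, and every name in it (demo-root, www.example.test, the file names) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway PKI (root -> intermediate -> leaf) built in a temp dir.
# Every name here (demo-root, www.example.test, file names) is constructed.

build_demo_pki() {  # $1 = output directory
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  for n in root int leaf; do   # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  sign() { openssl x509 -req -days 30 -extfile "$d/x.cnf" "$@" 2>/dev/null; }
  sign -in "$d/root.csr" -signkey "$d/root.key" -extensions ca -out "$d/root.pem" &&
  sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
       -extensions ca -out "$d/int.pem" &&
  sign -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
       -extensions leaf -out "$d/leaf.pem" &&
  sign -in "$d/leaf.csr" -signkey "$d/leaf.key" -extensions leaf -out "$d/self.pem"
}

# Client view: the trust store holds only the root.
# $1 = dir, $2 = certificate presented, $3 = intermediates the server sent (optional)
client_trusts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$2" >/dev/null 2>&1
  fi
}

verdict() { if client_trusts "$@"; then echo trusted; else echo "NOT trusted"; fi; }

DEMO=$(mktemp -d) && build_demo_pki "$DEMO" || { echo "PKI setup failed" >&2; exit 1; }
echo "leaf only (intermediate missing): $(verdict "$DEMO" "$DEMO/leaf.pem")"
echo "leaf + intermediate:              $(verdict "$DEMO" "$DEMO/leaf.pem" "$DEMO/int.pem")"
echo "self-signed leaf:                 $(verdict "$DEMO" "$DEMO/self.pem")"
```

Only the second case verifies: the same leaf certificate fails when the intermediate is withheld, which is the server-side omission an administrator has to correct. Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends.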

Frequently Asked Questions

What does ERR_CERT_AUTHORITY_INVALID mean?

ERR_CERT_AUTHORITY_INVALID means your browser does not trust the certificate authority that signed the website's SSL certificate. This usually happens with self-signed certificates, missing intermediate certificates, or outdated root certificate stores.

Is it safe to bypass ERR_CERT_AUTHORITY_INVALID?

You should never bypass this error on websites that handle sensitive information like banking, email, or shopping. It may be acceptable for internal development servers you control. Bypassing this warning on unknown websites could expose you to man-in-the-middle attacks.

How do I fix ERR_CERT_AUTHORITY_INVALID on my website?

Install a valid SSL certificate from a trusted Certificate Authority. Ensure all intermediate certificates are properly configured on your server. Use Let's Encrypt for a free, trusted certificate. Test your SSL configuration with an online SSL checker to verify the complete certificate chain.

Why does ERR_CERT_AUTHORITY_INVALID appear on all websites?

If this error appears on every website, your system clock may be wrong, your root certificate store may be outdated, or a proxy/antivirus may be interfering. Update your OS, check your date/time settings, and try disabling SSL scanning in your antivirus software.

Can a VPN cause ERR_CERT_AUTHORITY_INVALID?

Yes, some VPNs and corporate proxies perform SSL inspection, which requires installing their CA certificate on your device. If their CA certificate is not installed, you will see this error. Contact your VPN provider or IT department for the correct CA certificate to install.