Why Your SSL Certificate Is Untrusted and How to Fix It
This guide explains the five most common reasons an SSL certificate appears untrusted—such as using a self‑signed certificate, misconfigured trust chain, missing domain coverage, expiration, or lack of SNI support—and provides practical steps to resolve each issue.
In this article the author, who has four years of experience with SSL certificates, outlines the five common reasons why an SSL certificate may be reported as untrusted and provides guidance on how to avoid each issue.
1. Certificate not issued by a recognized Certificate Authority (CA)
Self‑signed certificates are not trusted by browsers because they do not chain to a root certificate in the operating system's trusted store. A certificate from a recognized CA such as StartCom, Comodo, GeoTrust or GlobalSign should be purchased instead.
2. Incorrect trust‑chain configuration
Most CAs issue an intermediate certificate rather than signing directly with the root. The proper chain (Root → Intermediate → Your domain) must be installed; otherwise the system cannot verify the issuer.
|---Londry Root CA
    |---Londry EV SSL CA G2 (intermediate)
        |---www.yourdomain.com
If the intermediate certificate is omitted, the chain is incomplete and the certificate will be marked as untrusted.
3. Incomplete domain name coverage
If the CSR contains only the apex domain (e.g., londry.cn) and not the www sub‑domain, the issued certificate will not match requests to www.londry.cn, resulting in a trust warning. Request a re‑issue that includes all required hostnames.
4. Expired or revoked certificate
Certificates that have passed their validity period or have been revoked must be renewed or replaced by contacting the provider.
5. Client does not support SNI
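Older operating systems such as Windows XP SP2 or Android 4.2 lack Server Name Indication (SNI) support. SNI allows multiple SSL sites to share a single IP address: the client names the host it wants during the handshake, so the server can present the matching certificate. A client without SNI receives the server's default certificate, which may not match the requested domain and is then reported as untrusted. SNI is now supported by virtually all modern browsers and OSes.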
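The checks behind causes 1, 3 and 4 can be run over the parsed fields of a certificate. The following is an added example, not code from the original article: it takes a dictionary shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and the sample certificates, their dates and the result labels are constructed for illustration. It does not validate the chain (cause 2) or check revocation.

```python
import ssl

def dns_names(cert):
    """DNS entries of subjectAltName; modern clients match hostnames against these."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # "*.londry.cn" covers neither londry.cn nor a.b.londry.cn
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, hostname, now):
    """Return the trust problems found for `hostname` at `now` (epoch seconds)."""
    problems = []
    if cert["subject"] == cert["issuer"]:
        # Heuristic: same subject and issuer name. Also true of a CA's own root.
        problems.append("self-signed")
    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        problems.append("hostname-not-covered")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed samples: a certificate issued for the apex domain only,
# and a self-signed variant that does carry a wildcard name.
APEX_ONLY = {
    "subject": ((("commonName", "londry.cn"),),),
    "issuer": ((("commonName", "Londry EV SSL CA G2"),),),
    "notBefore": "Apr 11 00:00:00 2016 GMT",
    "notAfter": "Apr 11 00:00:00 2017 GMT",
    "subjectAltName": (("DNS", "londry.cn"),),
}
SELF_SIGNED = dict(APEX_ONLY, issuer=APEX_ONLY["subject"],
                   subjectAltName=(("DNS", "londry.cn"), ("DNS", "*.londry.cn")))
MID_2016 = ssl.cert_time_to_seconds("Jul 15 00:00:00 2016 GMT")
MID_2018 = ssl.cert_time_to_seconds("Jul 15 00:00:00 2018 GMT")

if __name__ == "__main__":
    for cert, host, when in [(APEX_ONLY, "www.londry.cn", MID_2016),
                             (APEX_ONLY, "londry.cn", MID_2018),
                             (SELF_SIGNED, "www.londry.cn", MID_2016)]:
        print(host, diagnose(cert, host, when))
```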
Original article by londry: https://londry.cn/2016/04/11/sslnottrusted.html
