What are the reasons why SSL certificates are not trusted?

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article covers the reasons why an SSL certificate is not trusted. The editor finds the topic very practical and shares it here; I hope you get something out of it.

Many website managers run into the same confusion: why do browsers still show warnings to visitors when the website already has an SSL certificate installed? There are five main reasons.

1. The certificate is not issued by a trusted CA

Readers familiar with certificates will know that SSL certificates can be divided into self-signed certificates and paid certificates. With a self-signed certificate, the owner issues the digital certificate to themselves, and it can be used on HTTPS websites as well. However, this kind of certificate, although low in cost, is not trusted by browsers, so when customers visit, the system raises an untrusted-certificate warning.

Therefore, to ensure both the security of the website and a good experience for its users, it is very important that websites, especially corporate websites, purchase digital certificates issued by trusted government authorities. At present, the better-known CAs worldwide are mainly Symantec, CFCA, GeoTrust, GlobalSign and so on.

2. Digital certificate trust chain configuration error

The SSL certificates we commonly use are rarely issued directly from a CA's root certificate; most of them are second-level certificates. That is, there is an intermediate certificate between our certificate and the trusted root certificate, and its issuer is called an intermediate certificate authority (intermediate CA). If we do not configure the intermediate CA certificate, the operating system cannot determine who the real issuer of the SSL certificate is.

If we install only the final domain name certificate and leave out the intermediate certificate, the certificate chain is incomplete: the system cannot trace back to the issuing authority of the root certificate and judges the certificate to be untrusted. To solve this problem, when installing the SSL certificate on the server we also need to make the certificate chain complete before it can be used properly.

3. Certificate and domain name do not match

In most cases, the certification authority will make sure the certificate fully matches our domain names, but sometimes this is overlooked. If, when we apply for a digital certificate, only the primary domain name is defined in our CSR and no additional domain names are added as DNS entries, then once the certificate is issued, visits to those other domain names will not be trusted, and the browser will report that the certificate does not belong to this domain name. In that case, you need to contact the certification authority or certificate provider to reissue the certificate with the domain name included.

4. The certificate has passed its validity period.

SSL certificates are valid only for a limited period of time. If the certificate has expired, the system will also raise a warning when a user visits the website. You can view the validity period of the certificate through the browser's Internet options. If the validity period has passed, you need to contact the domain name service provider and renew the certificate in time to keep the website operating and accessible.
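Causes 2, 3 and 4 above can be reproduced offline. The script below is an added example, not part of the original article: it builds a throwaway root, intermediate and leaf certificate with the `openssl` CLI (all names, such as `www.example.test`, are constructed placeholders) and shows how verification of the same leaf changes when the intermediate is missing, the host name does not match, or the validity period has passed.

```shell
#!/bin/sh
# Added example. Everything here is constructed: a throwaway root -> intermediate -> leaf
# PKI with placeholder names, built in a temp dir with the openssl CLI.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {  # $1 = subject prefix, $2 = issuer prefix, $3 = extension section, $4 = days valid
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$3" -days "$4" -out "$1.pem" 2>/dev/null
}
check() { # verify leaf.pem with only the root trusted, plus any extra options passed in
  if openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca_ext \
  -subj "/CN=Example Root CA" -days 365 -keyout root.key -out root.pem 2>/dev/null
csr int "Example Intermediate CA"; sign int root ca_ext 365
csr leaf "www.example.test";       sign leaf int leaf_ext 30
later=$(( $(date +%s) + 40 * 86400 ))   # a moment after the 30-day leaf has expired

echo "leaf only, no intermediate:   $(check)"
echo "with intermediate:            $(check -untrusted int.pem)"
echo "name www.example.test:        $(check -untrusted int.pem -verify_hostname www.example.test)"
echo "name shop.example.test:       $(check -untrusted int.pem -verify_hostname shop.example.test)"
echo "checked 40 days from now:     $(check -untrusted int.pem -attime "$later")"
```

On a real server the equivalent fix for cause 2 is to serve the leaf certificate together with its intermediate certificate, so that clients receive what `-untrusted int.pem` supplies here.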

5. Client does not support the SNI protocol

This happens only when the customer uses an older operating system version, such as Windows XP SP2 or Android 4.2. SNI is a technology that allows multiple domain names with SSL certificates to share the same independent IP address, and it is now supported by almost all major operating systems and browsers. Many years ago, each SSL certificate had to be bound to its own dedicated IP address; SNI came into being because IPv4 addresses were gradually running short.

These are the reasons why SSL certificates are not trusted. Some of these points are likely to come up in day-to-day work, and I hope this article helps you learn more about them.
