SSL Certificate Errors

What happens when warnings like ‘Your Connection is not Private,’ ‘The Site’s Security Certificate is Not Trusted,’ etc., appear on your website? Data suggests that 85% of online shoppers avoid websites marked as ‘Not Secure’ by Google. When these SSL certificate error warnings keep recurring, they lead to high customer attrition, financial losses, and reputational damage, so they need to be fixed proactively.

What are the common types of SSL errors, and how can they be fixed? Read on to find out. 

SSL Certificate Errors: An Overview

When the web browser connects to a website, the server will first send a list of SSL certificates to prove its identity. After performing various SSL checks, the web browser will establish a secure connection with the server. 

An SSL certificate error occurs when the web browser cannot verify the SSL certificate installed on the website. In this case, the browser will block the website and show a warning to the user, for instance, ‘Warning: Potential Security Risk Ahead,’ ‘The Connection is Not Secure,’ etc.

Common Types of SSL Certificate Errors and The Fixes 

Expired Certificate 

One of the most common SSL certificate errors occurs if the certificate’s validity has expired. Currently, the validity is 398 days (1 year and 1 month for transition in case of renewal), and certificates cannot be issued for longer than this stipulated period. When the intermediate and leaf certificates presented to the browser are not within the stipulated validity period, the browser will block the website and show an error message. 

If you do not have a proper Certificate Management System (CMS) that provides visibility into the certificate lifecycle, you may forget or miss renewing certificates on time.

Fix: 

  • Replace all your expired intermediate and leaf certificates immediately with new, valid SSL certificates.
  • Use an online, centrally managed CMS to keep track of certificates and renew them before expiry.

SSL Certificate Not Trusted 

Trusted SSL root certificates are issued by regulated and trustworthy Certificate Authorities (CAs). To add an extra layer of protection, CAs do not sign end-entity certificates directly with the root. Instead, they sign and deploy an intermediate certificate that is used to sign leaf certificates, creating a chain of trust.

Web browsers have built-in functionality to recognize trusted root SSL certificates. Upon receiving the certificates from the server, the browser follows the chain from each certificate to its issuer until it reaches a trusted root certificate, which establishes the chain of trust.

This SSL connection error occurs when the certificate is not signed by a trusted CA in the browser’s built-in list, or when the certificate is self-signed by the server. The ‘SSL certificate not trusted’ error also occurs when the SSL chain of trust is invalid or incomplete.

Fix: 

  • Deploy SSL certificates only from reputable and trustworthy CAs instead of self-signed ones or unknown CAs. Self-signed certificates may be useful for the development environment, not the production environment.
  • Install and deploy the intermediate and the server leaf (end-user) certificates on your server.
  • Ensure that the webserver is configured to return all intermediate and leaf certificates.
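The walk a browser performs from the leaf to a trusted root, together with the validity-period check from the Expired Certificate section, can be modelled as follows. This is an added example, not code from the original article: the `Cert` record, the `evaluate_chain` helper and all certificate names are constructed, and the model links certificates by subject and issuer name only, leaving out the signature verification a real validator performs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def evaluate_chain(leaf, presented, trusted_roots, now):
    """Follow issuer links from the leaf; return (verdict, subjects visited)."""
    by_subject = {c.subject: c for c in presented}
    cert, path = leaf, []
    while True:
        path.append(cert.subject)
        # Every certificate on the path must be inside its validity period.
        if not (cert.not_before <= now <= cert.not_after):
            return "outside_validity_period", path
        if cert.issuer in trusted_roots:
            return "trusted", path
        if cert.issuer == cert.subject:
            # Signed by itself and absent from the trust store.
            return ("self_signed" if cert is leaf else "untrusted_root"), path
        nxt = by_subject.get(cert.issuer)
        if nxt is None or nxt.subject in path:
            # The server did not send the issuing (intermediate) certificate.
            return "incomplete_chain", path
        cert = nxt

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data; every name below is hypothetical.
TRUSTED_ROOTS = {"CN=Example Root CA"}
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA",
                    utc(2022, 1, 1), utc(2027, 1, 1))
LEAF = Cert("CN=www.example.com", "CN=Example Issuing CA",
            utc(2024, 1, 1), utc(2024, 1, 1) + timedelta(days=398))
SELF_SIGNED = Cert("CN=dev.internal", "CN=dev.internal",
                   utc(2024, 1, 1), utc(2034, 1, 1))

if __name__ == "__main__":
    now = utc(2024, 6, 1)
    print(evaluate_chain(LEAF, [INTERMEDIATE], TRUSTED_ROOTS, now))
    print(evaluate_chain(LEAF, [], TRUSTED_ROOTS, now))
    print(evaluate_chain(SELF_SIGNED, [], TRUSTED_ROOTS, now))
    print(evaluate_chain(LEAF, [INTERMEDIATE], TRUSTED_ROOTS, utc(2025, 3, 1)))
```

The second call shows why the server must return the intermediate: the same leaf that validates with it is rejected as an incomplete chain without it.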

Mixed Content Error

This SSL connection error occurs when a secure HTTPS page contains elements loaded over insecure HTTP, for instance, an insecure file, image, iframe, flash animation, etc. The browser will display a warning when there is such mixed content.

Fix: 

  • Update every file, link, canonical tag, image, reference, plugin, add-on, webmaster tool, etc., to its HTTPS version.
  • Ensure all files and elements on your pages are hosted from secure links. 

Name Mismatch Error 

To establish a secure connection with the server, the domain name in the SSL certificate must match the domain name in the browser URL. When they don’t, the name mismatch SSL certificate error occurs. Even if the certificate is issued for www.example[.]com and the user types example.com, there will be a name mismatch error. This error may occur when multiple domains and subdomains use the same hosting environment and IP addresses, and the server sends the certificate for the wrong domain. 

Fix: 

  • Ensure that the certificate covers both the www and non-www versions of the domain name.
  • If you secure multiple domains and subdomains with shared hosting and IP addresses, consider buying a SAN/multi-domain SSL certificate.
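Before deploying a certificate, every hostname the server answers for can be checked against the DNS names the certificate lists. The check below is an added example, not code from the original article; `hostname_matches` and `name_mismatches` are hypothetical helper names and the name lists are constructed. It also covers wildcard entries, which the article does not discuss: a wildcard is accepted only as the whole left-most label and stands for exactly one label.

```python
def hostname_matches(pattern, host):
    """True if one certificate DNS name (pattern) covers the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False  # www.example.com and example.com differ in label count
    if p[0] == "*":
        # The wildcard replaces one left-most label and needs a
        # registrable domain (at least two labels) after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def name_mismatches(cert_dns_names, served_hosts):
    """Hostnames that would trigger a name mismatch error with this certificate."""
    return [host for host in served_hosts
            if not any(hostname_matches(name, host) for name in cert_dns_names)]

# Constructed inventory: hostnames that resolve to the same shared server.
SERVED_HOSTS = ["www.example.com", "example.com",
                "shop.example.com", "www.example.org"]

# Constructed certificate name lists.
WWW_ONLY = ["www.example.com"]
WILDCARD = ["*.example.com"]
MULTI_DOMAIN = ["example.com", "*.example.com", "www.example.org"]

if __name__ == "__main__":
    for label, names in [("www only", WWW_ONLY), ("wildcard", WILDCARD),
                         ("SAN/multi-domain", MULTI_DOMAIN)]:
        print(label, "->", name_mismatches(names, SERVED_HOSTS) or "all covered")
```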

Revoked SSL Certificate Error 

This error occurs when the CA has revoked/canceled your SSL certificate, so that it now appears in the Certificate Revocation List. The reasons certificates are typically revoked/canceled are:

  • Certificate compromised before the expiry 
  • Compromised keys 
  • Certificate acquired with false credentials 
  • Wrong keys issued

Fix: 

  • Immediately replace the revoked certificate with a valid one and investigate the reason for revocation. 
  • Continuously monitor the revocation status of your certs using monitoring tools. 

The Bottom Line

SSL certificate errors are damaging for online businesses. Fix these errors instantly to ensure robust security, integrity, and data privacy in transit. To prevent them, continuously monitor your certificates and maintain visibility into the certificate lifecycle using a Certificate Management Console (CMS) like Entrust from Indusface.
