The Most Common Certificate Validation Errors and How to Stop Them

September 7, 2021 | Anastasios Arampatzis

Websites and their visitors rely on trust to share information and complete transactions. The main way websites establish that trust is through SSL/TLS certificates, which are issued by a trusted Certificate Authority (CA) and let a visitor's browser verify that it is talking to the genuine site. Occasionally, however, errors appear because certificate validation fails. The short story is: if the browser doesn't trust your certificate because of a validation error, your visitors will probably not trust your company either.

For that reason, it is important to know the most common certificate validation errors and how to remediate them.

The most common certificate validation errors

Here are a few of the certificate validation errors that you’ll want to watch out for.

  • SSL/TLS certificate not trusted

    A browser will return an error if it is unable to verify that the server's certificate chains back to a trusted root. Root certificates are issued by trusted CAs and embedded in the browsers' trust stores; they act as trust anchors against which every certificate presented to that browser is validated.

    For security purposes, CAs will usually sign intermediate certificates, which in turn sign the server's certificate. If the web administrator has not installed the intermediate certificates on the server, the browser cannot build the chain and will be unable to validate the SSL/TLS certificate.

    Another common reason for a certificate validation error is that the site operator has issued a self-signed certificate using their own software. Since it is not signed by a trusted root, it is flagged as untrusted. Self-signed certificates should only be used in internal environments, never on a public site.

  • Sites still deploying HTTP

    Any site still served over plain HTTP is not using an SSL/TLS certificate and will be marked as not secure. You can tell which sites present a legitimate SSL/TLS certificate by the https:// prefix in the URL. If the site uses only HTTP, the indicator in the address bar will read "Not Secure." As you can imagine, this is not good for online business.

    A similar problem occurs when pages or sites host mixed content. Mixed content errors occur when some elements on an HTTPS page (resources such as scripts or images) are still loaded over HTTP instead of HTTPS. The page cannot be validated in full and is flagged as untrusted.

  • Name mismatch errors

    A discrepancy between the domain name in the address bar and the one on the issued SSL/TLS certificate will prevent the certificate from being validated. For example, the name on the certificate will not match if the site was pulled up by IP address, or if the certificate was issued to, but only was typed in. This is becoming less common, as CAs will commonly issue one certificate covering both names. Multiple sites on the same IP address could also return mismatch errors, as the server may serve the wrong certificate when queried.

  • CA error

    Although the issuance of certificates is governed by the well-established rules of the Certificate Authority/Browser (CA/B) Forum, CAs do make mistakes and have mis-issued certificates, to localhost for example. Besides failing validation, improperly issued certificates can enable man-in-the-middle attacks.

  • Expired or revoked certificate

    Certificate lifespans are shortening for security reasons, and the current maximum validity period is only one year. When a certificate expires, it is effectively useless and will return an error message to the user. Revocation, on the other hand, can occur for several reasons: the key was compromised, the certificate was issued incorrectly, or it was issued with incorrect credentials, whether on purpose or by accident.

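
The browser-side failures described above (an incomplete or untrusted chain, a self-signed certificate, a name mismatch and an expired certificate) can be reproduced offline with Go's crypto/x509 package, which performs the same path validation a browser does. The following is an added example, not code from the original post or from Venafi: it generates a throwaway root, intermediate and server certificate in memory (the CA names and the hostname www.example.test are constructed for the demonstration) and reports which error category each misconfiguration produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues an in-memory certificate for cn/dns, signed by parent, or self-signed when parent is nil.
// Everything here is generated on the fly for the demonstration; no real CA or key material is involved.
func mkCert(cn string, dns []string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 100))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns, // subject alternative names, which browsers match against the hostname
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// classify validates leaf the way a browser does (chain to a trusted root, validity period, hostname) and names the post's error category.
func classify(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, hostname string) string {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c) // what the server sends alongside its own certificate
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: pool})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // no path to a trusted root: missing intermediate or self-signed
		return "not trusted"
	case x509.HostnameError:
		return "name mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	}
	return "other: " + err.Error()
}

// Scenarios builds a root -> intermediate -> server chain and checks each failure mode from the post.
func Scenarios() map[string]string {
	valid := time.Now().Add(24 * time.Hour)
	root, rootKey := mkCert("Demo Root CA", nil, true, valid, nil, nil)
	inter, interKey := mkCert("Demo Intermediate CA", nil, true, valid, root, rootKey)
	host := "www.example.test" // constructed hostname
	leaf, _ := mkCert(host, []string{host}, false, valid, inter, interKey)
	expired, _ := mkCert(host, []string{host}, false, time.Now().Add(-time.Minute), inter, interKey)
	selfSigned, _ := mkCert(host, []string{host}, false, valid, nil, nil)
	roots := x509.NewCertPool() // stands in for the browser's trust store
	roots.AddCert(root)
	chain := []*x509.Certificate{inter}
	return map[string]string{
		"complete chain":       classify(leaf, chain, roots, host),
		"missing intermediate": classify(leaf, nil, roots, host),
		"self-signed":          classify(selfSigned, nil, roots, host),
		"name mismatch":        classify(leaf, chain, roots, "example.test"),
		"expired":              classify(expired, chain, roots, host),
	}
}

func main() {
	for name, result := range Scenarios() {
		fmt.Printf("%-22s -> %s\n", name, result)
	}
}
```

Only the "complete chain" case validates; leaving the intermediate out of the server's bundle produces exactly the same "not trusted" outcome as a self-signed certificate, which is why a missing intermediate is so often misdiagnosed. Only the root is in the trust store, so the intermediate must come from the server itself.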
How to fix the most common certificate validation errors
  • Properly install SSL/TLS certificates

    This may go without saying, but the first step to avoiding "Not Secure" messages is to install an SSL/TLS certificate from a trusted CA. When an operating system or web browser ships, it contains a trust store, a list of trusted CAs, which is used to validate every certificate it encounters.

    To avoid a mixed content error, make sure all elements on your page are served over HTTPS as well, checking the source code and making adjustments where necessary. If you are still receiving errors, you might have installed the certificate incorrectly; you can always generate a new Certificate Signing Request (CSR) from your server and reissue.

  • Prevent name mismatch errors

    To avoid name mismatch errors, carefully follow the guidelines for correctly submitting a CSR, which will include specifics on how to register your company name, address and domain. Another way around name mismatch errors is to install a wildcard certificate, since it secures multiple hostnames with just one certificate; but due to the risky nature of wildcard certificates, you should be very cautious exercising this option.

  • Protect against CA error

    Being agile is the best way to counter CA errors or a compromised CA. Don’t put all your eggs in a single basket. Instead, be ready to switch CAs in case things don’t go as expected. Maintaining CA agility will ensure you have limited downtime, and you will avoid costly outages which may damage the trust your visitors place in your company.

  • Secure your chain of trust

    Since many errors occur because the device is unable to validate the certificate back to a trusted root, it is important to install the intermediate certificates on your server. When the device does not find the issuer directly in its trust store, it walks up what is known as the certificate chain of trust, checking each intermediate certificate until it reaches a trusted root.

    A great starting point for securing your chain of trust is gaining visibility over all certificates within your environment. With certificate lifespans shortening and the number of connected machines continuing to rise, being able to identify and renew certificates before their expiration date is key to preventing breaches and securing your domains.

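
Checking a page's source for mixed content, as the "Properly install SSL/TLS certificates" step above recommends, can be scripted rather than done by eye. The following added example (not code from the original post or from Venafi) scans an HTML document for sub-resource tags that load over plain http://. The sample page and its hostnames are constructed for the demonstration, and the tag and attribute list is a practical subset rather than an exhaustive one.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// samplePage is a constructed HTTPS page that still references two assets over plain HTTP.
const samplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="HTTP://images.example.test/logo.png" alt="logo">
<img src="//images.example.test/hero.png">
<a href="http://partner.example.test/">partner site</a>
<iframe src="https://embed.example.test/widget"></iframe>
</body></html>`

// MixedContentFinding records one sub-resource reference that would be fetched over HTTP.
type MixedContentFinding struct {
	Tag string
	URL string
}

// subresourcePattern matches tags that load sub-resources (navigational <a href> links are
// deliberately excluded) and captures the tag name and the referenced URL.
var subresourcePattern = regexp.MustCompile(
	`(?i)<(script|img|link|iframe|audio|video|source|object|embed)\b[^>]*?\s(?:src|href|data)\s*=\s*["']?([^"'\s>]+)`)

// FindMixedContent returns every sub-resource the HTML loads via http://.
// Scheme-relative references (//host/...) inherit the page's scheme and are not flagged.
func FindMixedContent(html string) []MixedContentFinding {
	var findings []MixedContentFinding
	for _, m := range subresourcePattern.FindAllStringSubmatch(html, -1) {
		tag, url := strings.ToLower(m[1]), m[2]
		if strings.HasPrefix(strings.ToLower(url), "http://") {
			findings = append(findings, MixedContentFinding{Tag: tag, URL: url})
		}
	}
	return findings
}

func main() {
	for _, f := range FindMixedContent(samplePage) {
		fmt.Printf("<%s> loads %s over plain HTTP\n", f.Tag, f.URL)
	}
}
```

Run against the sample, the scanner reports the analytics script and the logo image; the scheme-relative hero image and the plain link to the partner site are left alone, since browsers do not treat those as mixed content. Pointing the function at your own templates or a saved copy of a live page gives you the list of references to rewrite to https://.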
Automated certificate management

With over 85% of sites employing HTTPS, security has become the standard and the expectation of customers. Products like Venafi Trust Protection Platform ensure daily installation of both certificate and chain, enforce trust stores and allow you to install, manage and provision CA chains automatically. With so many possible errors that could occur in the certificate validation process, it is important to establish an automated, agile and secure process for ensuring your sites' validity.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
