SSL Untrusted Root Certificate
Description
The SSL/TLS certificate presented by the server is not signed by a Certificate Authority (CA) present in the standard root certificate store, so clients cannot validate the certificate chain back to a recognized root CA. Typical causes are a self-signed certificate, a certificate issued by an authority the client does not know (such as a private or internal CA), or a server that sends an incomplete chain with one or more intermediate certificates missing.
Remediation
To resolve this issue, obtain and install a valid SSL/TLS certificate from a trusted Certificate Authority:
- Obtain a Certificate from a Trusted CA: Purchase or obtain a certificate from a recognized Certificate Authority (e.g., DigiCert, Let's Encrypt, Sectigo, GlobalSign). For free certificates, consider Let's Encrypt with automated renewal.
- Install the Complete Certificate Chain: Ensure you install not only the server certificate but also all intermediate certificates. The chain should link your certificate to a trusted root CA.
- Configure Your Web Server: Install the certificate and private key on your web server. Verify that the certificate chain is properly configured.
- Verify the Installation: Use online SSL testing tools (such as SSL Labs' SSL Server Test) to confirm the certificate is trusted and properly configured.
- Remove Self-Signed or Untrusted Certificates: Replace any self-signed certificates or certificates from private/internal CAs with publicly trusted certificates for internet-facing services.
If you must use a private CA for internal services, ensure all client systems have the private CA's root certificate installed in their trusted certificate store.