This article discusses the Secure Sockets Layer (SSL) security certificates and errors.
The following certificate types are available:
Self-signed certificates: Companies with private domains commonly use self-signed certificates to cut
the cost of securing through a certificate authority (CA). These certificates still create a secure connection,
but browsers do not recognize them as a supported CA. The browser asks you to confirm the
self-signed certificate and adds it to the database of known CAs for future reference.
Intermediate certificates: These certificates guarantee greater trust of a domain. The CA conducts
a more in-depth background check of the organization's domain. Intermediate certificates also provide layers
of encryption that further secure the root certificate.
Browsers have a built-in list of trusted certificate providers for the major CAs. For some sites, the
certificate provider is not on that list. In this case, the browser warns you that the CA who issued
the certificate is not trusted. This issue also occurs if the site has a self-signed certificate. While
this warning is fairly generic for Microsoft® Internet Explorer®, Firefox® distinguishes between
a certificate issued by the server itself (a self-signed certificate) and another type of untrusted certificate.
Browsers display this message differently, as shown in the following examples for Internet Explorer
Internet Explorer message:
The security certificate presented by this website was not issued by a trusted certificate authority.
invalid security certificate - The certificate is not trusted because the issuer certificate is unknown.
invalid security certificate - The certificate is not trusted because it is self signed.
Web browsers have a database of the keys from known CAs. SSL certificates purchased from the CAs that have a key in
the database return with no error. They also show a symbol of a secured lock at the
beginning of the URL address bar.
An SSL certificate can fail due to a bad key match to the CA in the browser's database, which results
in an insecure connection.
Updated 24 days ago