How To Install Intermediate Certificates To Avoid SSL/TLS Not Trusted

Are you seeing "SSL/TLS Not Trusted"? Here's a workaround.

Broken SSL/TLS certificate chains from missing intermediates can cause trust errors. Learn how to diagnose and fix them by installing a complete chain.
 
 
Browser Trust Errors

If you have installed a new SSL/TLS certificate on your web server but visitors are experiencing browser trust errors such as "Not Secure", or "Your Connection Is Not Private", please make sure that a complete intermediate certificate chain has been installed. In Google Chrome, a common error message of this type is NET::ERR_CERT_AUTHORITY_INVALID. All of the following browser errors resulted from installing a valid certificate, but with a broken chain caused by missing intermediates:

Chrome address bar with Not Secure trust warning

 

Chrome address bar with "Not Secure" trust warning

 

Chrome trust warning
 
"NET::ERR_CERT_AUTHORITY_INVALID" trust warning in Chrome browser window.
Apple Safari browser warning
Trust warning in Apple Safari browser window, stating 
This Connection Is Not Private.

For more examples of browser error messages resulting from missing intermediate certificates, please refer to our guide on Troubleshooting SSL/TLS Browser Errors and Warnings.

Note: You may not see these trust errors in Firefox, even if they are present in other browsers. This is because Firefox caches intermediate certificates in its own certificate store; if you previously visited a website that included any intermediates missing from your server, Firefox will use them to make a complete certificate chain when necessary.

Diagnosing the Problem

You can check for missing intermediate certificates with SSL Shopper’s SSL Checker. The screenshot below reveals the situation that produced the errors shown above:

Missing intermediate chain

Solving the Problem

When you download your certificate from your SSL.com user account using the link for your server platform, you receive a zipped file that includes both the certificate and any necessary supporting files. If you only wish to download the intermediate certificates, you can also use the CA bundle download link.

Certificate download by platform

Installation of intermediates varies by server platform. For specific instructions on how to install the required intermediate certificates on your server and create a complete chain, please refer to our certificate installation documentation.

Confirm the Fix

With all supporting certificates installed on the same server that produced the “not trusted” errors shown above, SSL Checker shows a complete chain, and the browser trust errors are gone:

Complete certificate chain

Secure connection