How to solve the problem of untrusted SSL certificate (edamame)

Reasons why SSL certificates are reported as untrusted, and how to address them:

1) Websites use self-signed SSL certificates

Many companies use self-signed certificates to save costs. Here, self-signed means the company sets up its own CA system and issues SSL certificates itself, so the cost is much lower and the certificates can be issued for longer terms. However, such certificates are not recognized by browsers, because the issuing CA is not in their trust stores.

2) Websites use SSL certificates with poor compatibility

Many free certificates are not recognized by all browsers because their root certificates are not in the trust stores of some browsers, so they may be distrusted due to compatibility problems.

3) The certificate's validity period has passed, so it is no longer valid

SSL certificates have a validity period just like other certificates, and validity is controlled more strictly for SSL certificates. At present, the longest validity period of SSL certificates is only one year. Therefore, when the SSL certificate deployed on your website expires, the browser will warn that the "SSL certificate is not trusted".

4) The site uses the wrong SSL certificate

Certificates are issued for a specific IP address or domain name. If the site uses the wrong SSL certificate, for example, website A mistakenly uses the certificate of website B, the certificate will not be trusted.

5) The SSL certificate chain is incomplete

Usually, an SSL certificate chain consists of the server certificate, an intermediate certificate and the root certificate, and some chains also require a cross-certificate. The operating system often has only the authoritative root certificates built in by default, so if you install just your own domain's server certificate, the certificate chain is incomplete and the operating system cannot determine who really issued the SSL certificate. Therefore, when installing SSL certificates on the server, check that the certificate chain is complete to ensure that the certificates can be used normally.

6) The client does not support the SNI protocol

It must be pointed out that some old systems, below Windows XP SP2 and below Android 4.2, do not support SNI, because they date from a time when no system vendor supported the protocol. At present, almost all mainstream operating systems and browsers support SNI, a technology that allows multiple domain names with SSL certificates to share the same IP address. Many years ago, each SSL certificate had to be bound to a separate IP address; as the IPv4 address pool gradually ran short, SNI came into being.
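
To find out which of the six causes above applies to a given site, the following added example (not part of the original article) performs a fully verified TLS handshake and maps the OpenSSL verify code to the numbered causes, then compares the certificate served with and without SNI. The function names are this example's own, and `example.com` is a placeholder host.

```python
import socket
import ssl

# OpenSSL verify codes (X509_V_ERR_*) grouped by the numbered causes above.
CAUSES = {
    18: "1: self-signed certificate",
    19: "1: chain ends in a private or self-signed root the client does not trust",
    20: "2 or 5: issuer not in the trust store, or intermediate not sent",
    21: "5: incomplete chain, leaf signature cannot be verified",
    9: "3: certificate not yet valid",
    10: "3: certificate expired",
    62: "4: certificate does not match the host name",
    64: "4: certificate does not match the IP address",
}

def classify(exc):
    """Map an ssl.SSLCertVerificationError to one of the causes listed above."""
    code = getattr(exc, "verify_code", None)
    return CAUSES.get(code, f"unclassified (verify code {code})")

def _handshake(ctx, host, port, sni, timeout):
    """Complete a TLS handshake and return the server's leaf certificate (DER)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert(binary_form=True)

def diagnose(host, port=443, timeout=5.0):
    """Verify against the system trust store; return 'trusted' or the likely cause."""
    try:
        _handshake(ssl.create_default_context(), host, port, True, timeout)
        return "trusted"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc)

def sni_dependent(host, port=443, timeout=5.0):
    """Cause 6: True if a client that sends no SNI gets a different certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # fetched for comparison, never trusted
    try:
        with_sni = _handshake(ctx, host, port, True, timeout)
        return with_sni != _handshake(ctx, host, port, False, timeout)
    except ssl.SSLError:
        return True  # server refused the handshake that carried no SNI

if __name__ == "__main__":
    # example.com is a placeholder; replace it with the site being checked.
    print(diagnose("example.com"), sni_dependent("example.com"))
```

A result of "2 or 5" means the client could not find the issuer; installing the intermediate certificate on the server resolves cause 5, while cause 2 requires a certificate from a CA whose root is in the client's trust store.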