Websites and their visitors rely on trust to share information and complete transactions. The main way a website establishes that trust is an SSL/TLS certificate, which proves the site's identity to the visitor's browser by chaining back to a Certificate Authority (CA) the browser already trusts. When that validation fails, the browser shows an error instead. The short story is: if the browser does not trust the certificate because of a validation error, your visitors will probably not trust your company either.
For that reason, it is important to know the most common certificate validation errors and how to remediate them.
The most common causes of certificate validation failures
Here are a few of the certificate validation errors that you’ll want to watch out for.
SSL/TLS certificate not trusted
A browser returns an error if it cannot verify that the site's certificate (the end-entity certificate) was signed, directly or indirectly, by a trusted root. Root certificates are issued by trusted CAs and embedded in the browsers' trust stores; they act as trust anchors against which every certificate presented to that browser is validated.
For security reasons, CAs keep their root keys offline and instead sign intermediate certificates, which in turn sign the site's certificate. If the web administrator has not installed those intermediate certificates on the server, the browser receives only the site's certificate, cannot build a path from it to a root in its trust store, and rejects it.
Another common cause of a validation error is a self-signed certificate that the site operator generated with their own tooling. Because no trusted root signed it, the browser flags it as untrusted. Self-signed certificates belong only in internal environments, where the clients can be configured to trust them explicitly, never on a public site.
Sites still deploying HTTP
Any site still served over plain HTTP is not using an SSL/TLS certificate at all and is marked as not secure. You can tell which sites present a legitimate SSL/TLS certificate by the HTTPS prefix in the URL. If the site is using only HTTP, the indicator in the browser's address bar reads "Not Secure." As you can imagine, this is not good for online business.
A similar problem occurs when pages or sites host mixed content. Mixed content errors occur when some elements on an HTTPS page are still loaded over HTTP instead of HTTPS. The browser cannot treat the page as fully secure, so it flags the page and warns on, or blocks, the insecure elements.
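The mixed content problem described above can be found before a browser finds it, by scanning the page source for subresources that resolve to an http:// URL. The following is an added example written for this article, not code from the original post or from any vendor; it uses only the Python standard library, and the page URL and the HTML snippet are constructed sample input. It goes slightly beyond the text by separating "active" mixed content (scripts, frames, stylesheets, which modern browsers block outright) from "passive" mixed content (images and media, which browsers load but warn about), and it treats scheme-relative (`//host/...`) and same-origin relative references correctly, since those inherit the page's HTTPS scheme.

```python
"""Scan an HTML page for mixed content (added example; constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose http:// targets browsers block ("active" mixed content).
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
# (tag, attribute) pairs whose http:// targets browsers load with a warning ("passive").
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a) in ACTIVE | PASSIVE:
            if tag != t or not attrs.get(a):
                continue
            # Only stylesheet <link>s are fetched as active content; icons etc. are not.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Resolve relative and scheme-relative references against the HTTPS page URL,
            # so only references that really end up on http:// are reported.
            url = urljoin(self.page_url, attrs[a])
            if urlsplit(url).scheme == "http":
                severity = "active" if (t, a) in ACTIVE else "passive"
                self.findings.append((severity, tag, url))


def scan_mixed_content(page_url, html):
    """Return the list of mixed-content findings for one page, in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one insecure stylesheet, one insecure image, one insecure
# iframe, plus references that are fine (scheme-relative, same-origin, explicit https).
SAMPLE_PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//cdn.example.net/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<img src="https://images.example.net/banner.png">
<iframe src="http://widgets.example.net/chat"></iframe>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:7s} <{tag}> {url}")
```

Run the module on a saved copy of a page (feed the file contents to `scan_mixed_content` with the page's real URL) and fix every "active" finding first; those are the ones that break the page, while "passive" findings only downgrade the lock indicator.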
Name mismatch errors
A discrepancy between the domain name in the address bar and the names on the issued SSL/TLS certificate prevents the certificate from validating. For example, the name will not match if the site was opened by IP address, or if the certificate was issued to www.domain.com but only domain.com was typed in. This is becoming less common, as CAs now commonly issue one certificate that covers both names. Multiple sites on the same IP address can also produce mismatch errors: if the client does not send the requested hostname (Server Name Indication, SNI) or the server is not configured to select a certificate by it, the server presents its default certificate rather than the one for the site that was requested.
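The name check a browser performs is more specific than "does the typed name appear on the certificate". The following is an added example written for this article, not code from the original post or from any vendor or browser, that implements the matching rules browsers apply to a certificate's subjectAltName entries: matching is case-insensitive, a wildcard is allowed only as the whole leftmost label and matches exactly one label, and a host reached by IP address is matched only against iPAddress entries, never against DNS names. The SAN list is shaped like the tuples Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificate names are constructed.

```python
"""Hostname matching against certificate subjectAltName entries (added example)."""
import ipaddress


def _match_dns_name(pattern, hostname):
    """Match one dNSName SAN entry against a hostname, applying browser wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, appear nowhere else, and leave at
    # least two more labels, so that a name like "*.com" can never match every .com host.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # A wildcard matches exactly one label: *.example.com matches www.example.com,
    # but neither example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(san_entries, hostname):
    """san_entries: iterable of ("DNS", name) or ("IP Address", addr) tuples.

    Returns True when the certificate is valid for `hostname` by name.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the address bar is matched only against iPAddress entries.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san_entries)
    return any(kind == "DNS" and _match_dns_name(value, hostname)
               for kind, value in san_entries)


def explain(san_entries, hostname):
    """Human-readable verdict, in the spirit of a browser's name-mismatch message."""
    if hostname_matches(san_entries, hostname):
        return f"OK: certificate covers {hostname}"
    names = ", ".join(value for _, value in san_entries)
    return f"NAME MISMATCH: {hostname} is not among [{names}]"


# Constructed sample SAN list for a certificate that covers the apex, www, one-level
# wildcard API hosts, and a single IP address.
SAMPLE_SAN = (
    ("DNS", "example.com"),
    ("DNS", "www.example.com"),
    ("DNS", "*.api.example.com"),
    ("IP Address", "203.0.113.10"),
)
# Constructed SAN list for the article's problem case: issued to www only.
WWW_ONLY_SAN = (("DNS", "www.domain.com"),)


if __name__ == "__main__":
    for host in ("example.com", "v1.api.example.com", "a.b.api.example.com",
                 "203.0.113.10", "203.0.113.11"):
        print(explain(SAMPLE_SAN, host))
    print(explain(WWW_ONLY_SAN, "domain.com"))
```

When you review a CSR before submitting it, list every hostname users will type and check each one against the planned SAN entries with `hostname_matches`; that catches the apex-versus-www case and over-deep wildcard expectations before the certificate is issued.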
CA error
Although certificate issuance is governed by the well-established rules of the Certificate Authority/Browser (CA/B) Forum, CAs do make mistakes and have mis-issued certificates—to localhost, for example. Such a certificate fails validation, and beyond that, an improperly issued certificate can enable man-in-the-middle attacks.
Expired or revoked certificate
Certificate lifespans are shortening for security reasons, and the current validity period is only one year. When a certificate expires it is effectively useless, and the browser returns an error to the user. Certificates are revoked, on the other hand, for several reasons: the private key was compromised, the certificate was issued incorrectly, or it was issued with incorrect credentials, whether on purpose or by accident.
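The untrusted-certificate, missing-intermediate, self-signed and expired cases above are all outcomes of the same procedure: the client starts at the site's certificate and walks issuer by issuer until it reaches a root in its trust store. The following is an added example written for this article, not code from the original post or from any vendor or browser, that models that walk over a small constructed PKI (root, intermediate, leaf, and a self-signed development certificate). It matches issuer to subject by name only and checks validity dates; a real validator additionally verifies each certificate's signature with the issuer's public key and checks revocation, which this model deliberately leaves out.

```python
"""Model of chain building from a server certificate to a trust anchor (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date

    @property
    def self_signed(self):
        return self.subject == self.issuer


# Constructed sample PKI. Only ROOT is in the trust store, as a browser would ship it.
ROOT = Cert("Example Root CA", "Example Root CA", date(2020, 1, 1), date(2040, 1, 1))
INTERMEDIATE = Cert("Example Issuing CA 1", "Example Root CA", date(2021, 1, 1), date(2031, 1, 1))
LEAF = Cert("www.example.com", "Example Issuing CA 1", date(2024, 3, 1), date(2025, 3, 1))
SELF_SIGNED = Cert("dev.example.internal", "dev.example.internal", date(2024, 1, 1), date(2034, 1, 1))
TRUST_STORE = {ROOT.subject: ROOT}


def build_chain(presented, trust_store, today):
    """Walk from the leaf (presented[0]) up to a trust anchor.

    presented: the certificates the server sent, leaf first.
    trust_store: {subject: Cert} of roots the client trusts.
    Returns (ok, reason, subjects_visited).
    """
    by_subject = {c.subject: c for c in presented}
    current = presented[0]
    path = []
    for _ in range(10):  # bound the walk so a malformed, cyclic chain cannot loop forever
        path.append(current.subject)
        if not (current.not_before <= today <= current.not_after):
            return False, f"certificate has expired or is not yet valid: {current.subject}", path
        if current.issuer in trust_store:
            # The issuer is a trust anchor: the chain is complete.
            path.append(current.issuer)
            return True, "chain ends at a trusted root", path
        if current.self_signed:
            # Nobody else vouches for this certificate and it is not a trust anchor.
            return False, f"self-signed certificate not in trust store: {current.subject}", path
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # The server did not send the intermediate, so the path cannot continue.
            return False, f"unable to get issuer certificate: {current.issuer}", path
        current = nxt
    return False, "chain too long", path


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(build_chain([LEAF, INTERMEDIATE], TRUST_STORE, today))   # complete chain
    print(build_chain([LEAF], TRUST_STORE, today))                 # intermediate missing
    print(build_chain([SELF_SIGNED], TRUST_STORE, today))          # self-signed, public client
    print(build_chain([SELF_SIGNED], {SELF_SIGNED.subject: SELF_SIGNED}, today))  # internal client
    print(build_chain([LEAF, INTERMEDIATE], TRUST_STORE, date(2025, 6, 1)))      # leaf expired
```

The second call is the "intermediate not installed" failure: the leaf is perfectly valid, but the client has nothing to connect it to the root. The fourth call shows why self-signed certificates are acceptable internally: the client's own trust store, not the public one, contains that certificate as an anchor.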
How to fix the most common certificate validation failures
Properly install SSL/TLS certificates
This may go without saying, but the first step to avoiding "Not Secure" messages is to install an SSL/TLS certificate from a trusted CA. Every operating system and web browser ships with a trust store, a list of trusted CAs, against which every certificate it encounters is validated.
To avoid mixed content errors, make sure every element on the page is loaded over HTTPS as well: check the page source and adjust any http:// references. If you still receive errors, the certificate may have been installed incorrectly; you can always generate a new Certificate Signing Request (CSR) on your server and have the certificate reissued.
Prevent name mismatch errors
To avoid name mismatch errors, carefully follow your CA's guidelines for submitting a CSR, including how to enter your company name, address, and the exact domain names the certificate must cover. Another way around name mismatch errors is a wildcard certificate, which secures every hostname under one domain with a single certificate; but because a single wildcard key then covers all of those hosts, exercise this option with caution.
Protect against CA error
Being agile is the best way to counter CA errors or a compromised CA. Don't put all your eggs in a single basket; instead, be ready to switch CAs when things don't go as expected. Maintaining CA agility keeps downtime limited and avoids the costly outages that damage the trust your visitors place in your company.
Secure your chain of trust
Since many errors occur because the device cannot validate the certificate back to a trusted root, it is important to install the intermediate certificates on the server. When the device does not find the certificate's issuer in its trust store, it walks up what is known as the certificate chain of trust, checking each intermediate certificate in turn until it reaches a trusted root.
A great starting point for securing your chain of trust is gaining visibility over all certificates in your environment. With certificate lifespans shortening and the number of connected machines continuing to rise, being able to identify and renew certificates before they expire is key to preventing outages and breaches and to securing your domains.
Automated certificate management
With over 85% of sites employing HTTPS, security has become the standard and the expectation of customers. Products like Venafi Control Plane for Machine Identities ensure installation of both the certificate and its chain, enforce trust stores, and allow you to install, manage and provision CA chains automatically. With so many possible errors in the certificate validation process, it is important to establish an automated, agile and secure process for keeping your sites valid.