Untrusted Root Certificate Error Explained
An untrusted root certificate error means the SSL certificate's CA root is not in the browser's trust store. Learn what causes this and how to resolve it.
An untrusted root certificate error means the certificate's chain of trust cannot be verified back to a Certificate Authority that the browser or operating system trusts. Every browser maintains a built-in list of trusted root CAs — if a certificate's chain leads to a root not on that list, it's rejected.
Error Messages
- Chrome: NET::ERR_CERT_AUTHORITY_INVALID
- Firefox: SEC_ERROR_UNKNOWN_ISSUER
- curl: SSL certificate problem: unable to get local issuer certificate
Common Causes
- Missing intermediate certificate: The server isn't sending the intermediate CA certificate(s), so clients that haven't cached the intermediate can't build the chain. This is the most common cause.
- Private/internal CA: The certificate was issued by an internal CA whose root isn't in the public trust store. Common in corporate environments and dev/staging setups.
- Newly trusted root: A very new root CA that hasn't been distributed to all operating systems and browsers yet.
- Distrusted CA: The certificate was issued by a CA that was removed from trust stores (e.g., old Symantec certificates distrusted by Chrome/Firefox).
- Self-signed certificate: A certificate signed by its own key with no CA chain at all.
How to Diagnose
Decode your certificate chain by pasting the full chain PEM into the decoder. Check that:
- The leaf certificate's issuer matches an intermediate CA in the chain
- That intermediate's issuer matches either another intermediate or a known root CA
- The root CA is a publicly trusted one (DigiCert, Let's Encrypt/ISRG, Sectigo, etc.)
How to Fix It
- Missing intermediate: Configure your web server to serve the full chain. For Let's Encrypt, use fullchain.pem instead of cert.pem.
- Internal CA: Deploy the root certificate to all client machines via Group Policy (Windows) or certificate management tools.
- Self-signed: Replace with a certificate from a public CA, or if this is an internal service, deploy your root to clients.
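The missing-intermediate case described above can be reproduced offline with the openssl CLI. This is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf, then verifies the leaf with and without the intermediate. The file name x.cnf and the names Example Test Root, Example Test Intermediate and app.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce and fix the "missing intermediate" failure offline.
# All certificate names and file names below are constructed test data.

make_chain() {  # $1 = empty working directory
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:app.example.test
EOF
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/x.cnf" \
    -extensions ca -subj "/CN=Example Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate signed by the root, then leaf signed by the intermediate.
  issue "$d" int "Example Test Intermediate" root ca &&
  issue "$d" leaf "app.example.test" int leaf &&
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

issue() {  # args: dir, name, CN, signer name, extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/x.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# Server sends only the leaf (cert.pem): the client cannot build the chain.
verify_leaf_only() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1; }

# Server sends leaf + intermediate (fullchain.pem): the chain reaches the root.
verify_full_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

work=$(mktemp -d) && make_chain "$work" && {
  verify_leaf_only "$work" || echo "^ expected failure: intermediate not supplied"
  verify_full_chain "$work"
  rm -rf "$work"
}
```

The leaf-only check fails with the same "unable to get local issuer certificate" text that curl reports. The second check succeeds once the intermediate is supplied, which is what serving fullchain.pem does.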