"This CA Root Certificate is not trusted" with an SSL installed

I just installed an SSL on Plesk, and when I go to https://www.example.com in Chrome, I get the error below:

This CA Root Certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities Store.

Sort of defeats the purpose of having an SSL. Any idea how I can make this message go away?

I bought the SSL from GoDaddy, which I would expect to be a trusted authority.


This issue occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority (GoDaddy) provides a bundle of chained certificates that should be chained with the server certificate to address this issue of lack of trust. Unfortunately, GoDaddy does not provide any documentation on this front. You should have received two different certificates from GoDaddy, one for your server, and the bundle. Depending on your server, this is what the configuration would look like:

  • For Apache:

Specify each certificate in its own directive:

    SSLCertificateFile /path/to/cert/www.example.com.crt
    SSLCertificateChainFile /path/to/cert/bundle.crt

  • For Nginx, documented here:

Both certificates should be concatenated, first the server, then the bundle:

    cat www.example.com.crt bundle.crt > www.example.com.chained.crt

And then use www.example.com.chained.crt in your server ssl_certificate directive:

    ssl_certificate www.example.com.chained.crt;
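
A way to check the chain locally before deploying it, as an added example (not part of the original answer or any CA's documentation): it builds a throwaway root, intermediate and server certificate, then shows that `openssl verify` rejects the server certificate on its own and accepts it once the bundle is supplied. The helper names (`new_csr`, `make_demo_chain`, `chain_ok`, `first_subject`) and the "Demo" CA names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway root -> intermediate -> leaf, then the same
# chain check a client does, with and without the intermediate bundle.

new_csr() {  # new_csr <dir> <name> <CN>: fresh key and CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_chain() {  # make_demo_chain <dir>; every name here is constructed
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  new_csr "$d" int "Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/bundle.crt" 2>/dev/null
  new_csr "$d" leaf "www.example.com"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/bundle.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/www.example.com.crt" 2>/dev/null
  # The nginx-style file from the answer: server certificate first, then bundle.
  cat "$d/www.example.com.crt" "$d/bundle.crt" > "$d/www.example.com.chained.crt"
}

# chain_ok <root> <leaf> [bundle]: succeeds if the leaf chains to the trusted
# root, using the bundle (if given) only as untrusted intermediates.
chain_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# first_subject <pem>: subject of the first certificate in the file, which is
# the one the server presents as its own.
first_subject() {
  openssl x509 -in "$1" -noout -subject
}

demo() {
  local d; d=$(mktemp -d)
  make_demo_chain "$d"
  chain_ok "$d/root.crt" "$d/www.example.com.crt" \
    && echo "leaf alone: trusted" || echo "leaf alone: NOT trusted"
  chain_ok "$d/root.crt" "$d/www.example.com.crt" "$d/bundle.crt" \
    && echo "leaf + bundle: trusted" || echo "leaf + bundle: NOT trusted"
  first_subject "$d/www.example.com.chained.crt"
  rm -rf "$d"
}
demo
```

On real files, `chain_ok` takes the CA's root certificate, your server certificate and the bundle the CA sent; `first_subject` on the chained file should name your site, not the CA.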


GoDaddy is recognized on Windows operating systems, because the GoDaddy root certificate is pre-installed on Windows. But GoDaddy will not be automatically recognized in many contexts and would need to be manually configured by users (which is not a trivial task). iPhone, for example, will not trust GoDaddy certificates out of the box. You may consider getting a certificate from established certificate authorities such as VeriSign or Thawte, but they will be more expensive.


@John: GoDaddy is a registrar/webhost; I believe their certificates are just reseller certs. You don't need to go expensive to get compatibility as @Jaro suggests. I've deployed several RapidSSL certificates that are recognized by Chrome/iOS and Safari/iOS without user intervention and are much cheaper than the higher-insurance certificates like Symantec/VeriSign.


The only way to make that message go away is by buying a real certificate from a trusted authority.
