SSL Certificate - The certificate is not trusted in all web browsers

Question

I am using zerossl.com website to generate an SSL certificate for my website developer.norght.com

I successfully downloaded and installed a certificate from the zerossl.com website as per their documentation. And I am able to access https://developer.norght.com securely on my devices.

My Hosting Account's SSL tab which also indicates that certificate installed successfully as below:

Now my problem is: When I check my SSL certificate using different platforms, they are showing me this error that my certificate is not trusted on all browsers!

SSL Hopper reference:

SSL Labs reference:

I tried to troubleshoot the issue using this article https://zerossl.com/help/troubleshoot/missing-intermediate-certificate/ provided by zerossl.com but found no luck. I even try to re-install certificate, private-key, ca-bundle file but still getting the same error.

So, I search for a further tool that can help me to solve the issue on https://whatsmychaincert.com/?developer.norght.com this website. They are providing me the chain which I should use as ca-bundle, I tried that too!

I tried every solution I found around but none of them is able to solve my problem.

Anyone here if helps me with this issue it would be much-appreciated pals.

Answer 1

I'm aware that this question was asked about 6 months ago. So, in case you're still searching for the solution, you might wanna try the following:

• Copy the ca-bundle content (cert) and paste it after your domain cert in the Certificate (CRT) field .

Yes, this means that there are 2 certs in your CRT field (domain and ca-bundle) as example below:

Certificate (CRT)

-----BEGIN CERTIFICATE-----

(domain cert)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(ca-bundle cert)

-----END CERTIFICATE-----

If this works, it's just how the cert is installed at your hosting provider.

Answer 2

The root cause is that the root certificate for certificates issued by zerossl.com is not included in well-known web browsers (such as Chrome and Firefox) by default as a "trusted root certificate" . Therefore, you have to install the root certificate manually. This means that you have to ask everyone who wants to access developer.norght.com to install the root certificate into their web browsers manually.

If you want to enable people to access developer.norght.com without installing the root certificate manually, you have to use other certificate issuer (not zerossl.com) that can issue certificates whose root certificate is installed in well-known web browsers by default.

As the diagram below from " Illustrated X.509 Certificate " tells, the origin (ie root certificate ) of a certificate chain must be installed in advance.