
How to Fix ERR_CERT_AUTHORITY_INVALID in Chrome

Why Chrome shows ERR_CERT_AUTHORITY_INVALID, what it means about your SSL certificate, and how to fix it in development and production.

Chrome blocks the page and shows:

Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID

This means the SSL/TLS certificate presented by the server was not issued by a certificate authority (CA) that Chrome trusts. The connection is encrypted, but Chrome cannot verify who it’s encrypted to. It could be the real server, or it could be an attacker intercepting the traffic.

Chrome maintains a list of trusted CAs. If the certificate’s issuing authority is not on that list, or if the chain of trust from the certificate back to a trusted root CA is broken, Chrome shows this error.

Common causes

1. Self-signed certificate in development

You generated a certificate yourself using openssl for local HTTPS. Self-signed certificates are not issued by any trusted CA, so Chrome rejects them.

# This creates a self-signed cert that Chrome will reject
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Fix: Use mkcert instead. It creates a local CA, adds it to your system trust store, and issues certificates signed by that CA. Chrome trusts these certificates because it trusts the local CA.

# Install mkcert
brew install mkcert   # macOS
choco install mkcert  # Windows

# Create and install the local CA
mkcert -install

# Generate certs for localhost
mkcert localhost 127.0.0.1 ::1

This produces localhost+2.pem and localhost+2-key.pem. Use them in your dev server:

// Vite (vite.config.js)
import { defineConfig } from 'vite'

export default defineConfig({
  server: {
    https: {
      key: './localhost+2-key.pem',
      cert: './localhost+2.pem',
    },
  },
})

// Node.js (app is your request handler, for example an Express app)
import { readFileSync } from 'fs'
import https from 'https'

const server = https.createServer({
  key: readFileSync('./localhost+2-key.pem'),
  cert: readFileSync('./localhost+2.pem'),
}, app)

server.listen(3000)

2. Missing intermediate certificate in production

Your server has a valid certificate from a trusted CA, but the response doesn’t include the intermediate certificates that chain your certificate back to the root CA. Chrome can sometimes fill in the gap using cached intermediates, but it’s not guaranteed. Other browsers and devices may fail consistently.

Fix: Configure your server to send the full certificate chain. Your CA provides the intermediate certificates when you download your cert. Concatenate them in order:

-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate - optional, usually not needed)
-----END CERTIFICATE-----

For nginx:

ssl_certificate     /etc/ssl/fullchain.pem;  # Full chain, not just the leaf cert
ssl_certificate_key /etc/ssl/privkey.pem;

For Apache:

SSLCertificateFile      /etc/ssl/cert.pem
# On Apache 2.4.8 and later SSLCertificateFile may hold the full chain, and this directive is no longer needed
SSLCertificateChainFile /etc/ssl/chain.pem
SSLCertificateKeyFile   /etc/ssl/privkey.pem

Test the chain with SSL Labs: https://www.ssllabs.com/ssltest/. It will tell you if intermediates are missing.

3. Expired certificate

Certificates have a validity period. When it expires, Chrome treats the certificate as untrusted even if the CA is valid.

Fix: Renew the certificate. If you use Let’s Encrypt, the certificate is valid for 90 days and should auto-renew via certbot or your hosting provider.

Check if auto-renewal is working:

# Test certbot renewal without actually renewing
sudo certbot renew --dry-run

If certbot’s cron job or systemd timer stopped working, renewal silently fails and the cert expires. Check the timer:

systemctl status certbot.timer

Most managed hosting platforms (Vercel, Netlify, Cloudflare Pages, AWS CloudFront) handle renewal automatically. If you’re on one of these and seeing this error, the problem is likely somewhere else in the chain.

4. Wrong certificate for the domain

The certificate is valid but was issued for a different domain. For example, you visit app.example.com but the certificate only covers example.com and www.example.com.

Fix: Re-issue the certificate to include all domains and subdomains you serve.

With Let’s Encrypt:

sudo certbot certonly --nginx -d example.com -d www.example.com -d app.example.com

Or use a wildcard certificate:

sudo certbot certonly --dns-cloudflare -d example.com -d '*.example.com'

Wildcard certificates require DNS validation, not HTTP validation.
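The following is an added example written for this article, not code from the page or from mkcert or certbot. It is a Go program that uses only the standard library's crypto/x509 to build a throw-away root CA, intermediate and leaf in memory, then verifies the leaf the way a browser does, reproducing causes 1 to 4 above: a self-signed certificate no trust store knows, a mkcert-style leaf whose local root is installed, a chain sent without its intermediate, an expired leaf, and a certificate that does not cover the hostname being visited. The function names (template, issue, Check, Scenarios) and the certificate names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the example short; real code handles errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate valid until ttl from now (negative ttl = already expired).
func template(cn string, serial int64, isCA bool, dnsNames []string, ttl time.Duration) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-48 * time.Hour),
		NotAfter:              time.Now().Add(ttl),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign // issuers need keyCertSign to be accepted in a chain
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signer's key under parent; a nil parent makes it self-signed (what `openssl req -x509` does).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Check verifies leaf for host against roots using only the extra certs the server sent, and names the failure class.
func Check(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool, host string) string {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	switch e := err.(type) {
	case nil:
		return "trusted"
	case x509.UnknownAuthorityError:
		return "unknown authority" // the chain never reaches a trusted root: Chrome's ERR_CERT_AUTHORITY_INVALID
	case x509.HostnameError:
		return "hostname mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	}
	return "other: " + err.Error()
}

// Scenarios reproduces causes 1 to 4 from the article with constructed certificates and returns each verdict.
func Scenarios() map[string]string {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	day := 24 * time.Hour
	sites := []string{"example.com", "www.example.com"}
	root := issue(template("Local Root CA", 1, true, nil, day), nil, &rootKey.PublicKey, rootKey)
	inter := issue(template("Local Intermediate CA", 2, true, nil, day), root, &interKey.PublicKey, rootKey)
	leaf := issue(template("example.com", 3, false, sites, day), inter, &leafKey.PublicKey, interKey)
	expired := issue(template("example.com", 4, false, sites, -day), inter, &leafKey.PublicKey, interKey)
	selfSigned := issue(template("localhost", 5, false, []string{"localhost"}, day), nil, &leafKey.PublicKey, leafKey)
	installed := x509.NewCertPool() // trust store with the local root added, as `mkcert -install` does
	installed.AddCert(root)
	chain := []*x509.Certificate{inter} // what a correctly configured server sends alongside the leaf

	return map[string]string{
		"1 self-signed cert, issuer unknown":    Check(selfSigned, nil, installed, "localhost"),
		"1 leaf signed by installed local CA":   Check(leaf, chain, installed, "example.com"),
		"2 intermediate not sent by the server": Check(leaf, nil, installed, "example.com"),
		"3 expired leaf":                        Check(expired, chain, installed, "example.com"),
		"4 cert does not cover the hostname":    Check(leaf, chain, installed, "app.example.com"),
	}
}

func main() {
	fmt.Println(Scenarios())
}
```

Run it with `go run .`; the two "unknown authority" verdicts are the cases that produce ERR_CERT_AUTHORITY_INVALID, and the difference between them is exactly what fixes 1 and 2 above address: install the local root (mkcert) or send the intermediate (fullchain.pem).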

5. Corporate proxy or antivirus intercepting HTTPS

Some corporate networks and antivirus software install their own root CA on your machine and re-sign all HTTPS traffic. If that root CA is not properly installed or has been removed, Chrome shows ERR_CERT_AUTHORITY_INVALID on every HTTPS site.

Fix: This is not a server issue. Check whether the error happens on all HTTPS sites (Google, GitHub, etc.). If it does, the intercepting proxy’s CA is missing from your trust store.

On macOS, open Keychain Access and look for unfamiliar root CAs. On Windows, check certmgr.msc under Trusted Root Certification Authorities. Ask your IT team if a proxy CA needs to be installed.

Diagnosing with Chrome’s certificate viewer

Click the “Not Secure” warning in the address bar, then “Certificate is not valid.” Chrome shows:

  • Issued to: The domain(s) the certificate covers
  • Issued by: The CA that signed it
  • Valid from / to: The validity period
  • Certificate chain: Each certificate from leaf to root

If the chain shows a red X on any certificate, that’s where the trust breaks. A missing intermediate shows as an incomplete chain. An untrusted issuer shows as an unknown root.

You can also check from the terminal:

openssl s_client -connect example.com:443 -servername example.com

This prints the full certificate chain the server sends. Look for verify return:1 (trusted) or verify return:0 (not trusted) at each level.

Prevention

Use a hosting platform that handles certificates automatically. Vercel, Netlify, Cloudflare Pages, and similar platforms provision and renew certificates with zero configuration. For self-managed servers, set up certbot with automatic renewal and monitor expiration dates.

For local development, install mkcert once and never deal with self-signed certificate warnings again.

Hushbug detects SSL and security errors automatically while you browse. Coming soon to the Chrome Web Store.