The NET::ERR_CERT_AUTHORITY_INVALID error occurs when a browser does not trust your website's SSL certificate. This usually happens if you are using a self-signed certificate, the certificate was issued by an unrecognized authority, or the installation is missing the CA Bundle. To fix it, install a valid SSL certificate from a trusted Certificate Authority.
What Is a Certificate Authority?
A Certificate Authority (CA) is an organization that issues and cryptographically signs SSL certificates. Browsers ship with a pre-installed list of trusted CAs:
| | |
| Padlock shown, no warning | Let's Encrypt, Sectigo, DigiCert |
| | Self-signed, expired, misconfigured |
| | |
The chain of trust: Your certificate must trace back to a root CA that browsers already trust. If that chain is broken or the issuer isn't recognized, browsers reject it and show the red warning, even if the encryption itself is technically functional.
Browsers don't evaluate encryption quality. They evaluate trust authority.
Root Cause 1: Self-Signed Certificates
A self-signed certificate is one you generate yourself, often through cPanel's built-in SSL tool, where your server acts as its own Certificate Authority.
The problem: No browser trusts your server as a CA. Chrome, Safari, and Edge all display the full red blocking screen because the certificate chain leads nowhere recognized.
Self-signed certificates are development tools, not production solutions. For any public-facing website, they are not viable. Every visitor sees a warning implying your site is dangerous. Most will leave immediately. Using one on a live business site destroys trust faster than having no HTTPS at all.
Root Cause 2: Missing CA Bundle
Even with a legitimate CA-issued certificate, this error appears if the installation is incomplete.
The chain of trust requires three layers:
- Root certificate (built into the browser)
- Intermediate certificate (bridges root to your cert)
- End-entity certificate (your domain's certificate)
The CA Bundle contains the intermediate certificates. If you install only your domain certificate and omit the CA Bundle, browsers can't build the complete chain back to the root CA.
How it happens: Certificate authorities send multiple files. Webmasters often upload only the main .crt file and skip the ca-bundle file.
How to verify: Use SSL Labs (ssllabs.com/ssltest). A broken chain shows "Chain issues: Incomplete."
Implementation Steps: Install a Trusted Certificate
Step 1: Purchase from a trusted CA NameSilo's SSL certificates are issued by recognized CAs trusted by all major browsers. Step 2: Generate a CSR cPanel → SSL/TLS → Generate Certificate Signing Request. Use your exact domain name.
Step 3: Complete domain validation Confirm ownership via DNS TXT record or email verification.
Step 4: Download all certificate files Your CA provides: domain certificate, intermediate/CA Bundle, and root certificate.
Step 5: Install in cPanel cPanel → SSL/TLS → Install and Manage SSL → paste domain certificate AND CA Bundle. Both are required.
Step 6: Verify Run your domain through ssllabs.com/ssltest to confirm the chain is complete.
Common Mistakes
Telling visitors to click "Proceed Anyway": This trains users to ignore security warnings and permanently signals your site is unsafe. Never ask visitors to bypass a certificate error.
Skipping the CA Bundle: Most common cause on legitimate certificates. Always upload every file your CA provides.
Letting certificates expire: Set a renewal reminder 30 days before expiry. Expired certs show the same blocking screen.
What This Means for You
NameSilo's Turbo hosting plan includes free SSL for all domains on the account. NameSilo also sells SSL certificates separately, issued by trusted CAs and compatible with all browsers. Frequently Asked Questions
What causes ERR_CERT_AUTHORITY_INVALID?
Self-signed cert, missing CA Bundle, or unrecognized issuer.
How do I fix an invalid SSL certificate?
Install a trusted CA-issued cert with complete CA Bundle.
Is a self-signed certificate secure?
Encryption works but browsers block it. Not viable for public sites.
What is a Certificate Authority?
An organization that issues browser-trusted SSL certificates.
Why does Chrome say my connection is not private?
SSL chain broken, self-signed, expired, or CA unrecognized.
What is an SSL CA Bundle? Intermediate certificates linking your cert to the trusted root CA.
How do I get a trusted SSL certificate?
Purchase via namesilo.com/ssl from a recognized CA.
Does NameSilo sell SSL certificates?
Yes. Trusted CA-issued certificates for all major browsers.