A user visits a site whose TLS/SSL certificate is valid (not expired and matches the domain), yet the browser still warns that the connection is not trusted. What is the most likely reason?
The system clock on the user's device is set incorrectly, making the certificate appear invalid.
The certificate's common name or SAN does not match the site's domain.
The browser cannot negotiate any cipher suites supported by the server's certificate.
The certificate was issued by a Certificate Authority that is not in the browser's trusted root store.
A certificate can be perfectly valid (correct host name and within its validity dates) and still trigger a trust warning if the browser cannot build a chain of trust to a root certificate that it recognizes. This occurs when the issuing Certificate Authority (CA) is not in the browser's trusted root store-for example, an internal or regional CA that the browser does not know about. Importing the CA's root certificate (or using a certificate from a globally trusted CA) resolves the warning.
Why others are wrong:
Expired or mismatched certificates cause different errors (e.g., date or name mismatch) rather than an unknown-issuer warning.
An outdated browser typically produces protocol-support errors such as "ERR_SSL_VERSION_OR_CIPHER_MISMATCH," not an unknown-issuer message.
Unsupported algorithms or cipher suites result in handshake failures, not an untrusted-issuer warning.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Certificate Authority (CA) and why is it important?
Open an interactive chat with Bash
What is a browser's trusted root store and how does it work?
Open an interactive chat with Bash
How can users fix an 'untrusted certificate' warning caused by an unrecognized CA?