
SSL Certificate issue during SSO: Certificate Is Not Trusted in Web Browser

Knowledge Article Number 000133733
SSL Certificate issues:
During SSO authentication via Chatter Desktop, Mobile or even SFO, users with server certificate issues could see one of the following errors:
Security Certificate Errors: Certificate Is Not Trusted in Web Browser
"The security certificate presented by this website was not issued by a trusted certificate authority."
      - Internet Explorer 7+ / Chrome
" uses an invalid security certificate."
"The certificate is not trusted because the issuer certificate is unknown."
      - Firefox 3+
" uses an invalid security certificate."
"The certificate is not trusted because it is self signed."
      - Firefox 3+
Salesforce recommends confirming the SSL server certificates and the intermediate server certificates. This can be verified using internal tools or with a quick check via the DigiCert checker.
** Enter the name of your server below and this site will attempt to diagnose the problem and verify proper SSL installation **
More background:
Browsers ship with a built-in list of trusted certificate providers (like DigiCert). When a site's certificate provider cannot be found on that list, the browser warns that the certificate authority is not trusted. While this warning is fairly generic in Internet Explorer, Firefox 3 also distinguishes between a certificate issued by the server itself (a "self-signed" certificate) and other untrusted issuer certificates.
Properly installing a DigiCert SSL certificate should resolve this issue. You should never need to install anything to the client devices/applications in order for your DigiCert SSL certificate to work properly.
If you run into this error after installing a DigiCert certificate, use our SSL certificate checker to find the exact cause of error.
Self-signed Certificates
One possible cause of this error is that a self-signed certificate is installed on the server. Self-signed certificates are "not trusted" because they are generated by your server, not by DigiCert, and do not reference DigiCert in the "Issuer" field when checked with our certificate checker.
If you find a self-signed certificate on the server after going through the process of installing your DigiCert certificate, you will want to generate a new CSR from your server (for help, see our CSR creation instructions) and reissue the certificate inside your DigiCert account by logging in, clicking the order number, and then clicking the reissue link.
Intermediate Certificate Issues
The most common cause of the "trusted certificate authority" error is that the certificate installation has not been properly completed on the server (or servers) hosting the site. When checked with our SSL certificate tester, an incomplete installation will show one certificate file and a broken red chain.
To resolve this problem, install the intermediate certificate (or chain certificate) file on the server that hosts your website. To do that, log in to your DigiCert account, click the order number, and then select the certificate download link. This file should be named DigiCertCA.crt. You will then want to follow your server-specific installation instructions to install the intermediate certificate file.
Once you have imported the intermediate certificate, check the installation using the SSL certificate tester. A proper installation will show multiple certificate files connected by an unbroken blue chain.
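The two causes described above, a self-signed server certificate and a missing intermediate certificate, can be reproduced and told apart offline with the openssl CLI. This is an added example, not part of the original article or of DigiCert's checker; the demo CA names, the host name sso.example.test and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI (all names made up): root CA -> intermediate CA -> server cert.
# Assumes the openssl CLI is installed; nothing here contacts a real server.

mkcsr() {  # mkcsr <dir> <name> <CN>: new RSA key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # build_demo_pki <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    mkcsr "$d" root "Demo Root CA"            # stands in for the browser's trust list
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    mkcsr "$d" inter "Demo Intermediate CA"   # the file the server must also present
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    mkcsr "$d" leaf "sso.example.test"        # server cert issued by the intermediate
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    mkcsr "$d" self "sso.example.test"        # server cert signed with its own key
    openssl x509 -req -in "$d/self.csr" -signkey "$d/self.key" -days 2 \
        -out "$d/self.pem" 2>/dev/null
}

# chain_status <trusted-root.pem> <server.pem> [intermediates.pem]
# Prints one of: ok | self-signed | broken-chain
chain_status() {
    subject=$(openssl x509 -in "$2" -noout -subject_hash)
    issuer=$(openssl x509 -in "$2" -noout -issuer_hash)
    if [ "$subject" = "$issuer" ]; then echo self-signed; return 0; fi
    # -untrusted supplies the intermediates the server would present in the handshake
    if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
    then echo ok
    else echo broken-chain
    fi
}

demo() {
    dir=$(mktemp -d) && build_demo_pki "$dir"
    echo "server cert only:           $(chain_status "$dir/root.pem" "$dir/leaf.pem")"
    echo "server cert + intermediate: $(chain_status "$dir/root.pem" "$dir/leaf.pem" "$dir/inter.pem")"
    echo "self-signed cert:           $(chain_status "$dir/root.pem" "$dir/self.pem")"
    rm -rf "$dir"
}
demo
```

The "server cert only" case corresponds to the incomplete installation the article describes: the server certificate is valid, but the verifier cannot link it to a trusted root until the intermediate is supplied.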
