SSL certificate errors and how to fix them

If a website's SSL certificate is expired or incorrect, web users may be dissuaded from loading the website.

Learning Objectives

After reading this article you will be able to:

  • Understand what SSL, or TLS, is and does
  • List common SSL errors
  • Understand how to fix these errors



Secure Sockets Layer (SSL) is a protocol for encrypting and authenticating data traveling between clients and servers on the Internet. The updated version of the protocol is called Transport Layer Security (TLS).

SSL/TLS relies on the use of an SSL certificate, which is a data file hosted on a web server that helps encrypt traffic and verify the server's identity. The server and the client (the device used by a person trying to reach the website hosted on the server) use the SSL certificate to establish symmetric encryption keys and begin a secure, encrypted transmission — all in a matter of milliseconds. Encrypting the data passing between users and servers helps to prevent data compromises, allowing websites to retain user trust and meet compliance requirements.

What is an SSL error?

SSL/TLS certificate problems can stop users from safely loading and accessing websites and applications. Below are some of the common SSL certificate errors (or TLS errors) that users and website administrators may encounter.

SSL certificate is not trusted

Most SSL certificates are issued, and signed, by an external organization called a certificate authority. Self-signed certificates are often not trusted by browsers, since no external authority verified the certificate. A certificate authority may also not be recognized by the browser for some other reason: SSL certificates issued by Symantec, for example, are no longer trusted by major browsers. This SSL certificate error can result in a "Your connection is not private" message in the browser, which can prevent users from visiting the website.

Getting an SSL certificate from a more widely supported certificate authority can fix this error. (Cloudflare, for instance, offers SSL certificates for free that are trusted by all browsers.)

Wrong TLS version

The Internet community has updated the SSL/TLS protocol many times over the years to fix vulnerabilities and make the authentication process faster — the name change from SSL to TLS reflects this.

Many web services have started to enforce the usage of the latest protocols. The most current and widely used version of TLS is TLS 1.3, with TLS 1.2 remaining in use as well.

For web hosts and websites configured to only accept the most secure protocols, clients must support TLS 1.2 at minimum or else the TLS handshake cannot take place as planned. (The error "a fatal error occurred while creating a TLS client credential" may be observed in such cases.) A user should make sure the browser and operating system on their device support the newest, most secure versions of TLS to avoid this SSL certificate error.
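To make the minimum-version requirement concrete, here is an added example written for this article (it is not Cloudflare's code and does not come from the original page) using Python's standard ssl module. It builds a server context that refuses anything below TLS 1.2 and includes a small helper that works out, from a client's and a server's supported version ranges, whether a handshake can take place at all. The client version ranges passed in at the bottom are constructed for illustration.

```python
import ssl


def make_server_context() -> ssl.SSLContext:
    """Server-side context that only accepts TLS 1.2 and TLS 1.3.

    A certificate and private key would be loaded with load_cert_chain()
    before use; that step is omitted here because no key pair is available
    offline. Clients limited to TLS 1.0 or 1.1 are rejected during the
    handshake with a protocol-version alert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def negotiated_version(client_range, server_range):
    """Return the TLS version a handshake would settle on, or None.

    Each range is a (minimum, maximum) pair of ssl.TLSVersion members.
    TLS chooses the highest version both sides support; if the two ranges
    do not overlap there is no common version and the handshake fails.
    """
    lowest_common = max(client_range[0], server_range[0])
    highest_common = min(client_range[1], server_range[1])
    if lowest_common > highest_common:
        return None
    return highest_common


def explain(client_range, server_range):
    """Human-readable outcome, useful when diagnosing a failing client."""
    chosen = negotiated_version(client_range, server_range)
    if chosen is None:
        return (f"handshake fails: client offers up to {client_range[1].name}, "
                f"server requires at least {server_range[0].name}")
    return f"handshake succeeds with {chosen.name}"


if __name__ == "__main__":
    server = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    # Constructed client capabilities for illustration: an outdated browser
    # stuck on TLS 1.0/1.1 and a current one supporting TLS 1.0 through 1.3.
    print(explain((ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1), server))
    print(explain((ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_3), server))
```

The negotiation helper is a model of what the handshake does, not a replacement for it; the real decision is made by the TLS library once the context is used with a socket. It is enough, though, to show why an outdated client fails against a server that enforces TLS 1.2 or higher.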

Expired SSL certificate

Just as some government-issued identification documents like passports expire after a certain number of years, SSL certificates have to be renewed periodically. This helps ensure that the same entity still operates the web service in question, just like updating one's passport photo helps to confirm one's identity. An expired SSL certificate will not be trusted by a client's web browser, so the TLS handshake cannot proceed and no secure connection can be established.

To fix this SSL issue, web administrators need to make sure their SSL certificates are all up to date for their domains and subdomains.

This error can also occur if the client's clock is incorrect: the browser compares the certificate's validity period against the device's clock, so a clock that is far off makes a perfectly valid certificate look expired (or not yet valid). Resetting the clock on the client device fixes the error in such cases.
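The following is an added example, not code from the article or from Cloudflare, showing how a client checks a certificate's validity window and why a wrong clock produces the same symptom as a genuinely expired certificate. It uses the field layout Python's ssl module returns from getpeercert() and the standard ssl.cert_time_to_seconds() parser; the certificate dates, the name and the clock values are constructed for the example.

```python
import ssl
import time

# Constructed certificate fields in the layout returned by
# ssl.SSLSocket.getpeercert(); the name and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

SECONDS_PER_DAY = 86400


def validity_window(cert):
    """(notBefore, notAfter) as Unix timestamps, parsed with the ssl module."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def validity_status(cert, now=None):
    """Classify the certificate against a clock.

    Returns "valid", "expired" or "not_yet_valid". `now` is a Unix timestamp
    and defaults to the local clock, which is the value that is wrong when a
    client's clock has drifted: a perfectly good certificate then shows up
    as expired (clock too far ahead) or not yet valid (clock too far behind).
    """
    if now is None:
        now = time.time()
    not_before, not_after = validity_window(cert)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def needs_renewal(cert, now=None, warn_days=30):
    """True when the certificate has expired or will expire within warn_days.

    This is the check an administrator's monitoring would run so that a
    certificate is renewed before clients start rejecting it.
    """
    if now is None:
        now = time.time()
    _, not_after = validity_window(cert)
    return not_after - now < warn_days * SECONDS_PER_DAY


if __name__ == "__main__":
    # Constructed clock values: mid-2024 (correct), early 2025 (clock ahead,
    # or the certificate genuinely lapsed) and late 2023 (clock behind).
    for label, clock in (("correct clock", 1720000000),
                         ("clock ahead", 1740000000),
                         ("clock behind", 1700000000)):
        print(f"{label}: {validity_status(SAMPLE_CERT, clock)}")
```

The point of passing `now` explicitly is that the browser cannot tell a bad clock from a lapsed certificate; both are simply "now is outside the validity window". On the server side, `needs_renewal()` is the kind of check that keeps the expiry case from happening in the first place.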

SSL common name mismatch error

A name mismatch error occurs when the name on the SSL certificate does not match the hostname in the URL entered by the client. This can happen if the user has entered a different top-level domain than expected, typed "www" when that name is not listed on the certificate, or misspelled the domain in some other way. A name mismatch can also occur if the website operator has mislabeled their certificate or has failed to include all the public-facing names of their domain. Finally, a common name mismatch error can happen when either the client or the server does not support the SNI extension (more on this below).

To avoid this error, website administrators should make sure they spell the domain correctly on their SSL certificates. Additionally, the Subject Alternative Name (SAN) section of the SSL certificate should list all the legitimate alternative presentations of the domain name.
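As an added example (not part of the article and not Cloudflare's code), here is the hostname check a browser performs against the certificate's Subject Alternative Name entries, including the one-label wildcard rule, written in Python against the field layout returned by the ssl module's getpeercert(). Both certificates below are constructed for the example; the second one shows why a certificate that lists only "*.example.com" still fails for the bare "example.com" name.

```python
# Constructed certificates in the layout returned by
# ssl.SSLSocket.getpeercert(); every name here is made up.
SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

# A certificate whose only SAN entry is a wildcard: it does NOT cover the
# bare apex name, which is one way the "www" mismatch in the text arises.
WILDCARD_ONLY_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def certificate_names(cert):
    """DNS names the certificate claims.

    Modern browsers consult only subjectAltName; the commonName is used here
    purely as a fallback when no SAN entries exist, as older clients did.
    """
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname, RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the complete left-most label and covers exactly one
    label: *.example.com matches www.example.com but neither example.com nor
    a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def hostname_matches(cert, hostname):
    """True when any name on the certificate covers the requested hostname."""
    return any(name_matches(n, hostname) for n in certificate_names(cert))


def explain_mismatch(cert, hostname):
    """Text a diagnostic tool might print for the name-mismatch case."""
    if hostname_matches(cert, hostname):
        return f"{hostname} is covered by the certificate"
    return (f"{hostname} is not covered; certificate names are: "
            + ", ".join(certificate_names(cert)))


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "example.org",
                 "a.b.example.com"):
        print(explain_mismatch(SAN_CERT, host))
    print(explain_mismatch(WILDCARD_ONLY_CERT, "example.com"))
```

Running it shows the cases the text lists: a different top-level domain ("example.org") and a name the SAN list does not include both fail, and the wildcard-only certificate fails for the apex name even though it would accept "www.example.com". Listing every public-facing name explicitly in the SAN section avoids all of these.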

Host server does not use SNI

Server Name Indication (SNI) is an extension to the TLS protocol for use when multiple domains are hosted on one server. When a client starts a connection, it is connecting directly to a server (indicated by an IP address). That server could be hosting multiple websites — like an apartment building in which multiple residents live.

SNI is an extension that, to continue the analogy, puts an apartment number on the address so that the server knows to which website — or "apartment" — to direct the request for an SSL connection. But if the request to the server does not use SNI, the server might show the wrong SSL certificate to clients initiating a connection, resulting in a common name mismatch error.

To avoid this error, website administrators should use web hosts that support the latest TLS protocols, including SNI (and encrypted SNI).

How does Cloudflare eliminate SSL certificate errors?

Cloudflare helps website operators avoid these errors by automatically managing and renewing certificates for all customer websites. Making sure certificates are not expired can be a full-time job when organizations have dozens, hundreds, or millions of subdomains to manage. But Cloudflare automates this process.

Learn about Cloudflare SSL certificate options on the Plans page.