# How to handle NET::ERR_CERT_AUTHORITY_INVALID



## blind0ne (Feb 7, 2022)

Hi, what if I want to produce certificates and don't want to receive 'NET::ERR_CERT_AUTHORITY_INVALID' in web browser? where and how my browser asks about cert's origin?


----------



## SirDice (Feb 7, 2022)

The Howto section is not for _asking_ how to do things. Thread moved.


----------



## SirDice (Feb 7, 2022)

blind0ne said:


> where and how my browser asks about cert's origin?


The certificate itself. It tells you who signed it. At the top there's a CA certificate, a Certificate Authority. These CA certificates are root certificates, on FreeBSD they're included with security/ca_root_nss. It's these CA certificates you trust. If a certificate has been signed by any one of those trusted certificate authorities then the certificate is valid. If the CA cannot be verified (or isn't trusted) then you get a certificate authority error. This typically happens with self-signed certificates. If you used self-signed certificates then you have to make sure your browser imports that CA certificate you created and used to sign your self-signed certificates with.


----------



## blind0ne (Feb 8, 2022)

SirDice said:


> The certificate itself. It tells you who signed it. At the top there's a CA certificate, a Certificate Authority. These CA certificates are root certificates, on FreeBSD they're included with security/ca_root_nss. It's these CA certificates you trust. If a certificate has been signed by any one of those trusted certificate authorities then the certificate is valid. If the CA cannot be verified (or isn't trusted) then you get a certificate authority error. This typically happens with self-signed certificates. If you used self-signed certificates then you have to make sure your browser imports that CA certificate you created and used to sign your self-signed certificates with.


How the verification is being done? What is protection mechanism from the "fake" authority?


----------

