ERR_CERT_AUTHORITY_INVALID: What It Means and How to Fix It

What ERR_CERT_AUTHORITY_INVALID actually means

TLS certificate trust works in a chain: the site's certificate is signed by an intermediate CA, which is signed by a root CA that is pre-trusted in your OS/browser. If Chrome can't trace that chain to a trusted root — because the certificate is self-signed, the intermediate is missing, or the root is unknown — it shows this error. It is not necessarily an attack; it's often a misconfigured server or an internal service without a public certificate.

Most likely causes (ranked)

1. Self-signed certificate on a local/internal server (router admin, home lab, NAS)
2. Missing intermediate certificate on the server — chain is incomplete
3. Corporate SSL inspection replacing certificates with an internal CA cert
4. Antivirus or security software performing HTTPS inspection (Avast, Kaspersky, ESET)
5. Outdated OS with stale root certificate store

How to fix ERR_CERT_AUTHORITY_INVALID

Step 1: Inspect the certificate issuer

Click the warning icon in the address bar → "Certificate is not valid" → Details. Look at the Issuer field. If it names your antivirus vendor, your employer, or "Self-Signed", that explains the error.

Step 2: Test from Firefox

Firefox uses its own certificate store. If Firefox loads the site fine, the problem is Chrome's root store on your system. If Firefox also rejects it, the certificate is genuinely invalid.

Step 3: Update your OS and browser

Root certificates are distributed via OS updates. An outdated Windows, macOS, or Android may not include newer root CAs. Install all pending system and browser updates, then retry.

Step 4: Disable SSL inspection in antivirus

In your antivirus settings, look for "Web Shield", "HTTPS Scanning", or "SSL Inspection" and disable it. This stops the antivirus from replacing certificates with its own. You will lose some antivirus protection for HTTPS content but will resolve the certificate errors.

Step 5: For your own server — use Let's Encrypt

If you manage the server, replace the self-signed certificate with a free Let's Encrypt certificate (trusted by all browsers). Use certbot or your hosting panel's built-in SSL tool. Certificates auto-renew every 90 days.

Frequently Asked Questions

Is it safe to click "Proceed anyway"?

Only for internal tools you control (home lab, router, NAS) where you understand why the cert is self-signed. Never proceed on a public website — the error could indicate a man-in-the-middle attack intercepting your connection.

Why does my router's admin page show this error?

Home routers use self-signed certificates for local admin access — they can't get public CA certificates since they have no public domain name. Expected and safe to bypass at 192.168.x.x — verify the IP matches your router's address first.