Discussions / FAQs

The above key constraints mean that the certificate is allowed to issue signed certificates. It is not possible to purchase a publicly trusted certificate with these constraints from any Certificate Authority. If such a certificate were issued it would be possible to sign an end-entity certificate for any domain and it automatically be trusted by browsers. This creates a significant security risk as the owner of such a certificate could simply just issue a certificate for google.com or paypal.com and inspect all traffic between the user and the server. The main reason for requiring such a certificate is to install on a firewall type device that performs deep packet inspection. This is essentially performing a Man-in-the-Middle attack on the end user using the firewall by breaking end-to-end encryption for that user. The only option is to create a self-signed certificate with these key constraints and then add it as a trusted certificate on all the end user devices connecting through the firewall either via a group policy or asking the end users to install the certificate.

Due to changes implemented by the CA Browser Forum certificates can only have a maximum validity period of 397 days to be trusted by browsers. You can reissue your certificate multiple times during the life of your certificate plan to obtain the full validity. For more information please see our guide on [Multi-Year HTTPS Certificates](https://docs.servertastic.com/docs/multi-year-https-certificates)

Error can occur when visiting a website even in modern browsers.

This message is sometimes displayed when accessing an SSL page via a proxy (including our own payment page PayPal). It is caused by Chrome being unable to render the 502/302 proxy response for some sites (Issue 119713). Check your browsers Proxy settings. If possible remove the proxy and try again. To change this setting, go to [chrome://chrome/settings/](chrome://chrome/settings/) Then Click `Show Advanced Settings`. Scroll down to `Network` and click `Change proxy settings…` Uncheck `Automatically Detect`.

This usually means the implementation of SSL on your server is not correct. The error is usually caused by a server side problem which the server administrator will need to investigate. Below are some things we recommend trying. - Ensure that port 443 is open and enabled on your server. This is the standard port for https communications. - If SSL is using a non-standard port then FireFox 3 can sometimes give this error. Ensure SSL is running on port 443. - If using Apache2 check that you are using port 443 for SSL. This can be done by setting the ports.conf file as follows `— clip — Listen 80 Listen 443 https — clip —` - Make sure you do not have more than one SSL certificate sharing the same IP. Please ensure that all SSL certificates utilise their own dedicated IP. - If using Apache2 check your vhost config. Some users have reported changing `<VirtualHost>` to `_default_` resolved the error.