This topic describes the causes of and solutions to certificate-related risks.
An SSL certificate is configured for the domain name of my website in the Alibaba Cloud CDN console. However, the browser prompts certificate-related risks when I visit the website from a computer.
Possible causes and solutions
- Possible cause 1: The certificate has expired.
Solution: Renew the certificate and update it in the Alibaba Cloud CDN console. If you purchased the certificate through SSL Certificates Service, see Manually renew an SSL certificate. For more information about how to update an SSL certificate, see Configure an SSL certificate.
- Possible cause 2: The system time is incorrect.
Solution: Check whether the system time of the computer is correct. If the system time is incorrect, the browser can treat a valid certificate as expired or not yet valid, and certificate validation fails. In this case, certificate-related risks arise. Make sure that the system time of your computer is correct before you visit the website again.
- Possible cause 3: The SSL certificate is a self-signed certificate.
Certificates that are signed by yourself instead of issued by a certificate authority (CA) are called self-signed certificates. Self-signed certificates are not trusted by browsers because these certificates can be forged and are vulnerable to man-in-the-middle (MITM) attacks. In this case, certificate-related risks arise.
Solution: Use an SSL certificate that is issued by a CA. You can purchase SSL certificates through SSL Certificates Service.
- Possible cause 4: A web page contains HTTP links.
Solution: Change the HTTP links to HTTPS links.
- Possible cause 5: The TLS version is outdated.
Solution: SSL and TLS provide six versions of protocols: SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3. Among these versions, TLSv1.2 and TLSv1.3 provide the highest level of security. You can set the protocol to TLSv1.2 or TLSv1.3 in the Alibaba Cloud CDN console to address this issue. For more information, see Configure TLS version control.
- Possible cause 6: The cipher suite provides weak encryption capabilities.
Solution: We recommend that you use 128-bit Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) for encryption and ECDHE_RSA as the key exchange mechanism.
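The following Python sketch is an added example, not part of the Alibaba Cloud documentation. It maps the facts of one TLS handshake to causes 1, 2, 3, 5 and 6 above. The function name `diagnose`, the sample certificates and the subject-equals-issuer heuristic are assumptions made for illustration; the certificate dict uses the shape of `ssl.SSLSocket.getpeercert()`, which Python fills only when verification succeeds.

```python
import ssl
import time

SECURE_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # the versions recommended under cause 5


def diagnose(cert, tls_version, cipher_name, now=None):
    """Return the causes from the list above that apply to one handshake.

    cert: dict in the shape returned by ssl.SSLSocket.getpeercert()
    tls_version, cipher_name: as given by SSLSocket.version() and cipher()[0]
    now: epoch seconds from a trusted clock (defaults to the local clock)
    """
    now = time.time() if now is None else now
    findings = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("cause 1: certificate has expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        # "Not yet valid" usually points at a local clock that is behind.
        findings.append("cause 2: certificate not yet valid, check the system time")
    if cert.get("subject") == cert.get("issuer"):
        # Heuristic (assumption): a leaf whose subject equals its issuer is self-issued.
        findings.append("cause 3: certificate looks self-signed")
    if tls_version not in SECURE_VERSIONS:
        findings.append(f"cause 5: outdated protocol {tls_version}")
    # TLSv1.3 suite names carry no key exchange; it is always ephemeral (EC)DHE.
    ecdhe = tls_version == "TLSv1.3" or cipher_name.startswith("ECDHE-")
    if "GCM" not in cipher_name or not ecdhe:
        findings.append(f"cause 6: {cipher_name} is not AES-GCM with ECDHE")
    return findings


def _name(common_name):
    # Helper that builds a subject/issuer tuple in getpeercert() layout.
    return ((("commonName", common_name),),)


# Constructed sample certificates, not taken from a real site.
GOOD = {"subject": _name("www.example.com"), "issuer": _name("Example CA"),
        "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"}
BAD = {"subject": _name("www.example.com"), "issuer": _name("www.example.com"),
       "notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT"}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    for finding in diagnose(BAD, "TLSv1", "AES128-SHA", NOW):
        print(finding)
```

Passing a `now` value a few weeks in the future turns the cause 1 check into an expiry warning for a certificate that is still valid today.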