Today I did a blog post on how browsers show expired certificates. I figured I would take the opportunity to capture a few of the other failure cases for certificates.
The most severe example is that of an untrusted root certificate, for this scenario I figured the use of https://cacert.org was the most direct example.
There are a few cases where this error condition will come up, for example another one is if a server doesn’t include all of the intermediate certificates the clients cannot determine which Certificate Authority issued the certificate.
According to the current SSL Pulse data about 7.4% of the servers in the Alexa top one million may fall into this case.