Brave is built on Chromium, so the SSL warnings you see are nearly identical to Chrome's - same wording, same error codes, same underlying validation logic. This guide covers what Brave's "Your connection is not private" warning means and how to fix it.
Why Brave's warnings look like Chrome's
Brave is a Chromium-based browser. Most of its TLS validation, error reporting, and trust store handling comes from the same code that Chrome uses. When you see "Your connection is not private" in Brave, it's the same check that Chrome would have failed.
Two practical implications:
- The error codes you see (
NET::ERR_CERT_DATE_INVALID,NET::ERR_CERT_COMMON_NAME_INVALID, etc.) are identical to Chrome's. - The fixes are identical too. A configuration that satisfies Chrome will satisfy Brave.
Brave does add some privacy-focused features on top (Tor windows, Brave Shields), but those don't change the SSL validation logic.
What the warning means
Brave is refusing to establish a trusted HTTPS connection because something about the site's SSL certificate failed validation. Three checks must all pass:
- The certificate is currently valid (not expired, not before its start date).
- The certificate covers the hostname being requested.
- The certificate's issuer chains up to a trusted CA in the system trust store.
The error codes you'll see (same as Chrome)
NET::ERR_CERT_DATE_INVALID- expired or not-yet-valid certificate.NET::ERR_CERT_COMMON_NAME_INVALID- hostname doesn't match the certificate.NET::ERR_CERT_AUTHORITY_INVALID- issuer not trusted (often self-signed).NET::ERR_SSL_VERSION_OR_CIPHER_MISMATCH- server's TLS version or ciphers are too old.NET::ERR_CERT_REVOKED- certificate has been revoked.
If you're a visitor seeing this warning
Default action: leave the site. The warning is real - trust is broken, and entering passwords or payment information is risky.
Reasonable exceptions:
- The site is yours - use the fixes below.
- The site is an internal tool with a known internal-CA certificate. Get the CA installed on your system; don't click through ad hoc.
- Your system clock is wrong - Brave (like all browsers) trusts the system clock to determine certificate validity. A wrong clock makes valid certificates look expired.
If you own the site and need to fix it
For NET::ERR_CERT_DATE_INVALID (expired)
Issue a new certificate. The quickest path is a free Let's Encrypt certificate via Beacon:
Need a working certificate right now?
Beacon issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No account, no command-line tools, no ACME client to install - just a domain you control. Most people get a working certificate in under 10 minutes.
Get a free certificate from BeaconFor NET::ERR_CERT_COMMON_NAME_INVALID (hostname mismatch)
Your certificate doesn't include the affected hostname on its SAN list. Either issue a new certificate that covers it, or fix your server's SNI configuration to map the right certificate to the right hostname. Watch out for wildcard-depth: *.example.com doesn't cover api.eu.example.com.
For NET::ERR_CERT_AUTHORITY_INVALID (untrusted issuer)
Your certificate is from an issuer that isn't in the trust store, or it has a usage combination Chrome's root program no longer accepts. Most often a self-signed certificate, an internal CA, or - since June 15, 2026 - a public certificate that includes both serverAuth and clientAuth Extended Key Usages.
Since June 15, 2026: the dual-EKU rejection in Chromium browsers
Because Brave inherits its TLS validation from Chromium, it also enforces Chrome Root Program Policy v1.8 - which rejects public TLS certificates that include both serverAuth and clientAuth EKUs. Symptom: the certificate works in Firefox and Safari but throws NET::ERR_CERT_AUTHORITY_INVALID in Brave, Chrome, and Opera. Check your certificate's EKUs:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
| openssl x509 -noout -ext extendedKeyUsage
If both TLS Web Server Authentication and TLS Web Client Authentication appear, ask your CA to reissue with serverAuth only. The deep dive on the two causes of NET::ERR_CERT_AUTHORITY_INVALID after June 15, 2026 covers diagnostics and exact reissuance wording.
For self-signed or internal-CA cases
Switch to a publicly-trusted CA like Let's Encrypt, DigiCert, or Sectigo. Beacon issues free Let's Encrypt certificates in about 10 minutes for urgent replacements.
For NET::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Your server is too restrictive on TLS version or cipher suites. Modern browsers (including Brave) require TLS 1.2 minimum and reject deprecated ciphers. The Mozilla SSL Configuration Generator produces ready-to-paste configurations.
Brave-specific things to check
Two Brave-specific configurations occasionally cause confusion:
- Brave Shields blocking content - if the page partially loads but resources are missing, check Shields settings. Shields can block third-party resources (including some images and scripts) and the page may look broken without an actual SSL issue.
- Tor windows - Brave's private window with Tor changes the network path to the site. If certificates work in regular Brave but not Tor windows, the issue is usually a server-side restriction on Tor exit nodes (or your origin server rejecting unfamiliar geo locations).
Prevent this from happening again
Stop this from happening again
TLS Radar continuously monitors every certificate across your domains and alerts you weeks before anything expires, and also catches the silent failure modes (chain breaks, weak ciphers, hostname mismatches) that expiry-only monitoring misses. Built for solo developers monitoring a handful of sites and for enterprise teams managing thousands of certificates across multiple environments.
Related reading
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.