KB Article #180875

What does "subject issuer mismatch" mean?

Problem

Almost every time a certificate is checked, there's a message saying "subject issuer mismatch." What does that mean and how do I know if it's a problem?

Resolution


Certificates fall into two categories: certificates that are signed by a higher certificate, and self-signed root certificates, which are signed by themselves. In a self-signed root, the subject and the issuer match, because the certificate is issued by itself. All non-root certificates have a "subject issuer mismatch" because they are not self-signed roots, so there must be some issuing certificate in the certificate chain above them.

So whenever a message mentions a "subject issuer mismatch," it is just calling out the fact that the certificate mentioned is not a self-signed root. When a certificate chain is built, each certificate's issuer is inspected to see if the issuing certificate is trusted. This process continues until a trusted self-signed root certificate is identified and the chain building process is successful, or one of the issuers cannot be found in the trust store, in which case a failure occurs. Note that while all certificate authorities (CAs) can issue other certificates, only a self-signed root can mark the end of a certificate chain and allow a certificate chain to be correctly built.

Accordingly, the "subject issuer mismatch" message only indicates an error when the chain building process fails, identifying some certificate as not being trusted or saying its issuer cannot be found. The rest of the time, it is merely informational: the process needs to continue by looking at the issuer of the certificate for which the "subject issuer mismatch" message was generated before coming to a conclusion.
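The chain-building walk described above, as an added example (not the product's own code), showing when the message is informational and when the chain actually fails. The `Cert` record, `build_chain`, `max_depth` and all certificate names are hypothetical, and the sketch matches subject and issuer names only; a real validator also verifies signatures, validity dates and extensions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def build_chain(leaf, trust_store, max_depth=8):
    """Walk issuer links from leaf toward a trusted self-signed root.

    Returns (ok, log). Name matching only; no signature checks (assumption).
    """
    trusted = {c.subject: c for c in trust_store}
    log, cert = [], leaf
    for _ in range(max_depth):
        if cert.subject == cert.issuer:
            # Self-signed: the chain may end here, but only at a trusted root.
            ok = trusted.get(cert.subject) == cert
            state = "trusted" if ok else "NOT trusted (ERROR)"
            log.append(f"{cert.subject}: self-signed root, {state}")
            return ok, log
        # Not a root: informational only, continue with the issuer.
        log.append(f"{cert.subject}: subject issuer mismatch (info)")
        issuer = trusted.get(cert.issuer)
        if issuer is None:
            log.append(f"{cert.subject}: issuer '{cert.issuer}' "
                       "not found in trust store (ERROR)")
            return False, log
        cert = issuer
    # Guards against issuer loops such as two CAs that name each other.
    log.append("no self-signed root reached within max_depth (ERROR)")
    return False, log

# Constructed sample certificates (names are made up for this example).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA")

if __name__ == "__main__":
    cases = [("full trust store", [ROOT, INTER]),
             ("root missing from trust store", [INTER])]
    for title, store in cases:
        ok, log = build_chain(LEAF, store)
        print(f"== {title}: {'chain built' if ok else 'chain FAILED'}")
        for line in log:
            print("   " + line)
```

Both runs log the same two "subject issuer mismatch" lines; only the second ends with an error, because the issuer of the intermediate cannot be found.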