VantaCRM

Help

Network troubleshooting

If Vanta CRM won’t load at your office and you’re seeing a certificate error like NET::ERR_CERT_AUTHORITY_INVALID, your corporate firewall is almost certainly the cause — not Vanta CRM.

Why am I seeing a certificate error?

Many corporate networks — especially in finance, healthcare, government, education, and defense — perform TLS inspection on outbound HTTPS traffic. This is done by firewall vendors like Fortinet, Zscaler, Palo Alto Networks, Cisco Umbrella, and Sophos.

Here’s what happens:

  1. You request https://vantacrm.com from your browser.
  2. The corporate firewall intercepts the request, decrypts it for inspection, and re-encrypts it with the company’s own internal certificate authority.
  3. Your browser receives a certificate that wasn’t issued by Let’s Encrypt (our public CA); it was issued by your company’s firewall.
  4. If your device hasn’t been configured to trust that internal CA, the browser refuses the connection and shows the certificate error.

This isn’t something we can fix from our side. Our certificate is valid and signed by Let’s Encrypt, which is trusted by every modern browser by default.

Is this you?

Quick way to tell:

  • Connect to a non-corporate network — your phone’s mobile hotspot is fastest — and try https://vantacrm.com again.
  • If it loads fine on the hotspot but breaks on office Wi-Fi, your work network is doing TLS inspection.

Send this to your IT team

Copy the message below and paste it into a Slack DM, ticket, or email to whoever runs your firewall:

Hi [IT team],

I'm trying to use Vanta CRM (https://vantacrm.com) for work but our
network is blocking it with a certificate trust error. From what I
can tell, our firewall is performing TLS inspection on outbound HTTPS
and re-signing the connection with our internal CA, which my browser
doesn't trust for an external site.

Could you either:

  1. Allow vantacrm.com and *.vantacrm.com through without TLS
     inspection, OR
  2. Add Vanta CRM's certificate authority (Let's Encrypt / ISRG Root
     X1) to the trusted root store on managed devices, OR
  3. Categorize vantacrm.com as "Business / SaaS / CRM" in our
     firewall's URL filtering so it's allowed by policy.

Domains to allow: vantacrm.com and *.vantacrm.com
Public cert chain: Let's Encrypt (leaf issuer may vary) → ISRG Root X1
(standard public CA, in every modern OS / browser trust store)

Thanks!

For IT: technical details

If your IT team wants more before approving:

  • Public domains: vantacrm.com, plus any subdomain under *.vantacrm.com (the wildcard covers all current and future Vanta CRM subdomains).
  • Certificate authority: Let’s Encrypt (leaf intermediate may rotate), chained to ISRG Root X1 — in the default trust store of all major browsers and operating systems since 2021. If you need to trust by root, ISRG Root X1 is the stable anchor; don’t pin a specific intermediate.
  • Certificate management: Automated by Vercel, our hosting provider. Standard ACME / Let’s Encrypt renewals.
  • Suggested URL category: Business / Productivity / CRM. The site is not user-generated content, file sharing, or P2P.

Vendors that should already classify vantacrm.com as legitimate SaaS:

If vantacrm.com is miscategorized in any of these, we’re happy to submit a re-categorization request — email support with the firewall vendor and we’ll handle it.

Still stuck?

If you’ve sent the request to IT and they’re still blocking us, or if you’re seeing a different error (timeout, DNS, “site can’t be reached”), reach out via our contact form with the exact error message and we’ll help triage.

One thing worth saying: TLS inspection is a legitimate security practice. We don’t object to it — we just can’t override it from our side. Your IT team is the right escalation path.