# 30132: Certificate cannot be validated. 

Log Type: APPLICATION

Log Level: ERROR

## Description

Twilio can't validate the TLS certificate you uploaded for a Link Shortening domain. For Link Shortening, the certificate and private key must be in `PEM` format, use the required `BEGIN` and `END` lines, and match the correct domain or subdomain. Provide the full chain of trust when you encrypt the connection.

### Possible causes

* The certificate was uploaded in the wrong format or does not start and end with the required `PEM` boundaries.
* The private key is missing, malformed, or not in `PEM` or `PKCS #8` format.
* The certificate and key were generated for a different domain or subdomain.
* The full chain of trust was not provided with the upload.

### Possible solutions

* Upload a certificate and private key in `PEM` format, and confirm the certificate starts with `-----BEGIN CERTIFICATE-----` and ends with `-----END CERTIFICATE-----`.
* Confirm the private key starts with `-----BEGIN PRIVATE KEY-----` and ends with `-----END PRIVATE KEY-----`, or use `PKCS #8` format.
* If you use a subdomain, generate the certificate and key for that subdomain.
* Upload the full chain of trust as a single file, including the server certificate, intermediate `CA` certificates, and root `CA` certificate.
* Upload the certificate again in the Console or send the `POST` request to the Link Shortening domain's Certificate subresource, then check the validation status after up to five minutes.

#### Additional resources

* [Link Shortening Onboarding Guide](/docs/messaging/features/link-shortening/onboarding-guide)