Firefox sec_error_unknown_issuer

Posted on 2010-01-06
Last Modified: 2013-12-07
Can anyone tell me why Firefox browser issues the sec_error_unknown_issuer for url:    Server team tells me Entrust certificate and the chain certificate are in place for server.  No errors from other browsers such as IE . . . just Firefox.
Question by:jreinhartas400
    LVL 13

    Expert Comment

    You can still see the error in IE, although IE displays the page.

    The problem is with the chain certificate.  Firstly double and triple check the chain certificate is installed correctly.  If you're 100% sure, log a ticket with Entrust and they will most likely send you a new chain certificate that is trusted.
    LVL 31

    Accepted Solution

    The root certificate is trusted in both IE and FF, so this tells me that the web server does not have the intermediate cert installed on it to push to clients.  For IE, the intermediate cert is included in the Trusted Intermediates store, so it is already aware of it.  FF3 does not contain this since they normally only track the root certificate.

    As a workaround, you could export the cert from IE from the Trusted Intermediate store and install that into Mozilla to make sure you are getting a valid copy of the certificate, or download it from the AIA location from Entrust themselves:

    To install to FF3 client:
    Tools - Options - Advanced - Encryption - View Certificates - Authorities -Import - select the intermediate cert.

    If you are the admin for this site, install that cert on the web server so others do not have to mess with this and get the warning message.  If you are not, you may want to contact that site to ask that their admin do this.

    Author Comment

    I will again check with the server admin for the site to ensure the chain certificate is installed.  They tell me the certificate is actually installed on the load balancer which sits in front of the two physical Web servers.   This was done to eliminate having to purchase two certificates.  Not sure if it contributes to the issue or not.
    LVL 31

    Expert Comment

    That's fine as long as it doesn't violate the licensing for the cert vendor - most are okay with doing that but some don't like it.  They would need the whole chain installed on that load balancer then.

    As a side note, if this is going to be sensitive information like PII or PCI, then hopefully they are using an internal certificate on the servers so they can encrypt the last hop between the server and the balancer, otherwise they may be in violation of policy/standards if the last hop is not encrypted.

    Author Comment

    One last question. . . what is meant by ". . the whole chain installed. . . "?
    LVL 31

    Expert Comment

    Often there is more than one CA certificate, especially from commercial vendors.  There may be 2 or 3 (I've seen up to 5) CAs in the issuing chain before it gets to the "end entity" (e.g. SSL server, email user, etc.) certificate.

    The following is somewhat common:
    Root CA
      -- Issuing CA
         -- Your Server

    In IE, there are two different CA trust stores - the root store and the intermediate store.  So the Root CA would be in the root store of the server and clients, but the Issuing CA intermediate (aka subordinate) is not necessarily there since there may be multiple intermediate CAs under the same root (e.g. if a root certificate provider offers resellers the ability to resell certificates under its root).  MS used to include intermediates but has stopped adding more to their program because the list just got too big - those that were already accepted are maintained but there will be no new members to that group like there are for the root certificates.

    So each tier signs the next tier, and the client needs to validate that "chain" up to the top (the root) - if it cannot get the intermediate certs or does not trust the root then the chain gets broken during signature validation.  In order to fix this, the client could install that intermediate cert, but that would be cumbersome, so it is typically the web server's responsibility to have the root and all intermediate certificates in the chain installed so it can provide them to the client.  The digital signatures make it so the source is not as important since the signature is what is being validated - either it was issued from the root or it was not.
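    The following is an added example, not code from anyone in this thread: it builds a constructed Root CA -> Issuing CA -> server chain with the OpenSSL CLI and then shows that the server certificate verifies against the root only when the Issuing CA (intermediate) certificate is supplied alongside it, which is exactly the failure the accepted solution and the chain explanation above describe. All names (Example Root CA, www.example.test) are made up; it assumes openssl 1.1.1 or later is on the PATH.

```shell
# Added example (not from the thread): constructed Root -> Issuing CA -> server
# chain; the leaf verifies only when the intermediate is provided with it.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req/x509 config: one extension profile for CAs, one for the server.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# Tier 1: self-signed Root CA (the only thing a browser's trust store holds).
openssl req -x509 -config ext.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30 2>/dev/null
# Tier 2: Issuing (intermediate) CA, signed by the root.
openssl req -new -config ext.cnf -newkey rsa:2048 -nodes -keyout inter.key \
  -out inter.csr -subj "/CN=Example Issuing CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ext.cnf -extensions ca_ext -days 30 -out inter.pem 2>/dev/null
# Tier 3: the server ("end entity") certificate, signed by the intermediate.
openssl req -new -config ext.cnf -newkey rsa:2048 -nodes -keyout server.key \
  -out server.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile ext.cnf -extensions leaf_ext -days 30 -out server.pem 2>/dev/null

# verify_leaf [extra.pem ...]: validate server.pem against the trusted root,
# treating the given files as the untrusted certificates a server would send.
# Exit 0 = chain built to the root; non-zero = "unable to get local issuer
# certificate", the same condition Firefox shows as sec_error_unknown_issuer.
verify_leaf() {
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  openssl verify -CAfile root.pem $untrusted server.pem
}

verify_leaf || echo "leaf alone: broken chain (intermediate missing)"
verify_leaf inter.pem && echo "leaf + intermediate: chain verifies"
```

    Against a live site, `openssl s_client -connect host:443 -showcerts` lists the certificates the server (or load balancer) actually sends, so an admin can confirm the intermediate is present before asking clients to import anything.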
