Internally Generated SSL Cert works with IE, does not work with FireFox


We have a problem with a Web SSL certificate (created internally using a Windows 2008 R2 Microsoft-based PKI) that authenticates just fine with IE 6, 7 and 8, but does not work with any version 3* or 4* of FireFox.

We have a purchased SSL certificate for this site from VeriSign; we are trying to replace it with our internally generated certificate. Surprisingly, if we change out the certificate to the VeriSign certificate, it has no problems getting to the site with any version of IE or FireFox or Opera.

The behavior we see is that with the MS-based (internally generated) certificate, the https:// link to the site DOES work sometimes, but DOES NOT work at other times. It is intermittent. The error it gives is:
‘Secure Connection Failed.  An error occurred during a connection to  Certificate contains unknown critical extension.  (error code: sec_error_unknown_critical_extension).  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.  Please contact the web site owners to inform them of this problem.  Alternatively, use the command found in the help menu to report this broken site.’

The issue is not with FireFox needing to import and install the certificate in its store; the above error occurs even before Firefox normally prompts you to install/import the cert.

Thank you.  msyed1.
lchomycz Commented:
There is an add-on for Firefox called IE Tab 2. You can find this by going to the Firefox addons tab and looking in extensions. Works very well. There may be some issue depending on which version of Firefox you are using. I use 4.0 and it works well. It does show that it may not be compatible when upgrading Firefox, but it works.

Dave Howe (Software and Hardware Engineer) Commented:
It doesn't like something in your cert - which happens.

Netscape have their own set of extensions for such things - can you post the cert file (just the cert, not the private key) and we can check?
msyed1 (Author) Commented:

Can you please tell me how to make sure that the private key is not in there (embedded) in the certificate?

The certificate I have has a .cer extension. Does a .cer file NOT contain the private key? I just want to make sure before I send it out.

Thanks for your help.  msyed1
Dave Howe (Software and Hardware Engineer) Commented:
cer files don't have the secret key - just p12 (pfx) files.
But to make sure - browse to the site in IE, click the padlock, and save the cert from there. That is just the publicly visible (i.e. no secret key) info.
Question has a verified solution.
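
To see which extensions a certificate marks critical (the condition the `sec_error_unknown_critical_extension` message reports) and to confirm a file is a bare certificate before posting it, a short standard-library Python check is enough. This is an added example, not code from the thread; `SAMPLE` is a constructed skeleton (including its Microsoft-arc OID), not the asker's certificate, and the function names are hypothetical.

```python
import base64, re

# Constructed skeleton, not a real certificate: 3 extensions, 2 flagged critical.
SAMPLE = bytes.fromhex(
    "303f303da003020102020101a3333031300e0603551d0f0101ff0404030205a0"
    "300b0603551d0e04040402abcd301206092b060104018237150a0101ff04023000")

def elements(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                  # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated or malformed DER")
        yield tag, pos, pos + length
        start = pos + length

def decode_oid(b):
    """Decode DER OID content bytes to dotted-decimal form."""
    arcs, val = [], 0
    for byte in b:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def critical_extensions(cert):
    """Return dotted OIDs of extensions marked critical in a PEM or DER certificate."""
    if b"PRIVATE KEY-----" in cert:        # PEM key block present: do not share the file
        raise ValueError("input contains a PEM private key")
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    _, s, e = next(elements(der, 0, len(der)))       # Certificate
    tag, s, e = next(elements(der, s, e))            # tbsCertificate
    if tag != 0x30:                        # PKCS#12 and bare keys start with an INTEGER
        raise ValueError("not an X.509 certificate")
    found = []
    for tag, s1, e1 in elements(der, s, e):
        if tag == 0xA3:                              # [3] EXPLICIT extensions
            _, s2, e2 = next(elements(der, s1, e1))  # SEQUENCE OF Extension
            for _, s3, e3 in elements(der, s2, e2):
                f = list(elements(der, s3, e3))      # OID, [BOOLEAN critical], OCTET STRING
                if len(f) == 3 and f[1][0] == 0x01 and der[f[1][1]] != 0:
                    found.append(decode_oid(der[f[0][1]:f[0][2]]))
    return found
```

Run it over the `.cer` saved from the browser and compare the returned OIDs between the internally issued certificate and the purchased one.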
