Internally Generated SSL Cert works with IE, does not work with Firefox

Posted on 2011-05-03
Medium Priority
Last Modified: 2012-06-27

We have a problem with a Web SSL certificate (created internally using a Windows 2008 R2 Microsoft-based PKI) that authenticates just fine with IE 6, 7 and 8, but does not work with any version 3* or 4* of Firefox.

We have a purchased SSL certificate for this site from VeriSign; we are trying to replace it with our internally generated certificate.  Surprisingly, if we change out the certificate to the VeriSign certificate, it has no problems getting to the site with any version of IE or Firefox or Opera.

The behavior we see is that with the MS-based (internally generated) certificate, the https:// link to the site DOES work sometimes, but DOES NOT work at other times.  It is intermittent.  The error it gives is:
‘Secure Connection Failed.  An error occurred during a connection to xxx.xxxxxx.com.  Certificate contains unknown critical extension.  (error code: sec_error_unknown_critical_extension).  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.  Please contact the web site owners to inform them of this problem.  Alternatively, use the command found in the help menu to report this broken site.’

The issue is not with Firefox needing to import and install the certificate in its store; the above error occurs even before Firefox normally prompts you to install/import the cert.

Thank you.  msyed1.
Question by:msyed1

Accepted Solution

lchomycz earned 668 total points
ID: 35515025
There is an add-on for Firefox called IE Tab 2. You can find this by going to the Firefox add-ons tab and looking in extensions. Works very well. There may be some issues depending on which version of Firefox you are using. I use 4.0 and it works well. It does show that it may not be compatible when upgrading Firefox, but it works.


Assisted Solution

by:Dave Howe
Dave Howe earned 1332 total points
ID: 35706004
It doesn't like something in your cert - which happens.

Netscape have their own set of extensions for such things - can you post the cert file (just the cert, not the private key) and we can check?

Author Comment

ID: 35706767

Can you please tell me how to make sure that the private key is not in there (embedded) in the certificate?

The certificate I have has a .cer extension.  Does a .cer file NOT contain the private key?  I just want to make sure before I send it out.

Thanks for your help.  msyed1

Assisted Solution

by:Dave Howe
Dave Howe earned 1332 total points
ID: 35708416
cer files don't have the secret key - just p12 (pfx) files.
But to make sure - browse to the site in IE, click the padlock, and save the cert from there. That is just the publicly visible (i.e. no secret key) info.
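
The pre-share check asked about above, as an added example that is not part of the original thread: a Python sketch that classifies a file by its content rather than its extension, since a .cer export may be DER or Base64 (PEM) and a PEM file can hold more than one block. The function names are hypothetical and the byte strings are constructed header stubs, not real certificates or keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _content_start(buf, pos):
    """Offset of the content of the DER element whose tag is at pos."""
    first = buf[pos + 1]
    return pos + 2 + (first & 0x7F if first & 0x80 else 0)

def classify_der(der):
    """Classify a DER blob from its first tags (heuristic, not a full parse)."""
    try:
        if der[0] != 0x30:                 # every format of interest is a SEQUENCE
            return "unknown"
        inner = _content_start(der, 0)
        if der[inner] == 0x02:             # INTEGER version first: PKCS#12, PKCS#8, PKCS#1
            return "private-key-container"
        if der[inner] == 0x06:             # OID first: PKCS#7/CMS ContentInfo (.p7b)
            return "pkcs7"
        if der[inner] == 0x30:
            first = der[_content_start(der, inner)]
            if first in (0xA0, 0x02):      # tbsCertificate: [0] version or serial number
                return "certificate"
            if first == 0x06:              # AlgorithmIdentifier: encrypted PKCS#8 key
                return "encrypted-private-key"
    except IndexError:                     # truncated or empty input
        pass
    return "unknown"

def classify_file(data):
    """Return one finding per PEM block, or a single finding for a binary file."""
    blocks = PEM_RE.findall(data.decode("latin-1"))
    if not blocks:
        return [classify_der(data)]
    return ["private-key-container" if "PRIVATE KEY" in label
            else classify_der(base64.b64decode(body)) for label, body in blocks]

def safe_to_share(data):
    """True only if every object found in the file is a bare certificate."""
    return all(f == "certificate" for f in classify_file(data))

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)).encode()

# Constructed header stubs: just enough leading bytes for the tag checks above.
CERT_DER = bytes.fromhex("308201003081f0a003020102")
PFX_DER = bytes.fromhex("30820a00020103")
ENC_KEY_DER = bytes.fromhex("30820200301c060a")
COMBINED_PEM = _pem("CERTIFICATE", CERT_DER) + _pem("RSA PRIVATE KEY", PFX_DER)
```

Anything other than a file made up solely of `certificate` findings is worth a second look before it leaves the organisation.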


Question has a verified solution.
