Internally Generated SSL Cert works with IE, does not work with FireFox

Posted on 2011-05-03
Last Modified: 2012-06-27

We have a problem with a Web SSL certificate (created internally using a Windows 2008 R2 Microsoft-based PKI) that authenticates just fine with IE 6, 7 and 8, but does not work with any version 3* or 4* of FireFox.

We have a purchased SSL certificate for this site from VeriSign; we are trying to replace it with our internally generated certificate. Surprisingly, if we change out the certificate to the VeriSign certificate, it has no problems getting to the site with any version of IE or FireFox or Opera.

The behavior we see is that with the MS-based (internally generated) certificate, the https:// link to the site DOES work sometimes, but DOES NOT work at other times. It is intermittent. The error it gives is:
‘Secure Connection Failed.  An error occurred during a connection to  Certificate contains unknown critical extension.  (error code: sec_error_unknown_critical_extension).  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.  Please contact the web site owners to inform them of this problem.  Alternatively, use the command found in the help menu to report this broken site.’

The issue is not with FireFox needing to import and install the certificate in its store; the above error occurs even before Firefox normally prompts you to install/import the cert.

Thank you.  msyed1.
Question by:msyed1

    Accepted Solution

    There is an add-on for Firefox called IE Tab 2. You can find this by going to the Firefox add-ons tab and looking in extensions. Works very well. There may be some issue depending on which version of Firefox you are using. I use 4.0 and it works well. It does show that it may not be compatible when upgrading Firefox, but it works.

    LVL 33

    Assisted Solution

    by:Dave Howe
    It doesn't like something in your cert - which happens.

    Netscape have their own set of extensions for such things - can you post the cert file (just the cert, not the private key) and we can check?

    Author Comment


    Can you please tell me how to make sure that the private key is not in there (embedded) in the certificate?

    The certificate I have has a .cer extension. Does a .cer file NOT contain the private key? I just want to make sure before I send it out.

    Thanks for your help.  msyed1
    LVL 33

    Assisted Solution

    by:Dave Howe
    cer files don't have the secret key - just p12 (pfx) files.
    But to make sure - browse to the site in IE, click the padlock, and save the cert from there. That is just the publicly visible (i.e. no secret key) info.
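
Added example (not part of the original thread and not any poster's code): a stdlib-only Python script that lists the extensions in a public .cer file (PEM or DER) and reports which critical ones fall outside a set the client understands, which is the condition behind sec_error_unknown_critical_extension. The `KNOWN` set is illustrative rather than Firefox's actual list, and `SAMPLE` is a constructed skeleton that uses the example OID arc 2.999, not the poster's certificate.

```python
import base64
import re

# Illustrative (assumed) set: keyUsage, subjectAltName, basicConstraints, extKeyUsage.
KNOWN = {"2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.37"}

def read_tlv(buf, pos):                     # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # split a constructed element's contents
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    subids, acc = [], 0
    for b in body:                          # base-128; high bit set = more bytes follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids, acc = subids + [acc], 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def list_extensions(data):
    """Return [(oid, critical)]; critical is an optional BOOLEAN after the OID."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    tbs = children(read_tlv(der, 0)[1])[0][1]            # Certificate -> tbsCertificate
    wrap = [v for t, v in children(tbs) if t == 0xA3]    # [3] EXPLICIT Extensions
    exts = [children(e) for _, e in children(read_tlv(wrap[0], 0)[1])] if wrap else []
    return [(decode_oid(f[0][1]), f[1][0] == 0x01 and f[1][1] != b"\x00") for f in exts]

def unknown_critical(data, known=KNOWN):    # RFC 5280: a client must reject these
    return [oid for oid, crit in list_extensions(data) if crit and oid not in known]

def tlv(tag, body):                         # builder for the constructed sample below
    return bytes([tag, len(body)]) + body

# Constructed skeleton (version, serial, extensions only), not a real certificate.
_EXTS = tlv(0x30,
    tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x01, b"\xff") + tlv(0x04, b"\x30\x00"))
    + tlv(0x30, tlv(0x06, bytes.fromhex("551d0e")) + tlv(0x04, b"\x04\x01\xaa"))
    + tlv(0x30, tlv(0x06, bytes.fromhex("883701")) + tlv(0x01, b"\xff") + tlv(0x04, b"\x05\x00")))
SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, _EXTS)))
```

To check a real file, pass its bytes, for example `unknown_critical(open("site.cer", "rb").read())`, where `site.cer` is a hypothetical file name.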
