• Status: Solved
  • Priority: Medium
  • Security: Public

Firefox says my SSL website is not to be trusted, but IE, Chrome, Safari do

I have a virtual private server running my ecommerce website. The SSL certificate has been there for about 2 years, with another year to go before the SSL certificate expires. Lots of orders, but occasionally I get a customer saying they get a message saying not to trust the site because it can't be verified.
The message is:
"The certificate is not trusted because no issuer chain was provided."
Looking at the web, it talks about the issuer chain not being specified. I use Linux with a Plesk control panel, and installing the SSL certificate is very easy, with no options.

And on IE, Chrome, Safari there is NO problem; it works correctly.

Does anyone know what I have to do to my website to get the issuer chain recognized?
2 Solutions
This is not your problem as such.

This is on the client side; the cert chain is as such:

Issuer - e.g Verisign etc
CA - e.g. an intermediate cert which "should" be publicly trusted
Your cert.

Firefox should store the CA from your chain when it's provided; this might be a glitch with FF.

You're probably missing an intermediate certificate from the issuer. You should have received the intermediate certificate along with your web server certificate when you bought it. You need to use openssl (best tool to do this) to 'chain' them together.

Unfortunately, Plesk doesn't have tools for you to do this, so you should download:

-Web server certificate
-intermediate certs issued by your CA (could be 1, 2 inter certs)
-root ca cert

into a single location, download and install openssl and follow the instructions here:


You should end up with a single chain certificate that includes all 3 certs, and that's the one you'll publish.

Here is additional info on actually installing from a Plesk control panel:


If your cert is from a trusted authority, there is very little chance one of the certs in your chain would be missing from the local cert store on your webserver; however, the above link should give you an easy walkthrough.

He doesn't need help installing the cert via Plesk as he's already done that. He needs to chain his cert to the intermediate certs issued by the CA.

@OP, what CA did you get the cert from?

I am guessing you did not read the link before commenting on what the link says?

About the Intermediate Certificate
Before you install your issued SSL certificate, you must install our intermediate certificate on your Web server. Intermediate certificates provide an added level of security because the Certification Authority (CA) does not need to issue certificates directly from the CA root certificate.

An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust-chain that begins at the trusted root CA, through the intermediate, and finally ending with the SSL certificate issued to you. Such certificates are called "chained root certificates."

You can download the intermediate/root certificate bundle — (gd_bundle.crt) — from our repository.

I do think identifying the CA certs in the chain would help.

Double-click on your certificate and go to the Certification Path tab.
There you will see the chain:
At the top is the root cert and at the bottom is your cert.
In the middle are the CA - Intermediate certs.

Those are the ones you want to install (if they are missing from your server).

You're right, I didn't even bother to open the link as I'd assume the info would be useless - but keep in mind that what it says on that link, and what you quoted, I had already pointed out.

chilternPC (Author) commented:
Thank you people. I contacted my host and somehow the CA part was missing, so they sent that part over and I've installed it.
Question has a verified solution.
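
The missing-intermediate condition the thread ends on, reproduced offline as an added example that is not from any of the posts above. It builds a throwaway root, intermediate and server certificate (the names `Demo Root CA`, `Demo Intermediate CA` and `shop.example.test` are constructed), then shows verification failing with the server certificate alone and passing once the bundle is supplied.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> server). Every name and file
# here is made up for the example; nothing comes from the site in the thread.

issue() {  # issue DIR NAME CN EXTFILE [SIGNER]; without SIGNER it is self-signed
  d=$1; name=$2; cn=$3; ext=$4; signer=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ -z "$signer" ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
      -days 30 -extfile "$ext" -out "$d/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$signer.crt" \
      -CAkey "$d/$signer.key" -CAcreateserial -days 30 \
      -extfile "$ext" -out "$d/$name.crt" 2>/dev/null
  fi
}

make_demo_pki() {  # make_demo_pki DIR
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:shop.example.test\n' > "$d/leaf.ext"
  issue "$d" root   "Demo Root CA"         "$d/ca.ext"         || return 1
  issue "$d" inter  "Demo Intermediate CA" "$d/ca.ext"   root  || return 1
  issue "$d" server "shop.example.test"    "$d/leaf.ext" inter || return 1
  # The bundle described in the thread: server cert, intermediate, then root.
  cat "$d/server.crt" "$d/inter.crt" "$d/root.crt" > "$d/bundle.pem"
}

# A client that trusts only the root and is handed only the server
# certificate cannot build a path to the root, so verification fails.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same client, but the bundle is supplied as untrusted chain material.
verify_with_bundle() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/bundle.pem" \
    "$1/server.crt" >/dev/null 2>&1
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }  # certificates in a PEM file

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl could not build the demo PKI" >&2; exit 1; }
verify_leaf_only "$demo"   || echo "server cert alone: no issuer chain, NOT trusted"
verify_with_bundle "$demo" && echo "with bundle ($(count_certs "$demo/bundle.pem") certs): trusted"
rm -rf "$demo"
```

Against a live site, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) prints the certificates the server actually sends, which is where a missing intermediate shows up.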