This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Your connection is not secure ... This site uses HTTP Strict Transport Security (HSTS) ... Firefox shows the certificate only PEM encoded

  • 3 replies
  • 1 has this problem
  • 1 view
  • Last reply by pabouk

more options

When there is an error during TLS handshake and the site uses HSTS Firefox shows the server's certificate from the TLS handshake only PEM encoded and I have to use additional tools to decode it and see what is going on.

Why does not Firefox show the certificate in a human-readable form? It already has a code to present certificates that way.

Am I missing something or is the PEM encoded certificate really the only form accessible?


--- Example:

Access to Google's web cache was blocked by Cisco Umbrella. The faked certificate required for redirection to a block page was rejected in Firefox and the certificate was shown only in PEM format:

https://webcache.googleusercontent.com/search?q=cache:FJ96nGORP9wJ:https://mailchimp.com/help/set-up-custom-domain-authentication-dkim-and-spf/+&cd=1&hl=cs&ct=clnk&gl=cz&client=firefox-b

Your connection is not secure

The owner of webcache.googleusercontent.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

...

webcache.googleusercontent.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

...

https://webcache.googleusercontent.com/search?q=cache:FJ96nGORP9wJ:https://mailchimp.com/help/set-up-custom-domain-authentication-dkim-and-spf/+&cd=1&hl=cs&ct=clnk&gl=cz&client=firefox-b

Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: true

Certificate chain:


BEGIN CERTIFICATE-----

MIIDZjCCAk6gAwIBAgIEW6HOoTANBgkqhkiG9w0BAQsFADBAMS4wLAYDVQQDDCVD aXNjbyBVbWJyZWxsYSBTZWNvbmRhcnkgU3ViQ0EgZnJhLVNHMQ4wDAYDVQQKDAVD aXNjbzAeFw0xODA5MTcwNDM5MTdaFw0xODA5MjIwNDM5MTdaMHsxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv MRYwFAYDVQQKDA1PcGVuRE5TLCBJbmMuMScwJQYDVQQDDB53ZWJjYWNoZS5nb29n bGV1c2VyY29udGVudC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQD0TX5IY2Xi2N7PeTFn8stAdxqBFuJ5bZB6O1ALVS11+gbmy8nEfbP/aja/g+8B R3f/JB8JaY8+O68t3oTC1Vbn0pvuvvk5vMufoPP62PcVugsI3RdeB12RVFoG+QaO ZcErUwGRR5aH25lrGE+gXa6Np0ExQBjAV4ZDoqLB6ZgBeB4816CV1NPySsXHwVFx 3h2hm25LJ+ZoL1X4hezMHvwzf9CAUorH+qanduzw5lCu60S1fk9oLUk6hpSoMV0q fXq9n4p+9VRp67yXmUwPM9g+KsSa/WAuh56bugvj5LsBK5mL/btUBRpgD/+zx2cR zB+tt4itAHnMDDqTodvDsj3tAgMBAAGjLTArMCkGA1UdEQQiMCCCHndlYmNhY2hl Lmdvb2dsZXVzZXJjb250ZW50LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA07a+29pT U7DtxDySJeU6jyVc6DCR0VAz3VZ8gj/750hw40cIXLND6XriYcO669bjOjtPwKE4 B8hJAsCEABnlVi1bgUnDYw2oFk+ZfVso0a/bHynjF4TSUmAoocxOjU6nQe5CixIF zYeqCTOs51qIW7SRaGdxD0TFnJY5o8guz3/aYgBnorcJ12q4+arNHjFRmrjh0q/j 9iItYR+CkWQigcSne4T295DataQNORkMDpCqLiQSsw8su+tqjVRyTtzVuDUQuesH 797EXZyHhXEQnjSI/tJof1M5Qgs0/HT0eCHvXG2cl+vFba9cYQSeYlGLjFpkNAWs 1SdvpLrw1k1ojQ==


END CERTIFICATE-----
BEGIN CERTIFICATE-----

MIID3DCCAsSgAwIBAgIQfFUmaREoTviv9wVXxFf5MDANBgkqhkiG9w0BAQsFADA3 MSUwIwYDVQQDDBxDaXNjbyBVbWJyZWxsYSBQcmltYXJ5IFN1YkNBMQ4wDAYDVQQK DAVDaXNjbzAeFw0xODA5MTcxOTM5NDdaFw0xODA5MjgxOTM5NDdaMEAxLjAsBgNV BAMMJUNpc2NvIFVtYnJlbGxhIFNlY29uZGFyeSBTdWJDQSBmcmEtU0cxDjAMBgNV BAoMBUNpc2NvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9E1+SGNl 4tjez3kxZ/LLQHcagRbieW2QejtQC1UtdfoG5svJxH2z/2o2v4PvAUd3/yQfCWmP PjuvLd6EwtVW59Kb7r75ObzLn6Dz+tj3FboLCN0XXgddkVRaBvkGjmXBK1MBkUeW h9uZaxhPoF2ujadBMUAYwFeGQ6KiwemYAXgePNegldTT8krFx8FRcd4doZtuSyfm aC9V+IXszB78M3/QgFKKx/qmp3bs8OZQrutEtX5PaC1JOoaUqDFdKn16vZ+KfvVU aeu8l5lMDzPYPirEmv1gLoeem7oL4+S7ASuZi/27VAUaYA//s8dnEcwfrbeIrQB5 zAw6k6Hbw7I97QIDAQABo4HaMIHXMB8GA1UdIwQYMBaAFDdBmFo9IC5nyg0yyyfJ 4MXtup/pMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1Ud DgQWBBSBis+lMcwbHfWJiscPE9K4PvXpeTBxBggrBgEFBQcBAQRlMGMwIwYIKwYB BQUHMAGGF2h0dHA6Ly9vY3NwLm9wZW5kbnMuY29tMDwGCCsGAQUFBzAChjBodHRw Oi8vY2FjZXJ0cy5vcGVuZG5zLmNvbS80NDg2M0FCMTU0NjQ1OEQ3Mi5jcnQwDQYJ KoZIhvcNAQELBQADggEBACFLQR9MK/TNZfDIAzII+hfkM5v9cjmb7REHCsK+sr/w /Lxt95T65RvqMMLa/DmN4jjRK9nBPIeVeHoupUbY2wygAG8tyurjCBLSV+Oc4PnW PqQ0/u2na8M4GUSgtjFjxgkhwsSAt/O6KINNJs5jMsxTW0X+Y1l1WHcGOWahQOtp dt7LBdsrNOiclihcOWW0Pf9yLo15g+8hMJcQD7g+iTCe2aXi+IKm1+vvAil8ui9Y 4WJv+pxQgbHodbQ4R4OOf8P30OOQtY3MsVpqZKB1eLF+ef7EMSAuzov+Lr57EGc4 6Tf5Ja2rz7eD2e9HwyQfYZKoSoQ7x4w8Nyl52LD1VkI=


END CERTIFICATE-----
BEGIN CERTIFICATE-----

MIIEgTCCA2mgAwIBAgIJBEhjqxVGRY1yMA0GCSqGSIb3DQEBCwUAMDExDjAMBgNV BAoTBUNpc2NvMR8wHQYDVQQDExZDaXNjbyBVbWJyZWxsYSBSb290IENBMB4XDTE2 MDYyODE1NDAxMVoXDTIxMDYyODE1NDAxMVowNzElMCMGA1UEAwwcQ2lzY28gVW1i cmVsbGEgUHJpbWFyeSBTdWJDQTEOMAwGA1UECgwFQ2lzY28wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCvR/Tm+U0VahUptIKAkU7BwSKgO1HO0CMdZXCO OLFh9+pCoG1Ly7UiudFAumlfA4kzs1SS9xR2ax0TYIQG84hJsoOPSaZU6wkWWJDq mZVD4+LSPZLUuMWbgWy8/BuqKKL32JjInU/LRXF3AaapHT6eprR5vv5MYSWzFv4r QzhMXy8i8eK48EKsQyf3UBUHdUmOQFBYuRkYlKdave0ipxjMUYKh6DwJX+5psl7S lwHxzKxppwBqZhI5GiuWIs4RhuB+1hOr1zuAb9Oy8WNryXTijXQJ+thl74oo0CoV XS2nZQyDk1X2CUOpTy2Kj4W4ucd4Y1jRp37FkWQwivWq5DU5AgMBAAGjggGUMIIB kDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATBSBgNVHSAESzBJ MEcGCisGAQQBCRUBHQAwOTA3BggrBgEFBQcCARYraHR0cDovL3d3dy5jaXNjby5j b20vc2VjdXJpdHkvcGtpL3BvbGljaWVzLzAdBgNVHQ4EFgQUN0GYWj0gLmfKDTLL J8ngxe26n+kwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3d3dy5jaXNjby5jb20v c2VjdXJpdHkvcGtpL2NybC9jaXNjb3VtYnJlbGxhcm9vdC5jcmwwgYcGCCsGAQUF BwEBBHsweTBJBggrBgEFBQcwAoY9aHR0cDovL3d3dy5jaXNjby5jb20vc2VjdXJp dHkvcGtpL2NlcnRzL2Npc2NvdW1icmVsbGFyb290LmNlcjAsBggrBgEFBQcwAYYg aHR0cDovL3BraWN2cy5jaXNjby5jb20vcGtpL29jc3AwHwYDVR0jBBgwFoAUQ3MA 3iS6QBpAVCx9fNUASIkMcKQwDQYJKoZIhvcNAQELBQADggEBAAhlqdX9AAHOyNPv KA44ulyoprNnXp62XeYnlKRgCPvShWW2eDIMOePS8+RvuPGJdtAm1YoPa9hn0WO2 L+jHmnob7so2yc3c02uio9Q4VqPCuA1T/RmmXerpvHtxx1FfUhboBoiGvP/dnFTX DF0lzLEllP3tYZOH0wjsTjhPERN60zR29lKHludW9ZRc5Fkxj5ZwALvAZ2Iqb0HG DwIhJJjXUpJjZXQPRGQ8N+VDx2UqTf74g/rpKcALUERGFrrJMO0Z7yaiqVsVQ9/J 4FAJCjB6fkivL5SvmDWCB1ZeiRc2ud5qm/II0OuGdtX+mo0/Lo9Lh9Tdg2LxUxEn 7cAtMK0=


END CERTIFICATE-----
When there is an error during TLS handshake and the site uses HSTS Firefox shows the server's certificate from the TLS handshake only PEM encoded and I have to use additional tools to decode it and see what is going on. Why does not Firefox show the certificate in a human-readable form? It already has a code to present certificates that way. Am I missing something or is the PEM encoded certificate really the only form accessible? --- Example: Access to Google's web cache was blocked by Cisco Umbrella. The faked certificate required for redirection to a block page was rejected in Firefox and the certificate was shown only in PEM format: https://webcache.googleusercontent.com/search?q=cache:FJ96nGORP9wJ:https://mailchimp.com/help/set-up-custom-domain-authentication-dkim-and-spf/+&cd=1&hl=cs&ct=clnk&gl=cz&client=firefox-b Your connection is not secure The owner of webcache.googleusercontent.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate. ... webcache.googleusercontent.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER ... https://webcache.googleusercontent.com/search?q=cache:FJ96nGORP9wJ:https://mailchimp.com/help/set-up-custom-domain-authentication-dkim-and-spf/+&cd=1&hl=cs&ct=clnk&gl=cz&client=firefox-b Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: true Certificate chain: -----BEGIN CERTIFICATE----- MIIDZjCCAk6gAwIBAgIEW6HOoTANBgkqhkiG9w0BAQsFADBAMS4wLAYDVQQDDCVD aXNjbyBVbWJyZWxsYSBTZWNvbmRhcnkgU3ViQ0EgZnJhLVNHMQ4wDAYDVQQKDAVD aXNjbzAeFw0xODA5MTcwNDM5MTdaFw0xODA5MjIwNDM5MTdaMHsxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv MRYwFAYDVQQKDA1PcGVuRE5TLCBJbmMuMScwJQYDVQQDDB53ZWJjYWNoZS5nb29n bGV1c2VyY29udGVudC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQD0TX5IY2Xi2N7PeTFn8stAdxqBFuJ5bZB6O1ALVS11+gbmy8nEfbP/aja/g+8B R3f/JB8JaY8+O68t3oTC1Vbn0pvuvvk5vMufoPP62PcVugsI3RdeB12RVFoG+QaO ZcErUwGRR5aH25lrGE+gXa6Np0ExQBjAV4ZDoqLB6ZgBeB4816CV1NPySsXHwVFx 3h2hm25LJ+ZoL1X4hezMHvwzf9CAUorH+qanduzw5lCu60S1fk9oLUk6hpSoMV0q fXq9n4p+9VRp67yXmUwPM9g+KsSa/WAuh56bugvj5LsBK5mL/btUBRpgD/+zx2cR zB+tt4itAHnMDDqTodvDsj3tAgMBAAGjLTArMCkGA1UdEQQiMCCCHndlYmNhY2hl Lmdvb2dsZXVzZXJjb250ZW50LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA07a+29pT U7DtxDySJeU6jyVc6DCR0VAz3VZ8gj/750hw40cIXLND6XriYcO669bjOjtPwKE4 B8hJAsCEABnlVi1bgUnDYw2oFk+ZfVso0a/bHynjF4TSUmAoocxOjU6nQe5CixIF zYeqCTOs51qIW7SRaGdxD0TFnJY5o8guz3/aYgBnorcJ12q4+arNHjFRmrjh0q/j 9iItYR+CkWQigcSne4T295DataQNORkMDpCqLiQSsw8su+tqjVRyTtzVuDUQuesH 797EXZyHhXEQnjSI/tJof1M5Qgs0/HT0eCHvXG2cl+vFba9cYQSeYlGLjFpkNAWs 1SdvpLrw1k1ojQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIID3DCCAsSgAwIBAgIQfFUmaREoTviv9wVXxFf5MDANBgkqhkiG9w0BAQsFADA3 MSUwIwYDVQQDDBxDaXNjbyBVbWJyZWxsYSBQcmltYXJ5IFN1YkNBMQ4wDAYDVQQK DAVDaXNjbzAeFw0xODA5MTcxOTM5NDdaFw0xODA5MjgxOTM5NDdaMEAxLjAsBgNV BAMMJUNpc2NvIFVtYnJlbGxhIFNlY29uZGFyeSBTdWJDQSBmcmEtU0cxDjAMBgNV BAoMBUNpc2NvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9E1+SGNl 4tjez3kxZ/LLQHcagRbieW2QejtQC1UtdfoG5svJxH2z/2o2v4PvAUd3/yQfCWmP PjuvLd6EwtVW59Kb7r75ObzLn6Dz+tj3FboLCN0XXgddkVRaBvkGjmXBK1MBkUeW h9uZaxhPoF2ujadBMUAYwFeGQ6KiwemYAXgePNegldTT8krFx8FRcd4doZtuSyfm aC9V+IXszB78M3/QgFKKx/qmp3bs8OZQrutEtX5PaC1JOoaUqDFdKn16vZ+KfvVU aeu8l5lMDzPYPirEmv1gLoeem7oL4+S7ASuZi/27VAUaYA//s8dnEcwfrbeIrQB5 zAw6k6Hbw7I97QIDAQABo4HaMIHXMB8GA1UdIwQYMBaAFDdBmFo9IC5nyg0yyyfJ 4MXtup/pMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1Ud DgQWBBSBis+lMcwbHfWJiscPE9K4PvXpeTBxBggrBgEFBQcBAQRlMGMwIwYIKwYB BQUHMAGGF2h0dHA6Ly9vY3NwLm9wZW5kbnMuY29tMDwGCCsGAQUFBzAChjBodHRw Oi8vY2FjZXJ0cy5vcGVuZG5zLmNvbS80NDg2M0FCMTU0NjQ1OEQ3Mi5jcnQwDQYJ KoZIhvcNAQELBQADggEBACFLQR9MK/TNZfDIAzII+hfkM5v9cjmb7REHCsK+sr/w /Lxt95T65RvqMMLa/DmN4jjRK9nBPIeVeHoupUbY2wygAG8tyurjCBLSV+Oc4PnW PqQ0/u2na8M4GUSgtjFjxgkhwsSAt/O6KINNJs5jMsxTW0X+Y1l1WHcGOWahQOtp dt7LBdsrNOiclihcOWW0Pf9yLo15g+8hMJcQD7g+iTCe2aXi+IKm1+vvAil8ui9Y 4WJv+pxQgbHodbQ4R4OOf8P30OOQtY3MsVpqZKB1eLF+ef7EMSAuzov+Lr57EGc4 6Tf5Ja2rz7eD2e9HwyQfYZKoSoQ7x4w8Nyl52LD1VkI= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEgTCCA2mgAwIBAgIJBEhjqxVGRY1yMA0GCSqGSIb3DQEBCwUAMDExDjAMBgNV BAoTBUNpc2NvMR8wHQYDVQQDExZDaXNjbyBVbWJyZWxsYSBSb290IENBMB4XDTE2 MDYyODE1NDAxMVoXDTIxMDYyODE1NDAxMVowNzElMCMGA1UEAwwcQ2lzY28gVW1i cmVsbGEgUHJpbWFyeSBTdWJDQTEOMAwGA1UECgwFQ2lzY28wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCvR/Tm+U0VahUptIKAkU7BwSKgO1HO0CMdZXCO OLFh9+pCoG1Ly7UiudFAumlfA4kzs1SS9xR2ax0TYIQG84hJsoOPSaZU6wkWWJDq mZVD4+LSPZLUuMWbgWy8/BuqKKL32JjInU/LRXF3AaapHT6eprR5vv5MYSWzFv4r QzhMXy8i8eK48EKsQyf3UBUHdUmOQFBYuRkYlKdave0ipxjMUYKh6DwJX+5psl7S lwHxzKxppwBqZhI5GiuWIs4RhuB+1hOr1zuAb9Oy8WNryXTijXQJ+thl74oo0CoV XS2nZQyDk1X2CUOpTy2Kj4W4ucd4Y1jRp37FkWQwivWq5DU5AgMBAAGjggGUMIIB kDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATBSBgNVHSAESzBJ MEcGCisGAQQBCRUBHQAwOTA3BggrBgEFBQcCARYraHR0cDovL3d3dy5jaXNjby5j b20vc2VjdXJpdHkvcGtpL3BvbGljaWVzLzAdBgNVHQ4EFgQUN0GYWj0gLmfKDTLL J8ngxe26n+kwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3d3dy5jaXNjby5jb20v c2VjdXJpdHkvcGtpL2NybC9jaXNjb3VtYnJlbGxhcm9vdC5jcmwwgYcGCCsGAQUF BwEBBHsweTBJBggrBgEFBQcwAoY9aHR0cDovL3d3dy5jaXNjby5jb20vc2VjdXJp dHkvcGtpL2NlcnRzL2Npc2NvdW1icmVsbGFyb290LmNlcjAsBggrBgEFBQcwAYYg aHR0cDovL3BraWN2cy5jaXNjby5jb20vcGtpL29jc3AwHwYDVR0jBBgwFoAUQ3MA 3iS6QBpAVCx9fNUASIkMcKQwDQYJKoZIhvcNAQELBQADggEBAAhlqdX9AAHOyNPv KA44ulyoprNnXp62XeYnlKRgCPvShWW2eDIMOePS8+RvuPGJdtAm1YoPa9hn0WO2 L+jHmnob7so2yc3c02uio9Q4VqPCuA1T/RmmXerpvHtxx1FfUhboBoiGvP/dnFTX DF0lzLEllP3tYZOH0wjsTjhPERN60zR29lKHludW9ZRc5Fkxj5ZwALvAZ2Iqb0HG DwIhJJjXUpJjZXQPRGQ8N+VDx2UqTf74g/rpKcALUERGFrrJMO0Z7yaiqVsVQ9/J 4FAJCjB6fkivL5SvmDWCB1ZeiRc2ud5qm/II0OuGdtX+mo0/Lo9Lh9Tdg2LxUxEn 7cAtMK0= -----END CERTIFICATE-----

All Replies (3)

more options

The the issuer of the certificate is OpenDNS

If you use (or want to use) this service then check their FAQs to see how you can make this work with Firefox.

You can install the Cisco Umbrella Root CA in the Firefox Certificate Manager and set the trust bit for websites when prompted.

  • Issuer O=Cisco, CN=Cisco Umbrella Root CA*

See:

more options

That encoding might be the format in which Firefox receives the certificate; I really have no idea.

I agree it would be preferable to show it in a human readable form, and I don't know why it isn't. I wonder whether there is some concern that malicious code could be generated that way??

more options

cor-el said

The the issuer of the certificate is OpenDNS ...

The certificate was just an example and I already identified it as belonging to Cisco Umbrella which uses OpenDNS certificates. My question was if I have to use and external tool to see the certificate and be able to identify it. But thank you anyway.

Modified by pabouk