This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

Intermediate certification authorities chain fails

  • 4 replies
  • 16 have this problem
  • 2 views
  • Last reply by tosiara

tosiara
tosiara
more options

After importing RootCA FireFox still can not load a web page signed by intermediate certification authorities.

Root CA certificate: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/971D3486FC1E8E6315F7C6F2E12967C724342214.crt

Web Site: https://id.rcsc.lt/

Certificate Chain should look like:

RootCa 

PolicyCA
  IssuingCA
    id.rcsc.lt


I have tried IE and Opera and both working fine and detecting certificate chain. Only need to import RootCA cert to establish trust

Why FireFox does not work as expected?

After importing RootCA FireFox still can not load a web page signed by intermediate certification authorities. Root CA certificate: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/971D3486FC1E8E6315F7C6F2E12967C724342214.crt Web Site: https://id.rcsc.lt/ Certificate Chain should look like: RootCa PolicyCA IssuingCA id.rcsc.lt I have tried IE and Opera and both working fine and detecting certificate chain. Only need to import RootCA cert to establish trust Why FireFox does not work as expected?

All Replies (4)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

A web server needs to send the full chain of intermediate certificates.
Importing the root certificate is not enough.
If the server doesn't send the certificate then you need to install (import) that intermediate certificate as well.

tosiara
tosiara Question owner
more options

So how then IE and Opera receive full certificate chain? And why FireFox does not receive it?

tosiara
tosiara Question owner
more options

I think I got why IE and Opera works fine

Inside IssuingCA certificate there is a link to upper CA certificate:

[Authority Information Access] OCSP: URI: http://ocsp.rcsc.lt/ocspresponder.rcsc CA Issuers: URI: http://csp.rcsc.lt/aia/VI%20Registru%20Centras%20RCSC%20(PolicyCA)(2).crt

IE and Opera retrieve PolicyCA certificate and then the same way retrieve RootCA certificate. That how they verify trust

The question remains: why FireFox can't do the same?

tosiara
tosiara Question owner
more options

Still same in FF5