"This Connection is Untrusted" error message.
Hi, I am having this particular problem with a single site as of now. The site is https://www.sbicapsec.com (A banking/stock site).
I tried suggestions from the following articles 1. https://support.mozilla.org/en-US/kb/enable-ssl-fix-cannot-connect-securely-error?esab=a&as=aaq Result: It did not solve
2. https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message Because I got the error that 'The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)' Therefore, the given solution in that article also failed to solve.
Now, I did not try the last solution: 'Bypassing the warning' And that's because, the site works in other browsers i.e IE and Chrome. Therefore, I don't trust any certificate that I have to add manually to work. It would have been a different case had the other browsers showed the same problem. Also, prior to this version of FF, the previous version worked the perfect. But surprisingly that does not work either now. And I don't know why.
Thanks for any possible fix.
Chosen solution
Hi, I was able to download the appropriate certificate from here: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
I got the link searching through google and ending up in one of your comment :)
Thank you.
But since it checks the server and not our PCs, the test shows missing certificate, I think. Nevertheless, I imported it into firefox and the site opens. The other browsers never had problems. I also installed it in the PC but then I thought I should not have. Deleted the cert but that reappeared. Don't know how!
Anyway, I hope all these manual certificate additions are perfectly a safe practice for normal users.
Also, when you said FF don't come with intermediate certificates pre-packed, I presume, IE and Chrome does because they don't create this hassle. These simple stuff might discourage people to not use FF who are not much technical or active enough to solve it.
Regards.
Read this answer in context 👍 0All Replies (12)
You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
- Click the link at the bottom of the error page: "I Understand the Risks"
Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
- Click the "View..." button and inspect the certificate and check who is the issuer of the certificate.
You can see more Details like intermediate certificates that are used in the Details pane.
If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".
Note that some firewalls monitor (secure) connections and that programs like Sendori or Fiddler (FiddlerRoot) can intercept connections and send their own certificate instead of the website's certificate.
Yes, I can check certificate details. And the information there looks to be ok. But the question is, how do I trust that it is correct when a browser couldn't? And would be advisable to add an exception because firefox tells me that a legitimate bank or any other organisation would not ask me to that.
Also when I check the site on https://www.networking4all.com, I get this reply:
"Unable to get the local issuer of the certificate. The issuer of a locally looked up certificate could not be found. Normally this indicates that not all intermediate certificates are installed on the server."
Therefore, until a browser itself tells me that my connection is secure, it is unlikely that I may add certificate exception for such sensitive site. Hope, there is other workaround than just to add an exception until maybe FF fixes that. Thank you for your help.
That website doesn't send the required intermediate certificate .
- VeriSign Class 3 Extended Validation SSL CA
You can download and save the intermediate certificate from this web page and install the certificate via "File > Open File" of "Firefox menu button > New Tab > Open File". It is the first certificate on this VeriSign page:
Copy the base64 encoded certificate text that starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----" to the clipboard after having selected the full text with the mouse.
Open a plain text editor like Notepad and paste the certificate text of the intermediate certificate that you have placed on the clipboard in the editing area.
Use "Save File as" and set the File type to "All files" and save the certificate text to a .cer file.
Select "All files" when saving the file to avoid getting a hidden .txt file extension (.cer.txt) appended.
Import the saved certificate in the Firefox Certificate Manager.
- Tools > Options > Advanced > Certificates/Encryption: View Certificates > Authorities > Import
Do not set any trust bits when prompted as those are only required for root certificates and should never be set for a intermediate certificate like this one.
I am not sure what I did wrong but it is not working for me. But to cross check, this is what I did. Please point out the mistake, if there is any. 1. Went to the VeriSign website and copied the content of the first 'box' with the code (Ctrl+C). 2. Opened notepad, pasted the content (Ctrl+V) 3. On the notepad, Clicked File>Save As> abc.cer [Selected File Types set as 'All Files', Encoding: ANSI]
4. Opened FIrefox>New Tab>Open File>Selected abc.cer >Open.
- It opens the content on the new tab
So anyway, 5. Then I went Firefox>Options>Advanced>Certificates>View Certificates>Authorities>Import>Selected abc.cer
- No message shown so I clicked Ok>ok.
6. Exited firefox, tried to open the site and the same error shows up.
Thanks :)
Firefox should offer to install the certificate if you use Open File.
You can right click the abc.cer file in Windows Explorer to verify that it is a CER file and not a text file.
When you import this certificate then Firefox should have shown a window to confirm the import and offer a choice to set some trust bits.
Do you see this certificate under the VeriSign heading on the Authorities tab?
- VeriSign Class 3 Extended Validation SSL CA
Hi, I found out where I was doing wrong. While selecting the whole text and copying and then pasting to a notepad, it leaves a blank space just before "-----END CERTIFICATE-----". Removing that space and saving the file, and then proceeding as said above (Options>Advanced>certificate>authorities>Import), I am provided with a message. But before proceeding further, I would like to know if I should select all the three boxes that asks whether I should trust the certificate for 'whatever' purpose?
Also, I would like to say that I was not able to install the certificate via New Tab>Open File. That actually opens the content of the certificate (the text).
Finally, I also noticed that this certificate's SHA1 fingerprint is not same as that of the one which is presented by firefox to put in exception. Wouldn't that be problem? What is the difference between the two?
Thank you for your help. Much appreciated.
I am providing some screenshots 1. The certificate shown when I go to 'add exception'
2. The certificate content is shown when I click 'new tab>open file'. It does not install
3. The new certificate details
4. When importing the new certificate.
Sorry about the confusion.
Your third screenshot show the wrong intermediate certificate (VeriSign Class 3 Public Primary Certification Authority - G5).
You need the other (second) certificate on that page in this case.
I had saved the two certificates on that page with the wrong name.
- first certificate: VeriSign Class 3 Public Primary Certification Authority - G5
- second certificate: VeriSign Class 3 Extended Validation SSL CA (you need this one)
I am sorry to inform that the second certificate do not work. I presume, that is because the naming had slight variation in that the new certificate has 'SGC' in it while the one provided by the site does not have it. The validity of the certificate however, is same along with all other credentials except the thumbprint/sha1/md5 signatures.
I also tried adding both the certificates. Same result. Don't work.
Later I deleted cert8.db from Mozilla folder so that it reverts back to default. I would like to have further guidance. Thank you.
Regards.
Chosen Solution
Hi, I was able to download the appropriate certificate from here: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
I got the link searching through google and ending up in one of your comment :)
Thank you.
But since it checks the server and not our PCs, the test shows missing certificate, I think. Nevertheless, I imported it into firefox and the site opens. The other browsers never had problems. I also installed it in the PC but then I thought I should not have. Deleted the cert but that reappeared. Don't know how!
Anyway, I hope all these manual certificate additions are perfectly a safe practice for normal users.
Also, when you said FF don't come with intermediate certificates pre-packed, I presume, IE and Chrome does because they don't create this hassle. These simple stuff might discourage people to not use FF who are not much technical or active enough to solve it.
Regards.
You should contact the website to tell them about this missing intermediate certificate.
mm I am not sure if I am eligible enough to suggest them on security matters. However, I may report about the certificate chain error encountered in Mozilla only. IE/Chrome's behaviour is fine and now Mozilla is good too. Also, they suggest us to use IE and recommend us to change to IE if we are using FF/Chrome. I guess business communities find IE easier although it has certain problems in rendering. Anyway, thank you for your help.
Regards.