Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Firefox Displays "Peer's certificate has an invalid signature." SubCA shows "Could not trust this certificate for unknown reasons"

  • 3 réponses
  • 17 ont ce problème
  • 941 vues
  • Dernière réponse par khetheri

more options

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA)

ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm)

ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm

Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature"

I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA) ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm) ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature" I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

Solution choisie

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.

Lire cette réponse dans son contexte 👍 5

Toutes les réponses (3)

more options

HI khetheri,

In order to better test the certificate may we request the certificate without the private keys? I have some backup from the security team if this is possible.

There is a temporary work around as well but I don't recommend turning on all certificates to make sure it is not a compatibility error(ish) It is possible to check if it is being detected as a bad certificate in Firefox itself to eliminate compatibility issues.

# In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear. 
  1. Click I'll be careful, I promise!, to continue to the about:config page.
  2. Search for browser.xul.error_pages.expert_bad_cert and set it to true to try the certificate normally.

Looking forward to your reply!

more options

rmcguigan,

Thanks for the suggestion. I had actuially already tried this. I neglected to say so in the write-up. However, the result was the same.

Regards, Khetheri

more options

Solution choisie

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.