Firefox no longer trusts my internal certificate authority used for internal sites on our domain.

  • 11 replies
  • 53 have this problem
  • 2 views
  • Last reply by tsmith35

The error: SEC_ERROR_UNKNOWN_ISSUER.

The certificates use sha256 for their signature algorithm.

Chrome and Edge both see the certificates as valid.

This is a recent change, I believe starting with Firefox 55.

Thanks for any help with this!

All Replies (11)

If your internal signing certificate doesn't chain up to a trusted root, then naturally Firefox gives that UNKNOWN ISSUER error.

Traditionally you would import your internal signing certificate as an authority so Firefox would trust certificates signed with it. The imported cert is stored in the cert8.db file in your currently active Firefox profile, so creating a new profile, using the Refresh feature, or removing the file all could set you back to where you are now.

This thread has an example of how to get a signing certificate imported: sec_error_bad_signature only via proxy for https website.

Does that sound familiar? Does it work for yours?

Chosen Solution

See also security.enterprise_roots.enabled on the about:config page.

jscher2000 said

If your internal signing certificate doesn't chain up to a trusted root, then naturally Firefox gives that UNKNOWN ISSUER error. Traditionally you would import your internal signing certificate as an authority so Firefox would trust certificates signed with it. The imported cert is stored in the cert8.db file in your currently active Firefox profile, so creating a new profile, using the Refresh feature, or removing the file all could set you back to where you are now. This thread has an example of how to get a signing certificate imported: sec_error_bad_signature only via proxy for https website. Does that sound familiar? Does it work for yours?

Thank you for your answer!

This was my initial response to users having issues and it does fix the problem, but it requires addressing it on a per-user basis, which is not ideal for a larger organization.

Setting security.enterprise_roots.enabled to true did the trick, but is still on a per-user basis.

My main confusion with this is that it used to trust our CA without this intervention. I don't use Firefox as often as I should, but I'm almost certain that this changed with the last version update (55), but I didn't see anything related in the update notes.

Does anyone know if something changed recently that would affect how Firefox treats enterprise CAs?

This is great! Can anyone tell me what the significance of that setting is? How's it work, what's it control? Also, is there something similar for Chrome?

Hi end.user, when security.enterprise_roots.enabled is true, Firefox will trust certificates in the Windows certificate store (or Mac system keychain) shared by Internet Explorer/Chrome/Safari.

This can help in cases where your computer is managed by the company and certain certificates needed to work with a proxy server or other internal servers are difficult to impossible to import to Firefox's own certificate file.

But this also bypasses Firefox's protection against malware that inserts fake certificates in the system certificate store, so it's not a risk-free choice.

jscher2000 said

...when security.enterprise_roots.enabled is true, Firefox will trust certificates in the Windows certificate store (or Mac system keychain) shared by Internet Explorer/Chrome/Safari.

This doesn't seem to be the case for MacOS 10.13 on FF 57+ ... setting security.enterprise_roots.enabled still isn't consulting trusted certificates in the keychain (significant for local development with a large SAN certificate covering many domains)

Hi benpbolton, what error code do you get for the certificate? Usually you need to click the Advanced button to view that more detailed information.

You can export the root certificate in a browser that works and import this certificate in the Firefox Certificate Manager. Set the trust bit for websites when prompted if the certificate is self-signed and supposed to work as a root certificate.

  • Options/Preferences -> Privacy & Security -> Certificates: View Certificates

  • bug 1300420 - macOS (Mac OS X) platform support for trusting enterprise roots

(please do not comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)

This worked for me:

  • In Firefox, browse to the about:config page
  • If prompted, click "I accept the risk!" to continue
  • In Search bar above "Preference Name", type the word enterprise
  • If value of security.enterprise_roots.enabled is "false", right-click the line and select "Toggle"
  • The line should read: security.enterprise_roots.enabled ... modified ... boolean ... true

  • Try to browse to a site such as Google
  • When presented with the SEC_ERROR_UNKNOWN_ISSUER page, click the Advanced button
  • Scroll down to the bottom of the page - you're searching for "Certificate chain:"
  • Under "Certificate chain:", highlight everything from the LAST "-----BEGIN CERTIFICATE-----" to the LAST "-----END CERTIFICATE-----"
  • Ctrl-C to copy text to clipboard
  • Open a text editor (such as Notepad) and paste the text inside
  • Save the file as Cert.cer (you may need to rename the file if Notepad appends ".txt" to the end of the filename)

  • Back in Firefox, click the "three bar" button at the top right of the screen
  • Choose "Options"
  • At left side of window that opens, click on "Privacy & Security"
  • Scroll to the bottom of the page
  • Click on the "View Certificates" button
  • Make sure the Certificate Manager window that pops up has "Authorities" highlighted
  • Click the "Import" button and select the file you saved ("Cert.cer" or whatever)
  • In the window that pops up, check the box next to "Trust this CA to identify websites"
  • Click the "OK" button, then click the "OK" button in the Certificate Manager window

  • You should be able to browse to other sites now
  • If you have any problems, restart Firefox and try again

tsmith35 said

  • Make sure the Certificate Manager window that pops up has "Authorities" highlighted
  • Click the "Import" button and select the file you saved ("Cert.cer" or whatever)
  • In the window that pops up, check the box next to "Trust this CA to identify websites"
  • Click the "OK" button, then click the "OK" button in the Certificate Manager window

Obviously you should ONLY do this after you FIRST CONFIRM that the intermediary presenting fake certificates to Firefox is one that you TRUST intercepting your web sessions, and the software publisher does not provide a more convenient solution. Otherwise, you may be setting yourself up for spyware to capture everything.

jscher2000 said

Obviously you should ONLY do this after you FIRST CONFIRM that the intermediary presenting fake certificates to Firefox is one that you TRUST intercepting your web sessions, and the software publisher does not provide a more convenient solution. Otherwise, you may be setting yourself up for spyware to capture everything.

Yes, true. My situation involved using Firefox within a corporate environment (proxies, firewall, etc). I wouldn't expect to have to do such a thing in a home or SOHO environment.
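
An added illustration, not part of the thread and not Mozilla's code: before ticking "Trust this CA to identify websites", the certificate copied from the error page can be compared against a SHA-256 fingerprint obtained out of band from whoever runs the internal CA. The sketch below takes the last block from pasted "Certificate chain:" text and checks that fingerprint; the function names and sample chain are constructed for the example, and the sample bytes are placeholders rather than real certificates.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_chain_to_der(chain_text):
    """Return the DER bytes of every certificate block in pasted chain text."""
    # Whitespace is stripped so wrapped base64 lines decode cleanly.
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(chain_text)]

def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(fp):
    """Drop separators and case so differently formatted fingerprints compare."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def last_cert_matches(chain_text, expected_fingerprint):
    """True only if the LAST certificate in the chain has the expected fingerprint."""
    ders = pem_chain_to_der(chain_text)
    if not ders:
        raise ValueError("no certificate blocks found in the pasted text")
    actual = normalise(sha256_fingerprint(ders[-1]))
    return hmac.compare_digest(actual, normalise(expected_fingerprint))

def to_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes standing in for a leaf and a root.
SAMPLE_LEAF = b"constructed leaf certificate bytes"
SAMPLE_ROOT = b"constructed internal root certificate bytes"
SAMPLE_CHAIN = to_pem(SAMPLE_LEAF) + to_pem(SAMPLE_ROOT)
# Assumption: in practice this value comes from your CA administrator, out of band.
EXPECTED_FROM_IT = sha256_fingerprint(SAMPLE_ROOT)

if __name__ == "__main__":
    print(sha256_fingerprint(pem_chain_to_der(SAMPLE_CHAIN)[-1]))
    print("safe to import:", last_cert_matches(SAMPLE_CHAIN, EXPECTED_FROM_IT))
```

A mismatch means the certificate at the top of the presented chain is not the one your organisation issued, which is the situation the caution above describes.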