Untrusted connection with a certificate signed by an Enterprise CA

  • 2 replies
  • 3 have this problem
  • 16 views
  • Last reply by cor-el

I have a site hosted on IIS that is secured using a standalone enterprise CA. The CA certificate is stored in both the current user and local machine Trusted Root Certification Authorities stores, and the site works in IE. If I view the certificate in IE, I can see that my CA issued the site cert, and that both are trusted. FF 24 gives me:

ice71.icelab.computer-talk.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

And the window to add an exception says:

Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

If I view the certificate, the certificate hierarchy doesn't show the issuer (it does appear in IE), but the "issued by" details on the general tab DOES have the common name of my CA. This common name matches the CN of the cert that's in the Trusted Root CAs store.

Any idea why this won't validate?

All Replies (2)

Does this site work with a www. prefix?

https://www.ice71.icelab.computer-talk.com

The standalone server seems to be missing the intermediate certificate (RapidSSL CA) that is required to build a certificate chain that ends with a built-in root certificate.

You can download and install the first certificate from this site:

https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem

You can Copy and Paste the certificate text of the intermediate certificate to a .cer text file and import the certificate in the Certificate Manager or via Firefox > New Tab > Open File. DO NOT set any trust bits, those are only required for root certificates and should never be set for intermediate certificates.

If that doesn't work then do the following:

The file cert8.db in your profile folder may have become corrupted. Delete this file while Firefox is closed.

Open your profile folder:

  • At the top of the Firefox window, click on the Firefox button, go over to the Help menu and select Troubleshooting Information. The Troubleshooting Information tab will open.
  • Under the Application Basics section, click on Show Folder. A window with your profile files will open.

Note: If you are unable to open or use Firefox, follow the instructions in Finding your profile without opening Firefox.

  • At the top of the Firefox window, click on the Firefox button and then select Exit
  • Click on the file named cert8.db.
  • Press Delete.
  • Restart Firefox.

cert8.db will be recreated when you restart Firefox. This is normal.

Report back if it works! Thanks!

Modified by SHASHANK ROY

Make sure that you install all required intermediate certificates on the server to make it possible for Firefox to build the certificate chain that ends with a root certificate to prevent this untrusted error message.

The issuer of this certificate is icelabCA, with no further details, and I don't know where this certificate comes from or what would need to be installed.
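
The missing-intermediate failure described in the replies can be reproduced offline. The following is an added example, not part of the original thread: it builds a constructed three-level PKI with the openssl CLI (assumed to be installed; all names and file paths are made up) and validates the same leaf certificate against what a server sends with and without the intermediate.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); every name is made up.
# Assumes the openssl CLI is installed. Nothing here touches the network.

mkcsr() {  # $1 = file prefix, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = empty working directory
    d=$1
    echo "basicConstraints=critical,CA:TRUE" > "$d/ca.ext"
    mkcsr "$d/root" "Demo Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    mkcsr "$d/int" "Demo Intermediate CA"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    mkcsr "$d/leaf" "intranet.example.test"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
    # What a misconfigured server sends (leaf only) vs. a correct one.
    cp "$d/leaf.pem" "$d/served_leaf_only.pem"
    cat "$d/leaf.pem" "$d/int.pem" > "$d/served_full.pem"
}

check_served() {  # $1 = trusted root PEM, $2 = leaf PEM, $3 = bundle the server sends
    if out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1); then
        echo "chain ok"
    else
        case $out in
            *"unable to get local issuer certificate"*) echo "unknown issuer" ;;
            *) echo "other failure" ;;
        esac
    fi
}

work=$(mktemp -d)
build_demo_pki "$work"
echo "leaf only:           $(check_served "$work/root.pem" "$work/leaf.pem" "$work/served_leaf_only.pem")"
echo "leaf + intermediate: $(check_served "$work/root.pem" "$work/leaf.pem" "$work/served_full.pem")"
rm -rf "$work"
```

`-untrusted` mirrors how a client treats certificates sent by the server: they help build the path to the root but are never trust anchors themselves, which matches the advice above not to set trust bits on an intermediate.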