This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Certificate error using a SHA-2 certificate

  • 8 replies
  • 4 have this problem
  • 1 view
  • Last reply by christ1

more options

When I go to a site that uses a SHA-2 certificate, I get a certificate error even though the certificate is the correct one for the site.

When I go to a site that uses a SHA-2 certificate, I get a certificate error even though the certificate is the correct one for the site.

All Replies (8)

more options

hello MeanKty, could you provide the url where this is happening and the exact error code you're receiving?

more options

This is the situation. I work for a web hosting company and one of our customers wanted to change their certificate to the SHA-2 certificate since Google is removing support for the SHA-1 in December. I had ordered the SHA-2 algorithm certificate and installed it. When users tried to go to the site they would get a certificate error (and I did test it in house and got the same result). Since 20% of their customers use Firefox, I had to go back to the SHA-1 certificate. I have a certificate that will be installed on Wednesday that will have the same issue if you want to see it then.

more options

hello, there are various reasons why a certificate might fail to verify. what's the error code that is shown on the error page under technical details you're receiving? maybe this list of error codes can already give you a clue: https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates#Error_Codes_in_Firefox_2

more options

I'm working on trying to get the error code so I can see if what you posted would help. When I get that done, I'll let you know if it helped.

more options

Ok, I have the screenshots of what we get. Unfortunately we don't get any error codes, just a certificate error. I've also included the certificate information. It is showing the correct information but for some reason it cannot verify it. We don't have any issues in Chrome or Internet Explorer with the same certificate.

more options

hello, this means that the intermediate certificate isn't installed properly. your server has to present a full chain from the server cert to the intermediate CA to the root CA that is trusted in the browser. for the installation instructions please refer to Comodo's documentation

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/683/0/firefox-error-code-sec_error_unknown_issuer

more options

If the intermediate certificate isn't installed correctly, then why would it work correctly on Internet Explorer, Google Chrome and Safari? The only problem we have is with the Firefox browser. I don't have a problem with installing the certificate again but I'm not sure that it is going to be a fix for this as it works with other browsers with no errors.

more options

Both, IE and Chrome use the Windows built-in certificate store. FF used it's own certificate store. If the entire trust chain cannot be verified you get the security exception prompt.

If the Windows certificate store doesn't know about the intermediate certificate, and you don't get a warning from either IE or Chrome, I'd ask myself what's wrong with these browsers?