Firefox Displays "Peer's certificate has an invalid signature." SubCA shows "Could not trust this certificate for unknown reasons"
Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA)
ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm)
ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm
Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature"
I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?
Gekozen oplossing
I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.
This alternate signature algorithm is apparently not supported for use with Firefox 27.0
I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.
Dit antwoord in context lezen 👍 5Alle antwoorden (3)
HI khetheri,
In order to better test the certificate may we request the certificate without the private keys? I have some backup from the security team if this is possible.
There is a temporary work around as well but I don't recommend turning on all certificates to make sure it is not a compatibility error(ish) It is possible to check if it is being detected as a bad certificate in Firefox itself to eliminate compatibility issues.
# In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
- Click I'll be careful, I promise!, to continue to the about:config page.
- Search for browser.xul.error_pages.expert_bad_cert and set it to true to try the certificate normally.
Looking forward to your reply!
rmcguigan,
Thanks for the suggestion. I had actuially already tried this. I neglected to say so in the write-up. However, the result was the same.
Regards, Khetheri
Gekozen oplossing
I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.
This alternate signature algorithm is apparently not supported for use with Firefox 27.0
I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.