only firefox has certificate issue "unknown_issuer" with self-signed certificate
We have various Apache instances that host internal sites.
We have a Server 2012 Enterprise Certificate Authority with which we sign internal certificates. I have created a batch of new certificates for various sites, and Chrome, IE10+ as well as Opera and Safari have no issue with the self-signed cert.
The certificate chain is good, I used various tools to verify that the certificate is good.
Digicerts Tools, as well as browser and server loaded certificates. Please see the attached screenshots
Firefox claims the "unknown_issuer" error. But as you can see from the screenshots , the issuer is there and a complete chain is available.
What am I missing? We utilize Firefox in our environment quite a bit, Chrome is an alternative, but I'd liek to understand what is going on?
Chosen solution
jscher2000, you sent me down the right path. THANK YOU
openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.
What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt
but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like
BEGIN PKCS7-----
MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....
END PKCS7-----
which Apache cannot read.
The additional step is to convert the DER type to a PEM type, and then print the certificates:
openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt
now the crt looks like: subject=****intermediate issuer=****intermediate
BEGIN CERTIFICATE-----
MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....
END CERTIFICATE-----
subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....
END CERTIFICATE-----
I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root
Read this answer in context 👍 0All Replies (5)
I'll start with the most common thing:
Is the server configured to send the intermediate certificates? Firefox either needs to receive them from the server, or to have previously received them from another server. Unlike some other browsers, Firefox will not seek them from other sources.
Ha, I knew I forgot to include that. Yes, we declare the chain certificate in the apache config.
SSLCertificateFile "/apps/$SiteDir/conf/certs/$Cert.cer" SSLCertificateKeyFile "/apps/$SiteDir/conf/certs/$Cert.key" SSLCertificateChainFile "/apps/intermediate.cer"
Hmm, I would expect to see the intermediate and root certs in the Digicert screen shot if the server is sending them. Am I misunderstanding how that tool works? What if you point it at another site for comparison.
Did you check the certificate chain in Firefox and verified that the topmost in the chain has the appropriate trust bit(s) set if that isn't a built-in trusted root certificate?
Chosen Solution
jscher2000, you sent me down the right path. THANK YOU
openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.
What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt
but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like
BEGIN PKCS7-----
MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....
END PKCS7-----
which Apache cannot read.
The additional step is to convert the DER type to a PEM type, and then print the certificates:
openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt
now the crt looks like: subject=****intermediate issuer=****intermediate
BEGIN CERTIFICATE-----
MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....
END CERTIFICATE-----
subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....
END CERTIFICATE-----
I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root