为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Firefox does not trust DigiCert Global Root CA even though trust is set

  • 1 个回答
  • 1 人有此问题
  • 1 次查看
  • 最后回复者为 cor-el

more options

I've had trouble accessing websites that use a certificate that's signed with the DigiCert Root CA. As an example, if I open up blog.mozilla.org, I get a SEC_ERROR_UNKNOWN_ISSUER.

This is somehow related to my user profile. If I create a new profile, the problem disappears.

I've tried deleting cert*.db in my profile directory to no avail. I checked about:config and I couldn't find any relevant non-default configuration.

To my surprise, if I want to manually set the trust of the certificate in the certificate manager ("Edit Trust"), it tells me that the certificate is trusted. However, if I click on "View Certificate", I get the following error: "Could not verify this certificate because the issuer is unknown."

I don't know much about CAs, but it seems to be surprising how the issuer of a Root CA could be unknown, isn't that the whole point of a Root CA that it does not need to be signed by another certificate?

The more important question: Where in my profile may I have a non-default option that causes Firefox to not trust the DigiCert Global Root CA?

I've had trouble accessing websites that use a certificate that's signed with the DigiCert Root CA. As an example, if I open up blog.mozilla.org, I get a SEC_ERROR_UNKNOWN_ISSUER. This is somehow related to my user profile. If I create a new profile, the problem disappears. I've tried deleting cert*.db in my profile directory to no avail. I checked about:config and I couldn't find any relevant non-default configuration. To my surprise, if I want to manually set the trust of the certificate in the certificate manager ("Edit Trust"), it tells me that the certificate is trusted. However, if I click on "View Certificate", I get the following error: "Could not verify this certificate because the issuer is unknown." I don't know much about CAs, but it seems to be surprising how the issuer of a Root CA could be unknown, isn't that the whole point of a Root CA that it does not need to be signed by another certificate? The more important question: Where in my profile may I have a non-default option that causes Firefox to not trust the DigiCert Global Root CA?

所有回复 (1)

more options

A root certificate can only work if is has the appropriate trust bit(s) set. For builtin root certificates this should happen automatically.

What certificate chain do you get?

Issues caused by broken certificates are normally fixed by deleting cert9.db and cert8.db and maybe cert_override.txt as well.

Other related files you can look at are pkcs11.txt and secmode.db. I don't think that prefs are involved in this case.

由cor-el于修改