new SSL certificate with 2048 bit shows error: (Fehlercode: sec_error_unknown_issuer)

  • 8 replies
  • 134 have this problem
  • 7 views
  • Last reply by bitmand

Installed a new SSL certificate with 2048-bit encryption (as is now required by the issuer of the certificate). Everything is OK with IE; FF shows error: (Fehlercode: sec_error_unknown_issuer)

URL of affected sites

https://www.dongil.at/

All Replies (8)

I got this response from my SSL supplier - this might help for future reference:

You will need to download the intermediate and reference it in the SSLCACertificateFile directive the GeoTrust SSL CA

Please use the below link for further instructions and guidance on this issue.

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15169

Please note this issue is caused by changes made at GeoTrust recently.


Now it works without error.

more options

Having the same problem with IIS webservers. Importing the Intermediate CA does not resolve the issue with GeoTrust 2048bit certificates. Help?

more options

If you visit a website that sends an intermediate certificate then Firefox will store that certificate in the Certificate Manager (cert8.db file) as "Software Security Device" and use it for future visits to websites that do not send it. If you want to test a website then you need to remove that intermediate certificate in the Certificate Manager or temporarily rename cert8.db to cert8.db.sav to remove all stored certificates.

Tools > Options > Advanced : Encryption: Certificates - View Certificates

This page sends such an intermediate certificate, so others may work after you visit this link. https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15169
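Why a missing intermediate produces this error, as an added example that is not part of the thread: a constructed root → intermediate → leaf PKI (all names made up) is checked with `openssl verify`, first as a client that trusts only the root and receives only the leaf, then with the intermediate supplied the way a correctly configured server sends it. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed PKI (root -> intermediate -> leaf). All names are
# made up for the demo; nothing here is a GeoTrust certificate.

# new_req NAME SUBJECT: fresh 2048-bit RSA key plus CSR in the current directory
new_req() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_pki DIR: writes root.pem, inter.pem and leaf.pem into DIR
build_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  new_req root "/CN=Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  new_req inter "/CN=Demo Intermediate CA" &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null &&
  new_req leaf "/CN=www.example.test" &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
)

# client_accepts ROOT LEAF [SENT_CHAIN]: exit 0 if a client that trusts only
# ROOT can build a path to LEAF. SENT_CHAIN is a PEM file with the extra
# certificates the server sent in the handshake (omit it if none were sent).
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { rm -rf "$d"; return 1; }
  client_accepts "$d/root.pem" "$d/leaf.pem" \
    && echo "leaf only: accepted" || echo "leaf only: rejected (issuer not found)"
  client_accepts "$d/root.pem" "$d/leaf.pem" "$d/inter.pem" \
    && echo "leaf + intermediate: accepted" || echo "leaf + intermediate: rejected"
  rm -rf "$d"
}

demo
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends; if only the site's own certificate appears, the intermediate is not being sent.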

more options

Hi,

I'm from ClickSSL.com, a GeoTrust reseller. For the last few days we have been receiving resolution requests for the same issue with GeoTrust 2048-bit SSL certificates from our customers. Our comprehensive investigation along with GeoTrust resulted in the cause and resolution below.

Reason for this issue:

GeoTrust has to abide by requirements that are mandated by the U.S. National Institute of Standards & Technology (NIST), which is to have our root CAs as 2048-bit w/ SHA-1 RSA hash algorithm. Introducing an intermediate CA is the only way for our SSL certificate to meet this requirement. Since the GeoTrust cert is now signed by an intermediate CA, you have to manually install the intermediate CA on the IIS server locally. Stand by, let me send you the information & installation instructions.

Resolution:

For Windows Server IIS users:

Please follow the steps below on how to install the attached intermediate ca on the IIS server.

1. Open the *Microsoft Management Console (MMC)* > Go to *Start* > *Run* > enter *MMC* > select *OK*
2. Select *File* or Console > select *Add/Remove Snap-In*
3. From the *Add/Remove Snap-In* window select the *Add* button
4. From the list, select *Certificates* > select *Add* > select *Computer Account* and *Local Computer* > select *OK*
5. From the left window, select *Intermediate Certification Authorities* > right-click *Certificates* > select *All Tasks* > *Import*. This will open the Certificate Import Wizard.
6. Click *Next*
7. Browse to the location of the intermediate certificate > select *Next*
8. Select Place the certificate in the following store: *Intermediate Certification Authorities*
9. Click *Finish*
10. Stop & start IIS server and test your web site.

For the Root cert file please contact live chat support at ClickSSL along with Mozilla Blog reference.

Note: The requests with Mozilla Blog reference would be accepted for free assistance.


Thanks, Eric

more options

What a pain in the ass!!!!!

more options

Installing the Intermediate CA file and restarting Apache results in no change. The error is persistent in Firefox but surprisingly not with IE 8, Chrome or other browsers.

Site with issue: https://islandam.com/

Attempted resolutions: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15169

more options

Was able to resolve by specifying exact intermediate.crt file in ssl.conf, rather than just the directory.

more options

I have also tried all the solutions mentioned - but no luck.

I wrote to GeoTrust support and they pointed out that I needed the intermediate certificate and provided me with this URL:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422

Please note, this intermediate certificate was *not* the same as the one linked to above - seems like there are 2 different intermediate certificates, depending on what type of certificate you got from GeoTrust.

Just to recap - if you got yourself a "QuickSSL, QuickSSL Premium or SSL Trial"-certificate (like me) then use this intermediate:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422

If you got a "True BusinessID or Enterprise SSL"-certificate, you should use this:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423

- Lasse