This thread was closed and archived. Please ask a new question if you need help.

Firefox reports "The certificate is not trusted because it was issued by an invalid CA certificate", while other browsers like IE and Chrome have no problem

  • 10 replies
  • 35 have this problem
  • 1 view
  • Last reply by cor-el

Firefox reports "The certificate is not trusted because it was issued by an invalid CA certificate" (Error code: sec_error_untrusted_issuer)

Scenario: Proxy intercepts HTTPS. We have deployed an internal Enterprise CA and the proxy is also an intermediate CA. Hence browsers shouldn't have any certificate validation problem. Other browsers like IE and Chrome work fine. Adding an exception is not a final solution.

All Replies (10)

I'm a little confused by your statement that your proxy server is also an intermediate CA. If you look at the certificate on IE or Chrome and follow the chain up to the trusted root, is your proxy somehow filling the gap??

more options

Hi jscher2000, you are right. The proxy is a subordinate CA of the Enterprise root CA, so the certificate issued by the proxy doesn't break the certificate chain. All PCs have root CA certificates pushed by AD; because the proxy is a subordinate CA of the root CA, the certificates issued by the proxy can be validated by the root CA certificate on the PC.

This works well for my IE and Chrome.

The certificate viewer on Firefox shows the certificate hierarchy correctly.

more options

What does it say under the Technical Details?

Does Firefox show the full chain if you inspect the certificate?

Check out why the site is untrusted (click "Technical Details" to expand that section) and if this is caused by a missing intermediate certificate then see if you can install this intermediate certificate from another source.

You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.

  • Click the link at the bottom of the error page: "I Understand the Risks"
  • Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
  • Click the "View..." button and inspect the certificate and check who is the issuer.

You can see more Details like intermediate certificates that are used in the Details pane.

more options

Below is what it says under Technical details


Technical Details

      www.google.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)


Add Security Exception says "The certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature" (image attached)

Firefox shows the full chain (find attached image)

Question is: if there is any issue with the certificate or chain, how is it working for IE and Chrome?

The real problem for me is that Firefox is just saying the certificate is not trusted. It is not giving any troubleshooting details, or I don't know where to look for troubleshooting data.

Modified by anilaravind

more options

What do you see when you inspect the certificate chain in another browser (e.g. Google Chrome)?

Firefox doesn't link the KBH-CA to a built-in certificate and this is causing the error message.

Who is the issuer of the KBH-CA certificate?

more options

Response to the queries as below:

What do you see when you inspect the certificate chain in another browser (e.g. Google Chrome)?

Answer: Certificate chain is valid and not broken.

Firefox doesn't link the KBH-CA to a built-in certificate and this is causing the error message.

Answer: What is a "built-in certificate"?

Who is the issuer of the KBH-CA certificate?

Answer: As mentioned already, it is an internal Enterprise CA. KBH-CA is the root CA. Hence there is no issuer for KBH-CA.
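
The exchange above comes down to which trust store the chain is checked against. The following is an added example, not part of the original thread: it uses the openssl CLI to build a constructed root, proxy sub-CA and leaf (all names and files are made up, nothing comes from the real KBH-CA) and verifies the same chain against a store that contains the enterprise root and against one that does not.

```sh
#!/bin/sh
# Constructed lab PKI mirroring the thread: enterprise root -> proxy sub-CA -> leaf.
# Every name below is made up for the demo.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT

cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# new_root NAME CN: create a self-signed root CA
new_root() {
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}
# issue NAME CN ISSUER EXT_SECTION: create a certificate signed by ISSUER
issue() {
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" -set_serial 1 \
    -days 30 -extfile "$d/pki.cnf" -extensions "$4" -out "$d/$1.pem" 2>/dev/null
}
# verify_with_store STORE: print "trusted" or "untrusted" for the leaf
verify_with_store() {
  if openssl verify -CAfile "$d/$1.pem" -untrusted "$d/chain.pem" "$d/leaf.pem" 2>&1 \
       | grep -q ': OK$'; then echo trusted; else echo untrusted; fi
}

new_root enterprise "Lab Enterprise Root"   # stands in for the root pushed by AD
new_root builtin    "Lab Public Root"       # stands in for a store lacking that root
issue proxy "Lab Proxy Sub-CA" enterprise v3_ca
issue leaf  "www.example.test" proxy v3_leaf
cat "$d/proxy.pem" "$d/enterprise.pem" > "$d/chain.pem"   # chain as presented

echo "store with enterprise root:    $(verify_with_store enterprise)"
echo "store without enterprise root: $(verify_with_store builtin)"
```

The chain is complete in both runs; only the set of trusted roots differs, which is why a certificate viewer can show the full hierarchy while validation still fails.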

more options

None of the answers are helpful. I am attempting to log into a military site that uses a CAC certificate for authentication. I added all the exceptions I could find to allow this link to load but Firefox cuts in and tells me the page requires a client certificate (installed and works with Chrome, IE). Your client certificate features are not working correctly.

more options

Hi richardlvance

See:

more options

I have the same issue but with a site called www.faxzero.com. After entering the information it believes that the site is not trusted. I don't have the problem with www.google.com though.

more options

Hi mace2

Could you please keep the discussion in your own thread as this thread is about a different issue than yours.
You have a problem with a different missing intermediate certificate (PositiveSSL CA 2).

Modified by cor-el