Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

only firefox has certificate issue "unknown_issuer" with self-signed certificate

more options

We have various Apache instances that host internal sites.

We have a Server 2012 Enterprise Certificate Authority with which we sign internal certificates. I have created a batch of new certificates for various sites, and Chrome, IE10+ as well as Opera and Safari have no issue with the self-signed cert.

The certificate chain is good, I used various tools to verify that the certificate is good.

Digicerts Tools, as well as browser and server loaded certificates. Please see the attached screenshots

Firefox claims the "unknown_issuer" error. But as you can see from the screenshots , the issuer is there and a complete chain is available.

What am I missing? We utilize Firefox in our environment quite a bit, Chrome is an alternative, but I'd liek to understand what is going on?

We have various Apache instances that host internal sites. We have a Server 2012 Enterprise Certificate Authority with which we sign internal certificates. I have created a batch of new certificates for various sites, and Chrome, IE10+ as well as Opera and Safari have no issue with the self-signed cert. The certificate chain is good, I used various tools to verify that the certificate is good. Digicerts Tools, as well as browser and server loaded certificates. Please see the attached screenshots Firefox claims the "unknown_issuer" error. But as you can see from the screenshots , the issuer is there and a complete chain is available. What am I missing? We utilize Firefox in our environment quite a bit, Chrome is an alternative, but I'd liek to understand what is going on?
Attached screenshots

Chosen solution

jscher2000, you sent me down the right path. THANK YOU

openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.

What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt

but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like


BEGIN PKCS7-----

MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....


END PKCS7-----

which Apache cannot read.

The additional step is to convert the DER type to a PEM type, and then print the certificates:

openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt

now the crt looks like: subject=****intermediate issuer=****intermediate


BEGIN CERTIFICATE-----

MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....


END CERTIFICATE-----

subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....


END CERTIFICATE-----

I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root

Read this answer in context 👍 0

All Replies (5)

more options

I'll start with the most common thing:

Is the server configured to send the intermediate certificates? Firefox either needs to receive them from the server, or to have previously received them from another server. Unlike some other browsers, Firefox will not seek them from other sources.

more options

Ha, I knew I forgot to include that. Yes, we declare the chain certificate in the apache config.

SSLCertificateFile "/apps/$SiteDir/conf/certs/$Cert.cer" SSLCertificateKeyFile "/apps/$SiteDir/conf/certs/$Cert.key" SSLCertificateChainFile "/apps/intermediate.cer"

more options

Hmm, I would expect to see the intermediate and root certs in the Digicert screen shot if the server is sending them. Am I misunderstanding how that tool works? What if you point it at another site for comparison.

more options

Did you check the certificate chain in Firefox and verified that the topmost in the chain has the appropriate trust bit(s) set if that isn't a built-in trusted root certificate?

more options

Chosen Solution

jscher2000, you sent me down the right path. THANK YOU

openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.

What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt

but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like


BEGIN PKCS7-----

MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....


END PKCS7-----

which Apache cannot read.

The additional step is to convert the DER type to a PEM type, and then print the certificates:

openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt

now the crt looks like: subject=****intermediate issuer=****intermediate


BEGIN CERTIFICATE-----

MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....


END CERTIFICATE-----

subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....


END CERTIFICATE-----

I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root