I'll start with the most common thing:

Is the server configured to send the intermediate certificates? Firefox either needs to receive them from the server, or to have previously received them from another server. Unlike some other browsers, Firefox will not seek them from other sources.

Ha, I knew I forgot to include that. Yes, we declare the chain certificate in the apache config.

SSLCertificateFile "/apps/$SiteDir/conf/certs/$Cert.cer" SSLCertificateKeyFile "/apps/$SiteDir/conf/certs/$Cert.key" SSLCertificateChainFile "/apps/intermediate.cer"

Hmm, I would expect to see the intermediate and root certs in the Digicert screen shot if the server is sending them. Am I misunderstanding how that tool works? What if you point it at another site for comparison.

Did you check the certificate chain in Firefox and verified that the topmost in the chain has the appropriate trust bit(s) set if that isn't a built-in trusted root certificate?

jscher2000, you sent me down the right path. THANK YOU

openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.

What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt

but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like

MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....

which Apache cannot read.

The additional step is to convert the DER type to a PEM type, and then print the certificates:

openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt

now the crt looks like: subject=****intermediate issuer=****intermediate

MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....

subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....

I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root