Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why do I get sec_error_bad_der on FF and "Subject CN in certificate not server name or identical to CA!?" on server - works with Chrome/IE

  • 1 reply
  • 17 have this problem
  • 1 view
  • Last reply by tdeleeuw

more options

I have setup a CA hierarchy and generated the server certificate (DN is CN = tools.xxx.com,OU = IT,O = XXX,DC = tools,DC = office,DC =xxx,DC = com) as AltName, I have DNS Name: tools.xxx.com. I have also created user Certificates (DN is E=me@xxx.com,CN=Me,OU=IT,O=XXX,DC=office,DC=xxx,DC=com)

I have enabled the Mutual SSL auth.

When I connect with IE or chrome, I have no problem. When I try to connect using FF, I get ion FF "sec_error_bad_der" and in the log of the server I get "SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?" This happens as soon as I click Ok or cancel after having selected the certificate

SSL Labs does not seem to find any issue with the server itslef...

I have setup a CA hierarchy and generated the server certificate (DN is CN = tools.xxx.com,OU = IT,O = XXX,DC = tools,DC = office,DC =xxx,DC = com) as AltName, I have DNS Name: tools.xxx.com. I have also created user Certificates (DN is E=me@xxx.com,CN=Me,OU=IT,O=XXX,DC=office,DC=xxx,DC=com) I have enabled the Mutual SSL auth. When I connect with IE or chrome, I have no problem. When I try to connect using FF, I get ion FF "sec_error_bad_der" and in the log of the server I get "SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?" This happens as soon as I click Ok or cancel after having selected the certificate SSL Labs does not seem to find any issue with the server itslef...

All Replies (1)

more options

Of course, if needed, I can provide the full CA chain and the relevant certificates (no private key sorry ;-))