Firefox no longer trusts my internal certificate authority used for internal sites on our domain.
The error: SEC_ERROR_UNKNOWN_ISSUER.
The certificates use sha256 for their signature algorithm.
Chrome and Edge both see the certificates as valid.
This is a recent change, I believe starting with Firefox 55.
Thanks for any help with this!
Vahaolana nofidina
See also security.enterprise_roots.enabled on the about:config page.
Hamaky an'ity valiny ity @ sehatra 👍 22All Replies (11)
If your internal signing certificate doesn't chain up to a trusted root, then naturally Firefox gives that UNKNOWN ISSUER error.
Traditionally you would import your internal signing certificate as an authority so Firefox would trust certificates signed with it. The imported cert is stored in the cert8.db file in your currently active Firefox profile, so creating a new profile, using the Refresh feature, or removing the file all could set you back to where you are now.
This thread has an example of how to get a signing certificate imported: sec_error_bad_signature only via proxy for https website.
Does that sound familiar? Does it work for yours?
Vahaolana Nofidina
See also security.enterprise_roots.enabled on the about:config page.
jscher2000 said
If your internal signing certificate doesn't chain up to a trusted root, then naturally Firefox gives that UNKNOWN ISSUER error. Traditionally you would import your internal signing certificate as an authority so Firefox would trust certificates signed with it. The imported cert is stored in the cert8.db file in your currently active Firefox profile, so creating a new profile, using the Refresh feature, or removing the file all could set you back to where you are now. This thread has an example of how to get a signing certificate imported: sec_error_bad_signature only via proxy for https website. Does that sound familiar? Does it work for yours?
Thank you for your answer!
This was my initial response to user's having issues and it does fix the problem, but it requires addressing it on a per-user basis, which is not ideal for a larger organization.
Setting security.enterprise_roots.enabled to true did the trick, but is still on a per-user basis.
My main confusion with this is that it used to trust our CA without this intervention. I don't use Firefox as often as I should, but I'm almost certain that this changed with the last version update (55), but I didn't see anything related in the update notes.
Does anyone know if something changed recently that would affect how Firefox treats enterprise CA's?
This is great! Can anyone tell me what the significance of that setting is? How's it work, what's it control? Also, is there something similar for Chrome?
Hi end.user, when security.enterprise_roots.enabled is true, Firefox will trust certificates in the Windows certificate store (or Mac system keychain) shared by Internet Explorer/Chrome/Safari.
This can help in cases where your computer is managed by the company and certain certificates needed to work with a proxy server or other internal servers are difficult to impossible to import to Firefox's own certificate file.
But this also bypasses Firefox's protection against malware that inserts fake certificates in the system certificate store, so it's not a risk-free choice.
jscher2000 said
...when security.enterprise_roots.enabled is true, Firefox will trust certificates in the Windows certificate store (or Mac system keychain) shared by Internet Explorer/Chrome/Safari.
This doesn't seem to be the case for MacOS 10.13 on FF 57+ ... setting security.enterprise_roots.enabled still isn't consulting trusted certificates in the keychain (significant for local development with a large SAN certificate covering many domains)
Hi benpbolton, what error code do you get for the certificate? Usually you need to click the Advanced button to view that more detailed information.
You can export the root certificate in a browser that works and import this certificate in the Firefox Certificate Manager. Set the trust bit for websites when prompted if the certificate is self-signed and supposed to work as a root certificate.
- Options/Preferences -> Privacy & Security -> Certificates: View Certificates
- bug 1300420 - macOS (Mac OS X) platform support for trusting enterprise roots
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
This worked for me:
In Firefox, browse to the about:config page If prompted, click "I accept the risk!" to continue In Search bar above "Preference Name", type the word enterprise If value of security.enterprise_roots.enabled is "false", right-click the line and select "Toggle" The line should read: security enterprise_roots.enabled ... modified ... boolean ... true
Try to browse to a site such as Google When presented with the SEC_ERROR_UNKNOWN_ISSUER page, click the Advanced button Scroll down to the bottom of the page - you're searching for "Certificate chain:" Under "Certificate chain:", highlight everything from the LAST "-----BEGIN CERTIFICATE-----" the the LAST "-----END CERTIFICATE-----" Ctrl-C to copy text to clipboard Open a text editor (such as Notepad) and paste the text inside Save the file as Cert.cer (you may need to rename the file if Notepad appends ".txt" to the end of the filename)
Back in Firefox, click the "three bar" button at the top right of the screen Choose "Options" At left side of window that opens, click on "Privacy & Security" Scroll to the bottom of the page Click on the "View Certificates" button Make sure the Certificate Manager window that pops up has "Authorities" highlighted Click the "Import" button and select the file you saved ("Cert.cer" or whatever) In the window that pops up, check the box next to "Trust this CA to identify websites" Click the "OK" button, then click the "OK" button in the Certificate Manager window
You should be able to browse to other sites now If you have any problems, restart Firefox and try again
tsmith35 said
Make sure the Certificate Manager window that pops up has "Authorities" highlighted Click the "Import" button and select the file you saved ("Cert.cer" or whatever) In the window that pops up, check the box next to "Trust this CA to identify websites" Click the "OK" button, then click the "OK" button in the Certificate Manager window
Obviously you should ONLY do this after you FIRST CONFIRM that the intermediary presenting fake certificates to Firefox is one that you TRUST intercepting your web sessions, and the software publisher does not provide a more convenient solution. Otherwise, you may be setting yourself up for spyware to capture everything.
jscher2000 said
Obviously you should ONLY do this after you FIRST CONFIRM that the intermediary presenting fake certificates to Firefox is one that you TRUST intercepting your web sessions, and the software publisher does not provide a more convenient solution. Otherwise, you may be setting yourself up for spyware to capture everything.
Yes, true. My situation involved using Firefox within a corporate environment (proxies, firewall, etc). I wouldn't expect to have to do such a thing in a home or SOHO environment.