Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why do I get sec_error_bad_der on FF and "Subject CN in certificate not server name or identical to CA!?" on server - works with Chrome/IE

  • 1 பதிலளி
  • 17 இந்த பிரச்னைகள் உள்ளது
  • 1 view
  • Last reply by tdeleeuw

I have setup a CA hierarchy and generated the server certificate (DN is CN = tools.xxx.com,OU = IT,O = XXX,DC = tools,DC = office,DC =xxx,DC = com) as AltName, I have DNS Name: tools.xxx.com. I have also created user Certificates (DN is E=me@xxx.com,CN=Me,OU=IT,O=XXX,DC=office,DC=xxx,DC=com)

I have enabled the Mutual SSL auth.

When I connect with IE or chrome, I have no problem. When I try to connect using FF, I get ion FF "sec_error_bad_der" and in the log of the server I get "SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?" This happens as soon as I click Ok or cancel after having selected the certificate

SSL Labs does not seem to find any issue with the server itslef...

I have setup a CA hierarchy and generated the server certificate (DN is CN = tools.xxx.com,OU = IT,O = XXX,DC = tools,DC = office,DC =xxx,DC = com) as AltName, I have DNS Name: tools.xxx.com. I have also created user Certificates (DN is E=me@xxx.com,CN=Me,OU=IT,O=XXX,DC=office,DC=xxx,DC=com) I have enabled the Mutual SSL auth. When I connect with IE or chrome, I have no problem. When I try to connect using FF, I get ion FF "sec_error_bad_der" and in the log of the server I get "SSL Library Error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (SSL alert number 42) -- Subject CN in certificate not server name or identical to CA!?" This happens as soon as I click Ok or cancel after having selected the certificate SSL Labs does not seem to find any issue with the server itslef...

All Replies (1)

Of course, if needed, I can provide the full CA chain and the relevant certificates (no private key sorry ;-))