搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Firefox Displays "Peer's certificate has an invalid signature." SubCA shows "Could not trust this certificate for unknown reasons"

  • 3 回覆
  • 17 有這個問題
  • 1 次檢視
  • 最近回覆由 khetheri

more options

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA)

ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm)

ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm

Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature"

I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA) ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm) ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm Issued certificate is for a Lync Front-End Web Server and when attempts are made to load the secure web connection. I receive the error "Peer's certificate has an invalid signature" I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does Firefox NSS Internal PCKS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?

被選擇的解決方法

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.

從原來的回覆中察看解決方案 👍 5

所有回覆 (3)

more options

HI khetheri,

In order to better test the certificate may we request the certificate without the private keys? I have some backup from the security team if this is possible.

There is a temporary work around as well but I don't recommend turning on all certificates to make sure it is not a compatibility error(ish) It is possible to check if it is being detected as a bad certificate in Firefox itself to eliminate compatibility issues.

# In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear. 
  1. Click I'll be careful, I promise!, to continue to the about:config page.
  2. Search for browser.xul.error_pages.expert_bad_cert and set it to true to try the certificate normally.

Looking forward to your reply!

more options

rmcguigan,

Thanks for the suggestion. I had actuially already tried this. I neglected to say so in the write-up. However, the result was the same.

Regards, Khetheri

more options

選擇的解決方法

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This cause the ROOT CA to issue the cert with a signature encrypted with RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert(using the same private key) which is now showing with the sha256RSA encryption. I re-issued all my failing web certificates which are now using this new issuing CA chain without issue.