X
Tippen Sie hierhin, um die Version dieser Website für Mobilgeräte aufzurufen.

Hilfeforum

Miss track the intermediate certificate

Veröffentlicht

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too.

When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below:

 GeoTrust Global CA <- Google Internet Authority G2 <- google.com

But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy:

 Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com

Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ?

I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below:


BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB


END PUBLIC KEY-----

Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too. When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below: GeoTrust Global CA <- Google Internet Authority G2 <- google.com But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy: Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ? I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB -----END PUBLIC KEY----- Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

Ausgewählte Lösung

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Diese Antwort im Kontext lesen 2

Mehr Details zum System

Installierte Plugins

  • Web Camera

Anwendung

  • User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

Weitere Informationen

cor-el
  • Top 10 Contributor
  • Moderator
17775 Lösungen 160790 Antworten
Veröffentlicht

Ausgewählte Lösung

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane. OpenSSL may use a different certificate store for this certificate.

Fragesteller

Thank you. And I think I understand your answer, this is by design, not a bug.

Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did.

So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA).

Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

Thank you. And I think I understand your answer, this is by design, not a bug. Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did. So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA). Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

Fragesteller

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me.

Thanks.

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me. Thanks.