X
Tap here to go to the mobile version of the site.

Support Forum

Miss track the intermediate certificate

Posted

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too.

When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below:

 GeoTrust Global CA <- Google Internet Authority G2 <- google.com

But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy:

 Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com

Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ?

I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below:


BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB


END PUBLIC KEY-----

Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too. When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below: GeoTrust Global CA <- Google Internet Authority G2 <- google.com But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy: Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ? I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB -----END PUBLIC KEY----- Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

Chosen solution

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Read this answer in context 2
cor-el
  • Top 10 Contributor
  • Moderator
17473 solutions 157934 answers

Chosen Solution

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane. OpenSSL may use a different certificate store for this certificate.

Question owner

Thank you. And I think I understand your answer, this is by design, not a bug.

Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did.

So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA).

Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

Thank you. And I think I understand your answer, this is by design, not a bug. Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did. So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA). Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

Question owner

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me.

Thanks.

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me. Thanks.