
Support Forum

Firefox no longer trusts my internal certificate authority used for internal sites on our domain.


The error: SEC_ERROR_UNKNOWN_ISSUER.

The certificates use sha256 for their signature algorithm.

Chrome and Edge both see the certificates as valid.

This is a recent change, I believe starting with Firefox 55.

Thanks for any help with this!



Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36


jscher2000
  • Top 10 Contributor
7921 solutions 64630 answers

If your internal signing certificate doesn't chain up to a trusted root, then naturally Firefox gives that UNKNOWN ISSUER error.

Traditionally you would import your internal signing certificate as an authority so Firefox would trust certificates signed with it. The imported cert is stored in the cert8.db file in your currently active Firefox profile, so creating a new profile, using the Refresh feature, or removing the file all could set you back to where you are now.

This thread has an example of how to get a signing certificate imported: sec_error_bad_signature only via proxy for https website (https://support.mozilla.org/questions/1068675).

Does that sound familiar? Does it work for yours?

cor-el
  • Top 10 Contributor
  • Moderator
16698 solutions 151028 answers

Chosen Solution

See also security.enterprise_roots.enabled on the about:config page.


Question owner

jscher2000 said

If your internal signing certificate doesn't chain up to a trusted root, then naturally Firefox gives that UNKNOWN ISSUER error. Traditionally you would import your internal signing certificate as an authority so Firefox would trust certificates signed with it. The imported cert is stored in the cert8.db file in your currently active Firefox profile, so creating a new profile, using the Refresh feature, or removing the file all could set you back to where you are now. This thread has an example of how to get a signing certificate imported: sec_error_bad_signature only via proxy for https website. Does that sound familiar? Does it work for yours?

Thank you for your answer!

This was my initial response to users having issues and it does fix the problem, but it requires addressing it on a per-user basis, which is not ideal for a larger organization.

Setting security.enterprise_roots.enabled to true did the trick, but is still on a per-user basis.

My main confusion with this is that it used to trust our CA without this intervention. I don't use Firefox as often as I should, but I'm almost certain that this changed with the last version update (55), but I didn't see anything related in the update notes.

Does anyone know if something changed recently that would affect how Firefox treats enterprise CAs?

end.user 0 solutions 2 answers

This is great! Can anyone tell me what the significance of that setting is? How's it work, what's it control? Also, is there something similar for Chrome?

jscher2000
  • Top 10 Contributor
7921 solutions 64630 answers

Hi end.user, when security.enterprise_roots.enabled is true, Firefox will trust certificates in the Windows certificate store (or Mac system keychain) shared by Internet Explorer/Chrome/Safari.

This can help in cases where your computer is managed by the company and certain certificates needed to work with a proxy server or other internal servers are difficult to impossible to import to Firefox's own certificate file.

But this also bypasses Firefox's protection against malware that inserts fake certificates in the system certificate store, so it's not a risk-free choice.

benpbolton 0 solutions 1 answers

jscher2000 said

...when security.enterprise_roots.enabled is true, Firefox will trust certificates in the Windows certificate store (or Mac system keychain) shared by Internet Explorer/Chrome/Safari.

This doesn't seem to be the case for MacOS 10.13 on FF 57+ ... setting security.enterprise_roots.enabled still isn't consulting trusted certificates in the keychain (significant for local development with a large SAN certificate covering many domains)

jscher2000
  • Top 10 Contributor
7921 solutions 64630 answers

Hi benpbolton, what error code do you get for the certificate? Usually you need to click the Advanced button to view that more detailed information.

cor-el
  • Top 10 Contributor
  • Moderator
16698 solutions 151028 answers

You can export the root certificate in a browser that works and import this certificate in the Firefox Certificate Manager. Set the trust bit for websites when prompted if the certificate is self-signed and supposed to work as a root certificate.

  • Options/Preferences -> Privacy & Security -> Certificates: View Certificates

  • bug 1300420 - macOS (Mac OS X) platform support for trusting enterprise roots (https://bugzilla.mozilla.org/show_bug.cgi?id=1300420)

(please do not comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)

tsmith35 0 solutions 3 answers

Helpful Reply

This worked for me:

  • In Firefox, browse to the about:config page.
  • If prompted, click "I accept the risk!" to continue.
  • In the Search bar above "Preference Name", type the word enterprise.
  • If the value of security.enterprise_roots.enabled is "false", right-click the line and select "Toggle". The line should read: security.enterprise_roots.enabled ... modified ... boolean ... true

  • Try to browse to a site such as Google.
  • When presented with the SEC_ERROR_UNKNOWN_ISSUER page, click the Advanced button.
  • Scroll down to the bottom of the page - you're searching for "Certificate chain:".
  • Under "Certificate chain:", highlight everything from the LAST "-----BEGIN CERTIFICATE-----" to the LAST "-----END CERTIFICATE-----".
  • Ctrl-C to copy the text to the clipboard.
  • Open a text editor (such as Notepad) and paste the text inside.
  • Save the file as Cert.cer (you may need to rename the file if Notepad appends ".txt" to the end of the filename).

  • Back in Firefox, click the "three bar" button at the top right of the screen.
  • Choose "Options".
  • At the left side of the window that opens, click on "Privacy & Security".
  • Scroll to the bottom of the page.
  • Click on the "View Certificates" button.
  • Make sure the Certificate Manager window that pops up has "Authorities" highlighted.
  • Click the "Import" button and select the file you saved ("Cert.cer" or whatever).
  • In the window that pops up, check the box next to "Trust this CA to identify websites".
  • Click the "OK" button, then click the "OK" button in the Certificate Manager window.

  • You should be able to browse to other sites now.
  • If you have any problems, restart Firefox and try again.

jscher2000
  • Top 10 Contributor
7921 solutions 64630 answers

tsmith35 said

Make sure the Certificate Manager window that pops up has "Authorities" highlighted. Click the "Import" button and select the file you saved ("Cert.cer" or whatever). In the window that pops up, check the box next to "Trust this CA to identify websites". Click the "OK" button, then click the "OK" button in the Certificate Manager window.

Obviously you should ONLY do this after you FIRST CONFIRM that the intermediary presenting fake certificates to Firefox is one that you TRUST intercepting your web sessions, and the software publisher does not provide a more convenient solution. Otherwise, you may be setting yourself up for spyware to capture everything.

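Before importing the last block from Firefox's "Certificate chain:" section as an authority, as tsmith35's steps describe, it helps to check what jscher2000 asks for: that the last certificate really is a self-signed root, that every certificate in the chain is issued by the one after it, and that the root's SHA-256 fingerprint matches the value your PKI team publishes. The script below is an added example, not code from the thread; it uses only the Python standard library, and SAMPLE_CHAIN is a constructed, synthetic two-certificate chain with just enough DER structure to exercise the parser (not real certificates, and no signature is verified).

```python
"""Inspect a PEM chain as pasted from Firefox's "Certificate chain:" section (standard
library only). Reads name fields; does NOT verify signatures. SAMPLE_CHAIN is CONSTRUCTED."""
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID, SHA256_RSA_OID = b"\x55\x04\x03", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All TLVs contained in a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        out.append((tag, v))
    return out

def names(der):
    """(issuer, subject) of one certificate as raw DER Name contents."""
    fields = children(children(tlv(der)[1])[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # skip the explicit [0] version when present
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, sigAlg, ISSUER, validity, SUBJECT

def inspect_chain(pem):
    """Each cert issued by the next? Last one self-signed (by name)? Root fingerprint."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem)]
    pairs = [names(d) for d in ders]
    return {"count": len(ders),
            "links_ok": all(pairs[i][0] == pairs[i + 1][1] for i in range(len(pairs) - 1)),
            "root_self_signed": pairs[-1][0] == pairs[-1][1],
            "root_sha256": hashlib.sha256(ders[-1]).hexdigest()}

# --- constructed sample: tiny DER encoder and a two-certificate chain (not real certs) ---
def der(tag, body):  # lengths below 256 only, which is all the sample needs
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def name(cn):  # Name ::= SEQUENCE OF SET OF { CN OID, PrintableString }
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode()))))
def fake_cert(subject, issuer):  # zeroed signature: structure only, never trust it
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, SHA256_RSA_OID)) + name(issuer)
              + der(0x30, der(0x17, b"170101000000Z") + der(0x17, b"270101000000Z")) + name(subject))
    return der(0x30, tbs + der(0x30, der(0x06, SHA256_RSA_OID)) + der(0x03, bytes(9)))
def to_pem(d):
    b64 = base64.b64encode(d).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
ROOT_CN = "Example Corp Internal CA"
SAMPLE_CHAIN = to_pem(fake_cert("intranet.example.test", ROOT_CN)) + to_pem(fake_cert(ROOT_CN, ROOT_CN))
```

A name match is only a structural check; the fingerprint comparison against an out-of-band published value is what tells you the last certificate is your organisation's CA rather than an interceptor's.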
tsmith35 0 solutions 3 answers

jscher2000 said

Obviously you should ONLY do this after you FIRST CONFIRM that the intermediary presenting fake certificates to Firefox is one that you TRUST intercepting your web sessions, and the software publisher does not provide a more convenient solution. Otherwise, you may be setting yourself up for spyware to capture everything.

Yes, true. My situation involved using Firefox within a corporate environment (proxies, firewall, etc). I wouldn't expect to have to do such a thing in a home or SOHO environment.
