
Support Forum

Firefox is not importing signed intermediate certificate automatically

Posted

I have installed a certificate and an intermediate certificate on a website. It works in all browsers, except "some" Firefox's.

On my mac in Firefox 3.6.8, if I look in my root certificate list, I can see a Geotrust Global CA - but not a Geotrust DV SSL CA.

Geotrust Global CA is the root CA. Geotrust DV SSL CA is my intermediate certificate - signed by Geotrust Global CA.

If I use openssl s_client to test the SSL connection to the server, I am given both the site's certificate and the intermediate certificate.

Back to my Firefox, when I visit the website, it is displayed without any trouble or warning. If I look in the Certificate list, Geotrust DV SSL CA is now automagically imported. Which is just fine and by design (as far as I understand).

But a customer of mine is also running mac and Firefox 3.6.8 - same version as me. I looked at his certificate list, initially it looks the same, he has Geotrust Global CA but not Geotrust DV SSL CA. But when he visits the exact same website, a warning is displayed that his browser doesn't trust the issuer of the certificate.

I wonder, is there an option or anything that could make my customer's and my Firefox behave differently? (same platform, same version)

Additional System Details

Installed Plug-ins

Only 1Password - and it is disabled.


cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

Helpful Reply

Firefox automatically installs intermediate certificates if you visit a website that sends them. Your above posted steps suggest that the server doesn't send all the needed intermediate certificates.

You can use a website like this to check that:

http://www.networking4all.com/en/support/tools/site+check/
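
The behaviour discussed in this reply, as an added example that is not part of the original thread or any poster's code: the script builds a throwaway root, intermediate and leaf with `openssl`, then uses `openssl verify` as a stand-in for a client's path building (not Firefox's own code). The functions `make_constructed_chain` and `chain_status` and all certificate names are hypothetical; the third case shows a leaf-only chain validating for a client that already holds the intermediate.

```shell
#!/bin/sh
# Build a constructed root -> intermediate -> leaf chain in directory $1.
make_constructed_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/cfg"
    openssl req -config "$d/cfg" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for name in int leaf; do
        openssl req -config "$d/cfg" -new -newkey rsa:2048 -nodes \
            -subj "/CN=constructed-$name.example" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    # Intermediate: signed by the root and marked as a CA.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/cfg" -extensions ca -days 2 \
        -out "$d/int.pem" 2>/dev/null
    # Leaf: signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cp "$d/leaf.pem" "$d/served_leaf_only.pem"            # server omits intermediate
    cat "$d/leaf.pem" "$d/int.pem" > "$d/served_full.pem" # server sends full chain
}

# $1 = trusted root, $2 = PEM as served (leaf first),
# $3 = optional intermediates the client already has stored.
# Prints "complete" if the leaf chains to the root, else "incomplete".
chain_status() {
    pool=$(mktemp)
    cat "$2" ${3:+"$3"} > "$pool"
    if openssl verify -CAfile "$1" -untrusted "$pool" "$2" >/dev/null 2>&1
    then echo complete; else echo incomplete; fi
    rm -f "$pool"
}

work=$(mktemp -d)
make_constructed_chain "$work"
echo "full chain, empty client store:  $(chain_status "$work/root.pem" "$work/served_full.pem")"
echo "leaf only, empty client store:   $(chain_status "$work/root.pem" "$work/served_leaf_only.pem")"
echo "leaf only, intermediate stored:  $(chain_status "$work/root.pem" "$work/served_leaf_only.pem" "$work/int.pem")"
rm -rf "$work"
```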

Question owner

The server *does* send all needed certificates - I have checked this with both openssl s_client - and now with your link to networking4all.

On networking4all it says: "The SSL Certificate for {DOMAIN} is signed by GeoTrust DV SSL CA wich is signed by GeoTrust Global CA" - and at the bottom all 3 certificates in the chain are shown.

Furthermore, my own Firefox imports the intermediate certificate just fine. But a couple of my customers, who are running Firefox, do not; theirs instead issues a warning about unknown_issuer. Same OS, same browser and version.

That leaves me back to my question: "I wonder, is there an option or anything that could make my customers' Firefox behave differently from i.e. my Firefox?" - hence theirs are *not* importing and accepting the intermediate .. and mine is.

( The certificate works fine in all other major browsers, chrome, ie, safari etc. )

Modified by bitmand

btaylor 0 solutions 1 answers

Helpful Reply

I am having this issue also.

It is in relation to: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1423

All check tools show the server functioning correctly.

sifuas 0 solutions 1 answers

I had a similar problem and it turned out to be our Cisco switch in front of our servers. We have an ACE load balancer that needed the intermediate cert installed as a "Chain Group Parameter" and then associated with our site. Hopefully this helps somebody else because there isn't a lot out there on the net about this.

ecisney 0 solutions 2 answers

This must be a bug with Firefox. It only happens on *some* installations on Windows machines - and no other browsers. We have the same issue on a couple of our sites and they all check out just fine when running them through validation checks such as http://www.networking4all.com/en/support/tools/site+check/ or an open ssl client.

If this was a general cert issue then it wouldn't check out when running validators and it would also not work on other browsers. The odd one out here is Firefox. Hopefully they will fix it on the next release.

cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

If the server sends all the certificates and there are still problems then it is possible that visitors have an older version of an intermediate certificate installed that is causing problems. In such a case it helps if you remove the intermediate certificate and let Firefox store a new version. Deleting or removing cert8.db in the Firefox Profile Folder has the same effect, but that does remove all stored intermediate and other user certificates and that may be too much.

ecisney 0 solutions 2 answers

I've looked at browsers that are having the problem and they don't have any of the intermediate certs downloaded. So clearing them out won't help. The issue is that FF is now downloading them in the first place.

In any case, a business can't have their customers go through a process like above - especially if they don't call tech support to begin with and just leave the site (and never come back). FF would need to sort it out for them by seeing if the CA is expired and then attempting to download a current one.

kurieuo 0 solutions 1 answers

Yes, Firefox appears to have some SSL caching issue.

Recently re-installed a RapidSSL certificate, and began having these issues. They recently updated their root I believe. And now some Firefox installs throw up root verification errors, while others don't.

Chrome and IE work fine. Maybe I should look into other SSL certificates, but this is definitely a Firefox issue.

Modified by kurieuo

cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

Did you check your website via the Geotrust SSL checker?

The server needs to send the full certificate chain and in case of a RapidSSL certificate that includes the RapidSSL root certificate that links to the issuer of that (GeoTrust) certificate.
If Firefox has stored an older version of the certificate then you can remove that from the certificate manager and install (import) the updated version yourself if a website doesn't send it.

  • Tools > Options > Advanced : Encryption: Certificates - View Certificates : Authorities

macpanda 0 solutions 1 answers

I have started getting Error 61 "You have not chosen to trust GeoTrust DV SSL CA the issuer of the certificate..." when I try to use Citrix MetaFrame. I noticed that GeoTrust revoked GeoTrust Global CA. Could that be part of the problem? It's very frustrating.

cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

That is a problem with Citrix and not with Firefox.

You need to add that (root) certificate to the Citrix database.

TDCornwell 0 solutions 1 answers

I have the same issue on one Firefox (3.6.17 ) browser. I have verified the server is correctly serving ALL certificates - including the correct GeoTrust intermediate cert using:

http://www.sslshopper.com/ssl-checker.html
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557

- and -

http://www.networking4all.com/en/support/tools/site+check 

The networking4all test page will show how the certificates are chained, and will show if the correct certs are available.

This appears to be a problem with Firefox.

Has anyone found a solution?

cor-el
  • Top 10 Contributor
  • Moderator
10756 solutions 96800 answers

Can you please post a link to the site that gives problems?

It is possible that you have an older intermediate certificate installed.
You can check that in the Certificate Manager and remove it to make Firefox store the certificate sent by the server.
Also make sure that the date and time on your computer are correct.

br3wski3 0 solutions 1 answers

I haven't read all of the reply posts, but if someone hasn't already mentioned this, this worked for me:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422

-br3wski3