After version 15 to 16 upgrade I cannot open my HTTPS sites which are signed by my CA
My CA certificate has been imported into Firefox for ages. I had no problems opening my secured sites. After upgrading 15 to 16, I started getting untrusted connection warnings.
The CA certificate:
The site certificate:
All Replies (5)
Hi,
One possible reason could be errors in the CA certificate. You can try to add five dashes (i.e. -----) before BEGIN and END, paste the full contents into Notepad, save it with a .cer extension and then Import (ABIsoft) it via Firefox Tools (Alt + T) > Options > Advanced > Encryption > View Certificates > Authorities.
I do have it
On the same screen, you can click Edit Trust... and enable (tick) This certificate can identify websites. If problems persist, you can try deleting cert8.db in the Firefox Profile Folder after exiting Firefox, and then re-import the certificate with the correct trust bits set.
To open the profile folder via Firefox: Help (Alt + H) > Troubleshooting Information > Show Folder.
If the above two basics are correct, see also: Stop accepting MD5 as a hash algorithm in signatures
I'm sorry - your suggestions didn't help. The bits are set and I deleted the cert8.db - it still says "unknown identity"
Chosen Solution
I've found what's happened (I had to read what Firefox says thoroughly before posting a support request, sorry for that): "The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure."
I was able to revert settings back by enabling this key in about:config: security.enable_md5_signatures