
Support Forum

Firefox Displays "Peer's certificate has an invalid signature." SubCA shows "Could not trust this certificate for unknown reasons"


Using a 2-tier on-premise PKI. Offline Root CA (Standalone Windows 2008 R2 Enterprise) and online SubCA for issuing certificates (Domain-Joined Issuing CA)

ROOTCA certificate installed in the store and showing trusted (Uses a SHA2 signature and PKCS #1 SHA-256 With RSA Encryption algorithm)

ISSUINGCA certificate installed in the store and showing "Could not trust for unknown reasons" also has SHA2 signature with RSASSA-PSS algorithm

Issued certificate is for a Lync Front-End Web Server, and when attempts are made to load the secure web connection, I receive the error "Peer's certificate has an invalid signature".

I've completely de-installed and re-installed Firefox. Removed and re-added the ROOT and SUBCA certs. Note: No issues when using the same certs in Internet Explorer 8, 9 or 10 on the same system. Lync client also using the same certificates, no issues. Only when accessing the Lync Web Services from Firefox. Question: Does the Firefox NSS Internal PKCS#11 Module support RSASSA-PSS SHA-256 with different hashes? How can I troubleshoot this further?


Chosen solution

I finally found the issue. The ROOT CA had the following registry key setup when the SubCA cert was issued:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1

This caused the ROOT CA to issue the cert with a signature encrypted with the RSASSA-PSS (1.2.840.113549.1.1.10) algorithm.

This alternate signature algorithm is apparently not supported for use with Firefox 27.0.

I changed the registry value on the ROOT CA to a value of 0. Renewed the IssuingCA cert (using the same private key), which is now showing with sha256RSA encryption. I re-issued all my failing web certificates, which are now using this new issuing CA chain without issue.

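The troubleshooting question in the original post ("How can I troubleshoot this further?") and the chosen solution above come down to one check: which certificate in the chain carries an RSASSA-PSS signature, and whether the CA that produced it has AlternateSignatureAlgorithm set. The following PowerShell is an added example, not code from the thread or from Mozilla or Microsoft. It assumes the three certificates have been exported (without private keys) to the files named below, and that the registry and certutil steps are run on the CA that produced the PSS signature (the root CA in this thread); the file names and paths are assumptions.

```powershell
# Added example (not from the original thread). Audits an exported chain for
# RSASSA-PSS signatures and shows the CA-side check and fix described above.

$PssOid = '1.2.840.113549.1.1.10'   # RSASSA-PSS, the OID quoted in the chosen solution

function Get-ChainSignatureReport {
    # One row per certificate file: who signed it and with which algorithm.
    param([Parameter(Mandatory)][string[]]$CertFiles)
    foreach ($path in $CertFiles) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
        $alg  = $cert.SignatureAlgorithm          # System.Security.Cryptography.Oid
        [pscustomobject]@{
            File      = Split-Path -Leaf $path
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            SigAlgOid = $alg.Value
            SigAlg    = $alg.FriendlyName
            IsPss     = ($alg.Value -eq $PssOid)
        }
    }
}

function Get-CaAlternateSignatureAlgorithm {
    # Run on a CA. The CSP key lives under the CA's own configuration name, which
    # is stored in the "Active" value, so resolve it instead of hard-coding a name.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $cfg).Active
    $cspKey = Join-Path $cfg "$active\CSP"
    (Get-ItemProperty -Path $cspKey).AlternateSignatureAlgorithm   # 1 = RSASSA-PSS, 0 = PKCS#1 v1.5
}

# --- Step 1: find the PSS-signed certificate (works on any workstation) ---
# Assumed file names; export them from the certificate store without private keys.
$report = Get-ChainSignatureReport -CertFiles 'C:\pki\root.cer', 'C:\pki\issuingca.cer', 'C:\pki\lync-fe.cer'
$report | Format-Table File, Subject, SigAlg, SigAlgOid, IsPss -AutoSize

$pss = $report | Where-Object IsPss
if ($pss) {
    # The CA named in "Issuer" is the one whose setting has to change.
    $pss | ForEach-Object { Write-Warning "PSS signature on '$($_.Subject)' issued by '$($_.Issuer)'" }
}

# --- Step 2: on that issuer CA, confirm and clear the setting ---
# Get-CaAlternateSignatureAlgorithm              # expect 1 on the affected CA
# certutil -setreg ca\csp\AlternateSignatureAlgorithm 0
# Restart-Service CertSvc                        # new signatures use PKCS#1 v1.5 from here on

# --- Step 3: on the subordinate CA, renew its certificate reusing the existing key ---
# (matches "Renewed the IssuingCA cert using the same private key" above), submit the
# request to the root, install the renewed certificate, then reissue the web certificates.
# certutil -renewCert ReuseKeys
```

Only the certificate whose Issuer is the reconfigured CA changes algorithm after the renewal; a subordinate CA that itself has AlternateSignatureAlgorithm set would still sign end-entity certificates with PSS, so run the same registry check on every CA in the chain.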

Additional System Details

Installed Plug-ins

  • Google Update
  • Picasa plugin
  • Shockwave Flash 11.9 r900
  • Citrix Online App Detector Plugin
  • LastPass Plugin
  • ActiveTouch General Plugin Container Version 105
  • Next Generation Java Plug-in 10.45.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.05
  • 5.1.20913.0
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.03
  • Microsoft Lync 2010 Meeting Join Plug-in
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • RealNetworks(tm) RealDownloader Chrome Background Extension Plug-In
  • RealNetworks(tm) RealDownloader PepperFlashVideoShim Plug-In
  • RealNetworks(tm) RealDownloader HTML5VideoShim Plug-In
  • RealDownloader Plugin
  • Office on Demand Plugin
  • Allows communication with the Windchill SocialLink client.
  • VMware Remote Console Plug-in
  • NPWLPG
  • VMware Remote Console and Client Integration Plug-in
  • DivX Plus Web Player version 2.2.0.52
  • DivX VOD Helper Plug-in
  • Dll file of HP Virtual Room Client Launcher Plugin for Firefox, Chrome, and Safari
  • Microsoft Lync Web App Plug-in
  • Microsoft Lync Web App Version Checker
  • BlackBerry WebSL Browser Plug-In
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers
  • np-mswmp

Application

  • Firefox 27.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
  • Support URL: https://support.mozilla.org/1/firefox/27.0/WINNT/en-US/

Extensions

  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • DivX Plus Web Player HTML5 <video> 2.1.2.145 ({23fcfd51-4958-4f00-80a3-ae97e717ed8b}) (Inactive)
  • FiddlerHook 2.4.1.1 (fiddlerhook@fiddler2.com) (Inactive)
  • RealDownloader 1.3.0 ({34712C68-7391-4c47-94F3-8F88D49AD632}) (Inactive)
  • Skype Click to Call 6.13.0.13771 ({82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA Quadro FX 770M
  • adapterDescription2:
  • adapterDeviceID: 0x065c
  • adapterDeviceID2:
  • adapterDrivers: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 512
  • adapterRAM2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • clearTypeParameters: Gamma: 2200 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 300
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'tryNewerDriver', u'257.21']
  • directWriteEnabled: False
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 2-19-2010
  • driverDate2:
  • driverVersion: 8.16.11.8921
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'cairo', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 0
  • numAcceleratedWindowsMessage: [u'tryNewerDriver', u'182.65']
  • numTotalWindows: 5
  • webglRendererMessage: [u'tryNewerDriver', u'182.65']
  • windowLayerManagerRemote: False
  • windowLayerManagerType: Basic

Modified Preferences

  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.places.smartBookmarksVersion: 4
  • browser.sessionstore.upgradeBackup.latestBuildID: 20140127194636
  • browser.startup.homepage_override.buildID: 20140127194636
  • browser.startup.homepage_override.mstone: 27.0
  • dom.mozApps.used: True
  • extensions.lastAppVersion: 27.0
  • network.cookie.prefsMigrated: True
  • places.database.lastMaintenance: 1392050854
  • places.history.expiration.transient_current_max_pages: 104858
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: True
  • privacy.sanitize.migrateFx3Prefs: True
  • security.disable_button.openDeviceManager: False
  • storage.vacuum.last.index: 0
  • storage.vacuum.last.places.sqlite: 1392050852

Misc

  • User JS: No
  • Accessibility: No

guigs

Hi khetheri,

In order to better test the certificate may we request the certificate without the private keys? I have some backup from the security team if this is possible.

There is a temporary work around as well but I don't recommend turning on all certificates to make sure it is not a compatibility error(ish) It is possible to check if it is being detected as a bad certificate in Firefox itself to eliminate compatibility issues.

  1. In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
  2. Click I'll be careful, I promise!, to continue to the about:config page.
  3. Search for browser.xul.error_pages.expert_bad_cert and set it to true to try the certificate normally.

Looking forward to your reply!


Question owner

rmcguigan,

Thanks for the suggestion. I had actually already tried this. I neglected to say so in the write-up. However, the result was the same.

Regards, Khetheri

