
Firefox is unable to parse my certificate while IE can. I imported my CA in both, IE is fine, Firefox says the certif is valid for the IP only, not the DNS name

  • 2 replies
  • 5 have this problem
  • 36 views
  • Last reply by j_bourdeau


Full details:
-- Created a CA with PfSense
-- Created SSL server certificates for my own servers (ESX, PfSense, e-mail, ...)
-- Imported the CA in Internet Explorer as a new Trusted Root CA
-- Connect to my servers with their local DNS names and receive the page without warning
-- Imported the CA in Firefox as a new Authority
-- Connect to my server using the DNS name
-- Receive an error message: certificate is valid only for 172.31.1.20 (the IP address of the server)
-- Connect to my server using Firefox and the IP address and receive the page without warning

The CA is fine because it is used by both IE and Firefox and even when complaining, Firefox does not doubt the authority. The server certificate does include the name and IE can find it. It is true that when I created the certif, I added an extra field with the IP address. The certificate should be valid for both, the DNS name and the IP. When I try to connect to the server with IE using the IP address, now it is IE who is complaining that the certificate is valid only for the name :-)

What should I do for Firefox to accept my certificate by its name and validate it with the CA instead of doing multiple exceptions for everything ?

Here is the certificate as sent by the server:



Here is the certificate of the CA who signed it




All Replies (2)


Chosen Solution

In Firefox, a non-empty Subject Alternative Names list overrides and replaces the Common Name field. So you need to list all relevant host names in the SAN field in your certificate.
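The name-selection rule described in this answer, as an added example that is not part of the original post and is not Firefox's own code. The certificates are modelled as plain dictionaries; the host name `esx.example.lan` is a constructed placeholder, and the CN fallback for a certificate with no SAN follows the answer's wording.

```python
import ipaddress

def presented_names(cert):
    """Names a SAN-first verifier considers: a non-empty SAN list replaces
    the subject CN; the CN is a fallback only when there is no SAN."""
    san = cert.get("san") or []
    if san:
        return list(san)
    return [("DNS", cert["cn"])] if cert.get("cn") else []

def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def matches(cert, target):
    """True if target (DNS name or IP literal) is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in presented_names(cert):
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False

def uncovered(cert, targets):
    """Targets a client would reject with a name-mismatch error."""
    return [t for t in targets if not matches(cert, t)]

# Constructed sample data: the host name is a placeholder, the IP is the one
# quoted in the question.
TARGETS = ["esx.example.lan", "172.31.1.20"]
AS_ISSUED = {"cn": "esx.example.lan", "san": [("IP", "172.31.1.20")]}
REISSUED = {"cn": "esx.example.lan",
            "san": [("DNS", "esx.example.lan"), ("IP", "172.31.1.20")]}
CN_ONLY = {"cn": "esx.example.lan", "san": []}

if __name__ == "__main__":
    for label, cert in [("as issued", AS_ISSUED), ("reissued", REISSUED),
                        ("CN only", CN_ONLY)]:
        print(f"{label:10} rejected for: {uncovered(cert, TARGETS) or 'nothing'}")
```

Listing every DNS name and IP address in the SAN, as in `REISSUED`, makes the certificate independent of whether a given client still falls back to the CN.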


Thanks for the info. Surely IE is doing the opposite : ignoring the SAN completely. It would be typical for Microsoft to do so. I will re-emit my certificates for fixing the situation for me right now. I think that Firefox should not discard the CN when SAN is used in a certif. SAN should be added to CN, not overwrite it... In all cases, thanks for your help,