搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

Learn More

only firefox has certificate issue "unknown_issuer" with self-signed certificate

more options

We have various Apache instances that host internal sites.

We have a Server 2012 Enterprise Certificate Authority with which we sign internal certificates. I have created a batch of new certificates for various sites, and Chrome, IE10+ as well as Opera and Safari have no issue with the self-signed cert.

The certificate chain is good, I used various tools to verify that the certificate is good.

Digicerts Tools, as well as browser and server loaded certificates. Please see the attached screenshots

Firefox claims the "unknown_issuer" error. But as you can see from the screenshots , the issuer is there and a complete chain is available.

What am I missing? We utilize Firefox in our environment quite a bit, Chrome is an alternative, but I'd liek to understand what is going on?

附加的畫面擷圖

被選擇的解決方法

jscher2000, you sent me down the right path. THANK YOU

openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.

What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt

but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like


BEGIN PKCS7-----

MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....


END PKCS7-----

which Apache cannot read.

The additional step is to convert the DER type to a PEM type, and then print the certificates:

openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt

now the crt looks like: subject=****intermediate issuer=****intermediate


BEGIN CERTIFICATE-----

MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....


END CERTIFICATE-----

subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....


END CERTIFICATE-----

I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root

從原來的回覆中察看解決方案 👍 0

所有回覆 (5)

more options

I'll start with the most common thing:

Is the server configured to send the intermediate certificates? Firefox either needs to receive them from the server, or to have previously received them from another server. Unlike some other browsers, Firefox will not seek them from other sources.

more options

Ha, I knew I forgot to include that. Yes, we declare the chain certificate in the apache config.

SSLCertificateFile "/apps/$SiteDir/conf/certs/$Cert.cer" SSLCertificateKeyFile "/apps/$SiteDir/conf/certs/$Cert.key" SSLCertificateChainFile "/apps/intermediate.cer"

more options

Hmm, I would expect to see the intermediate and root certs in the Digicert screen shot if the server is sending them. Am I misunderstanding how that tool works? What if you point it at another site for comparison.

more options

Did you check the certificate chain in Firefox and verified that the topmost in the chain has the appropriate trust bit(s) set if that isn't a built-in trusted root certificate?

more options

選擇的解決方法

jscher2000, you sent me down the right path. THANK YOU

openssl was being a bit tricky when converting my p7b file. Most guides out there miss a step.

What you usally find is: openssl pkcs7 -print_certs -in cert.p7b -out cert.crt

but the problem is it only converts the certificate to a PKCS7 certificate and does not output the actual chain. The file looks like


BEGIN PKCS7-----

MIII4AYJKoZIhvcNAQcCoIII0TC... .... .... ....


END PKCS7-----

which Apache cannot read.

The additional step is to convert the DER type to a PEM type, and then print the certificates:

openssl pkcs7 -inform DER cert.p7b -outform PEM cert.pem openssl pkcs7 -print_certs -in cert.pem -out certchain.crt

now the crt looks like: subject=****intermediate issuer=****intermediate


BEGIN CERTIFICATE-----

MIIE2TCCA8GgAwIBAgITJgAAAAKAG6X..... .... .... ....


END CERTIFICATE-----

subject=****root issuer=****root MIID1DCCArygAwIBAgIQF0mjFUDL.... .... .... ....


END CERTIFICATE-----

I have corrected the chaincert file , retsarted my apache and the digicert tool does indeed show subordinate and root