PositiveSSL in Firefox sec_error_unknown_issuer fix

PositiveSSL certificates are signed by an intermediate certificate authority whose certificate is NOT stored in Firefox. If the server does not provide the issuer chain, Firefox treats the connection as untrusted.

PositiveSSL recently changed its issuer chain for newer certificates, transitioning to the stronger SHA-2 hashing algorithm, so the example may be outdated.

Here is an example of an issuer chain.

To solve this problem, the intermediate certificate should be presented.

On the SERVER side, along with yoursite.crt you also receive a file named PositiveSSLCA2.crt (or COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt). Append its content to yoursite.crt to make a new .crt file.

Be careful not to reverse the order: yoursite.crt must come first, otherwise the certificate will fail to match private.key. Moreover, the option Chained Certificate should be set to yes if using LiteSpeed Web Server.
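A way to check the combined file before installing it, as an added example that is not part of the original post: the first function confirms that the first certificate in the bundle belongs to private.key, the second that each certificate is followed by its issuer (by name only; signatures are not verified). The function names are hypothetical, and make_sample builds throwaway certificates so both checks can be tried without real ones.

```shell
#!/bin/sh
# Added example; needs the openssl CLI. Function names are hypothetical,
# file names follow the article, and all certificates are constructed test data.

# 0 if the FIRST certificate in bundle $1 carries the public key of key $2.
first_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if each certificate in bundle $1 was issued by the certificate after it.
chain_is_ordered() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1
    rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Create a throwaway intermediate and site certificate in directory $1, then
# write the bundle in the correct order (chained.crt) and reversed (reversed.crt).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/intermediate.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=yoursite.example" \
        -keyout "$1/private.key" -out "$1/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/site.csr" -days 1 -CA "$1/intermediate.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/yoursite.crt" 2>/dev/null &&
    cat "$1/yoursite.crt" "$1/intermediate.crt" > "$1/chained.crt" &&
    cat "$1/intermediate.crt" "$1/yoursite.crt" > "$1/reversed.crt"
}
```

With real files, run `first_cert_matches_key chained.crt private.key && chain_is_ordered chained.crt`; a non-zero exit status means the bundle was assembled in the wrong order.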

On the CLIENT side, the intermediate certificate PositiveSSLCA2.crt (or COMODORSADomainValidationSecureServerCA.crt and COMODORSAAddTrustCA.crt) can be imported into the Firefox CA certificate list. This is, however, NOT always recommended, because the .crt file must be guaranteed to be the original.


Jul 2, 2013 @ 00:00
